![]() |
|
Plagegeister aller Art und deren Bekämpfung: GMER meldet "hidden rootkit activity" & Rechner langsamWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
![]() | #1 |
![]() ![]() | ![]() GMER meldet "hidden rootkit activity" & Rechner langsam Hallo liebes Anti-Trojaner-Team, nachdem ich gerade dabei bin, meinen PC neu aufzusetzen (Dank an Cosinus noch mal für die Hilfe!), habe ich nun auch evtl. Schwierigkeiten mit meinem Netbook. ![]() Malwarebytes hat nichts gefunden, aber GMER meldete "hidden rootkit activity". Muss ich den Laptop nun auch neu aufsetzen? ![]() Ich hab die Anleitung abgearbeitet, hier kommen die Logs: Malwarebytes: Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.70.0.1100 www.malwarebytes.org Datenbank Version: v2013.02.08.06 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 ... :: NETBOOK [Administrator] Schutz: Aktiviert 08.02.2013 17:25:29 mbam-log-2013-02-08 (17-25-29).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 291574 Laufzeit: 2 Stunde(n), 34 Minute(n), 31 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Code:
ATTFilter OTL logfile created on: 2/8/2013 10:38:09 PM - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\...\Desktop Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1014.18 Mb Total Physical Memory | 441.98 Mb Available Physical Memory | 43.58% Memory free 2.99 Gb Paging File | 1.98 Gb Available in Paging File | 66.13% Paging File free Paging file location(s): c:\pagefile.sys 2048 2048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 80.00 Gb Total Space | 56.31 Gb Free Space | 70.39% Space Free | Partition Type: NTFS Drive D: | 54.03 Gb Total Space | 43.04 Gb Free Space | 79.66% Space Free | Partition Type: NTFS Computer Name: NETBOOK | User Name: ... | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - File not found -- PRC - [2013/02/08 17:10:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\...\Desktop\OTL.exe PRC - [2013/02/05 14:59:46 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2012/12/18 20:08:28 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012/11/30 03:55:25 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2012/11/26 15:09:22 | 001,225,312 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe PRC - [2012/11/26 15:09:20 | 000,659,040 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe PRC - [2012/11/23 03:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2012/05/02 00:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2012/05/01 23:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2012/04/24 01:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe PRC - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe PRC - [2011/02/25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010/06/29 15:15:18 | 000,073,728 | ---- | M] (Software 2000 Limited) -- C:\Windows\System32\spool\drivers\w32x86\3\HP1006MC.EXE PRC - [2010/06/09 22:26:34 | 000,412,600 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\SHE\SuperHybridEngine.exe PRC - [2010/06/04 03:40:30 | 001,242,544 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\HotkeyService\HotkeyService.exe PRC - [2010/05/29 00:41:36 | 000,445,344 | ---- | M] (ASUS) -- C:\Program Files\EeePC\CapsHook\CapsHook.exe PRC - [2010/04/13 03:37:47 | 000,083,240 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe PRC - [2010/02/28 02:33:14 | 000,077,664 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE PRC - [2009/09/11 19:41:02 | 000,100,328 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe PRC - [2009/08/19 01:35:56 | 000,219,136 | ---- | M] () -- C:\Windows\System32\AsusService.exe PRC - [2009/06/05 03:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe PRC - [2009/06/05 03:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2009/03/24 13:00:00 | 000,241,664 | ---- | M] () -- C:\Program Files\ZTE Join Air\AssistantServices.exe ========== Modules (No Company Name) ========== MOD - [2013/01/21 16:24:11 | 001,670,144 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\b95e7795ea5951d09521cddfc03b5c4e\Microsoft.VisualBasic.ni.dll MOD - [2013/01/21 14:27:10 | 000,628,224 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\01c6cb58745f397c9b7ccf3ab7bfc9cd\System.EnterpriseServices.ni.dll MOD - [2013/01/21 14:27:07 | 000,627,200 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\536d704e93ffec9b54e4a0312fb5b996\System.Transactions.ni.dll MOD - [2013/01/21 14:27:00 | 006,611,456 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\dd20416f723ee13ffb4173ec1afc4ec4\System.Data.ni.dll MOD - [2013/01/21 14:24:46 | 012,436,480 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\865d2bf19a7af7fab8660a42d92550fe\System.Windows.Forms.ni.dll MOD - [2013/01/21 14:24:09 | 001,592,832 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll MOD - [2013/01/21 14:22:53 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll MOD - [2013/01/21 14:22:36 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll MOD - [2013/01/21 14:22:30 | 007,989,760 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll MOD - [2013/01/21 14:21:55 | 011,493,376 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll MOD - [2012/01/08 14:41:12 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll MOD - [2010/11/05 02:58:05 | 002,927,616 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll MOD - [2010/06/24 17:31:07 | 000,839,680 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll MOD - [2010/06/24 17:31:07 | 000,030,032 | ---- | M] () -- C:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3726.20828__0d0f4b69e50e559b\SqliteShared.dll MOD - [2010/03/16 02:48:46 | 000,148,816 | ---- | M] () -- C:\Program Files\ASUS\ASUS WebStorage\EcaremeDLL.dll MOD - [2010/02/28 02:33:14 | 000,077,664 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE MOD - [2009/06/10 22:23:19 | 000,261,632 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ========== Services (SafeList) ========== SRV - [2013/02/08 16:48:07 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013/02/06 22:16:20 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012/12/18 20:08:28 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler) SRV - [2012/11/26 15:09:22 | 001,225,312 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent) SRV - [2012/11/26 15:09:20 | 000,659,040 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent) SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012/05/02 00:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012/05/01 23:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa) SRV - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist) SRV - [2009/08/19 01:35:56 | 000,219,136 | ---- | M] () [Auto | Running] -- C:\Windows\System32\AsusService.exe -- (AsusService) SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009/06/05 03:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) SRV - [2009/03/24 13:00:00 | 000,241,664 | ---- | M] () [Auto | Running] -- C:\Program Files\ZTE Join Air\AssistantServices.exe -- (UI Assistant Service) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\btwrchid.sys -- (btwrchid) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btwl2cap.sys -- (btwl2cap) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\btwavdt.sys -- (btwavdt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\btwaudio.sys -- (btwaudio) DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012/08/23 15:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV - [2012/08/23 15:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2012/04/27 09:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012/04/24 23:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012/04/16 20:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011/10/01 08:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol) DRV - [2011/10/01 08:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir) DRV - [2011/10/01 08:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay) DRV - [2011/10/01 08:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs) DRV - [2011/06/27 01:37:12 | 002,191,872 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr) DRV - [2011/02/09 14:03:00 | 000,011,832 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsUpIO.sys -- (AsUpIO) DRV - [2010/09/01 09:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\psi_mf.sys -- (PSI) DRV - [2010/06/17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010/04/13 03:39:17 | 000,051,712 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) DRV - [2010/04/13 03:36:46 | 000,043,944 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt) DRV - [2010/04/13 03:36:12 | 000,013,880 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\kbfiltr.sys -- (kbfiltr) DRV - [2009/07/14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp) DRV - [2009/04/09 12:38:32 | 000,110,592 | R--- | M] (ZTE Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\zteusbnet.sys -- (ZTEusbnet) DRV - [2009/04/09 12:38:32 | 000,105,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\zteusbvoice.sys -- (ZTEusbvoice) DRV - [2009/04/09 12:38:32 | 000,105,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea) DRV - [2009/04/09 12:38:32 | 000,104,960 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k) DRV - [2009/04/09 12:38:32 | 000,104,960 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k) DRV - [2009/04/09 12:38:32 | 000,007,680 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter) DRV - [2005/06/13 09:03:12 | 000,060,768 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\w800bus.sys -- (w800bus) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=MAAU&src=IE-SearchBox IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com IE - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://eeepc.asus.com [binary data] IE - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\..\SearchScopes,DefaultScope = {CC0BF2FC-B6AD-4033-BB3D-147016CEB22D} IE - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\..\SearchScopes\{CC0BF2FC-B6AD-4033-BB3D-147016CEB22D}: "URL" = hxxp://www.google.de/search?q={searchTerms} IE - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.update: false FF - prefs.js..browser.startup.homepage: "about:blank" FF - prefs.js..extensions.enabledAddons: en-US%40dictionaries.addons.mozilla.org:6.0 FF - prefs.js..extensions.enabledAddons: pl%40dictionaries.addons.mozilla.org:1.0.20110621 FF - prefs.js..extensions.enabledAddons: firefox%40ghostery.com:2.8.4 FF - prefs.js..extensions.enabledAddons: %7B8AA36F4F-6DC7-4c06-77AF-5035170634FE%7D:2013.01.16 FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.4.4 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.2 FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.11.2: C:\windows\system32\npDeployJava1.dll File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{8AA36F4F-6DC7-4c06-77AF-5035170634FE}: C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox [2013/01/29 20:09:28 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/06 22:16:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/06 22:16:20 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/09 16:28:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\...\AppData\Roaming\mozilla\Extensions [2013/01/31 22:54:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\...\AppData\Roaming\mozilla\Firefox\Profiles\88ttsqn5.default\extensions [2012/10/16 16:44:18 | 000,000,000 | ---D | M] (German Dictionary) -- C:\Users\...\AppData\Roaming\mozilla\Firefox\Profiles\88ttsqn5.default\extensions\de-DE@dictionaries.addons.mozilla.org [2012/05/19 09:20:07 | 000,000,000 | ---D | M] (United States English Spellchecker) -- C:\Users\...\AppData\Roaming\mozilla\Firefox\Profiles\88ttsqn5.default\extensions\en-US@dictionaries.addons.mozilla.org [2013/01/22 19:46:39 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\...\AppData\Roaming\mozilla\Firefox\Profiles\88ttsqn5.default\extensions\firefox@ghostery.com [2013/01/31 10:36:39 | 000,533,536 | ---- | M] () (No name found) -- C:\Users\...\AppData\Roaming\mozilla\firefox\profiles\88ttsqn5.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2013/01/31 22:54:06 | 000,817,973 | ---- | M] () (No name found) -- C:\Users\...\AppData\Roaming\mozilla\firefox\profiles\88ttsqn5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013/02/06 22:16:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2013/01/29 20:09:28 | 000,000,000 | ---D | M] (Citavi Picker) -- C:\PROGRAMDATA\SWISS ACADEMIC SOFTWARE\CITAVI PICKER\FIREFOX [2013/02/06 22:16:20 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2013/01/17 01:11:04 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013/01/17 01:11:04 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2013/01/17 01:11:04 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2013/01/17 01:11:04 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2013/01/17 01:11:04 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2013/01/17 01:11:04 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found. O4 - HKLM..\Run: [ASUSPRP] C:\Program Files\ASUS\APRP\aprp.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [CapsHook] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [HotkeyMon] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [HotkeyService] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) O4 - HKLM..\Run: [SuperHybridEngine] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe (Synaptics Incorporated) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: &Citavi Picker... - C:\ProgramData\Swiss Academic Software\Citavi Picker\Internet Explorer\ShowContextMenu.html () O13 - gopher Prefix: missing O15 - HKU\S-1-5-21-268967856-1830572098-4256470926-1000\..Trusted Domains: secunia.com ([]https in Vertrauenswürdige Sites) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A1F17EB-9944-41B8-B902-3562B5878363}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CF68EEF1-8832-40C0-A48F-CD51ED10B0FD}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2030/01/01 22:36:01 | 000,000,000 | -HSD | C] -- C:\Boot [2013/02/08 17:16:52 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\...\Desktop\tdsskiller.exe [2013/02/08 17:10:12 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\...\Desktop\OTL.exe [2013/02/08 17:03:47 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Roaming\pdfforge [2013/02/08 17:03:34 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator [2013/02/06 22:16:06 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013/02/05 16:25:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN [2013/02/05 16:19:09 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2013/01/29 19:48:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader [2013/01/29 19:42:13 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN [2013/01/29 19:42:12 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IrfanView [2013/01/29 16:32:12 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Local\Secunia PSI [2013/01/29 16:31:57 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia [2013/01/29 13:21:59 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Roaming\Malwarebytes [2013/01/29 13:21:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013/01/29 13:21:42 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys [2013/01/29 13:21:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2013/01/29 13:21:18 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Local\Programs [2013/01/29 12:59:20 | 000,000,000 | ---D | C] -- C:\windows\System32\x64 [2013/01/24 14:58:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe ========== Files - Modified Within 30 Days ========== [2013/02/08 22:47:01 | 000,000,884 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job [2013/02/08 22:23:43 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat [2013/02/08 17:28:45 | 013,562,257 | ---- | M] () -- C:\Users\...\Desktop\mbar-1.01.0.1017.zip [2013/02/08 17:20:22 | 000,582,209 | ---- | M] () -- C:\Users\...\Desktop\adwcleaner.exe [2013/02/08 17:17:09 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\...\Desktop\tdsskiller.exe [2013/02/08 17:12:16 | 000,365,568 | ---- | M] () -- C:\Users\...\Desktop\gmer_2.0.18454.exe [2013/02/08 17:10:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\...\Desktop\OTL.exe [2013/02/08 17:03:48 | 000,000,955 | ---- | M] () -- C:\Users\Public\Desktop\PDFCreator.lnk [2013/02/08 12:31:56 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013/02/08 12:31:55 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013/02/08 12:24:00 | 000,016,384 | ---- | M] () -- C:\windows\System32\Ikeext.etl [2013/02/08 12:23:14 | 797,581,312 | -HS- | M] () -- C:\hiberfil.sys [2013/02/05 18:08:14 | 000,644,310 | ---- | M] () -- C:\windows\System32\perfh007.dat [2013/02/05 18:08:14 | 000,607,634 | ---- | M] () -- C:\windows\System32\perfh009.dat [2013/02/05 18:08:14 | 000,126,580 | ---- | M] () -- C:\windows\System32\perfc007.dat [2013/02/05 18:08:14 | 000,103,754 | ---- | M] () -- C:\windows\System32\perfc009.dat [2013/02/05 16:25:56 | 000,000,984 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk [2013/02/05 16:19:15 | 000,001,065 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2013/02/05 13:30:54 | 000,002,286 | -H-- | M] () -- D:\...\Eigene Dokumente\Default.rdp [2013/01/29 19:48:17 | 000,001,056 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader.lnk [2013/01/29 19:43:08 | 000,000,932 | ---- | M] () -- C:\Users\...\Desktop\IrfanView.lnk [2013/01/29 19:40:33 | 000,000,932 | ---- | M] () -- C:\Users\Public\Desktop\IrfanView.lnk [2013/01/29 16:32:03 | 000,001,024 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2013/01/29 13:21:46 | 000,001,027 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013/01/29 13:06:40 | 000,272,128 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT [2013/01/24 14:59:16 | 000,001,949 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk ========== Files Created - No Company Name ========== [2030/01/01 22:36:02 | 000,383,786 | RHS- | C] () -- C:\bootmgr [2013/02/08 17:27:05 | 013,562,257 | ---- | C] () -- C:\Users\...\Desktop\mbar-1.01.0.1017.zip [2013/02/08 17:19:52 | 000,582,209 | ---- | C] () -- C:\Users\...\Desktop\adwcleaner.exe [2013/02/08 17:12:10 | 000,365,568 | ---- | C] () -- C:\Users\...\Desktop\gmer_2.0.18454.exe [2013/02/08 17:03:48 | 000,000,955 | ---- | C] () -- C:\Users\Public\Desktop\PDFCreator.lnk [2013/02/08 17:03:39 | 000,116,224 | ---- | C] () -- C:\windows\System32\pdfcmnnt.dll [2013/02/05 16:25:56 | 000,000,984 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk [2013/02/05 16:19:15 | 000,001,077 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [2013/02/05 16:19:15 | 000,001,065 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2013/01/29 19:48:17 | 000,001,056 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader.lnk [2013/01/29 19:43:07 | 000,000,932 | ---- | C] () -- C:\Users\...\Desktop\IrfanView.lnk [2013/01/29 19:42:41 | 000,000,884 | ---- | C] () -- C:\windows\tasks\Adobe Flash Player Updater.job [2013/01/29 16:32:03 | 000,001,024 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2013/01/29 16:32:03 | 000,000,987 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk [2013/01/29 13:21:46 | 000,001,027 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013/01/29 12:51:22 | 000,000,003 | ---- | C] () -- C:\windows\System32\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf [2013/01/29 12:49:51 | 000,000,003 | ---- | C] () -- C:\windows\System32\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf [2013/01/24 14:59:16 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk [2013/01/24 14:59:16 | 000,001,949 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk [2012/03/30 18:13:11 | 000,000,400 | ---- | C] () -- C:\windows\ODBC.INI [2012/03/30 18:13:10 | 000,001,471 | ---- | C] () -- C:\windows\ODBCINST.INI [2012/01/19 19:48:26 | 000,061,678 | ---- | C] () -- C:\Users\...\AppData\Roaming\PFP120JPR.{PB [2012/01/19 19:48:26 | 000,012,358 | ---- | C] () -- C:\Users\...\AppData\Roaming\PFP120JCM.{PB [2011/12/14 10:48:47 | 000,065,536 | ---- | C] () -- C:\windows\System32\HPPLVS.dll [2011/12/13 00:57:53 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2011/03/07 16:23:31 | 000,006,144 | ---- | C] () -- C:\windows\System32\drivers\ASUSHWIO.SYS [2010/06/24 17:10:26 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe ========== ZeroAccess Check ========== [2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2010/06/24 17:31:25 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\ASUS WebStorage [2010/06/24 17:31:25 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\ASUS WebStorage [2010/06/24 17:31:25 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\ASUS WebStorage [2011/02/04 20:29:51 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\E-Cam [2012/02/03 19:40:10 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\FileZilla [2011/12/30 01:42:31 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\Foxit Software [2012/04/29 15:51:11 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\IrfanView [2011/12/13 13:37:35 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\JAM Software [2013/02/08 17:03:47 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\pdfforge [2013/02/08 02:39:11 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\SoftGrid Client [2012/11/26 12:52:59 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\Swiss Academic Software [2011/02/04 21:19:12 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\TP [2012/10/18 17:54:35 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\VoipDiscount ========== Purity Check ========== < End of report > Code:
ATTFilter OTL Extras logfile created on: 2/8/2013 10:38:09 PM - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\...\Desktop Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1014.18 Mb Total Physical Memory | 441.98 Mb Available Physical Memory | 43.58% Memory free 2.99 Gb Paging File | 1.98 Gb Available in Paging File | 66.13% Paging File free Paging file location(s): c:\pagefile.sys 2048 2048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 80.00 Gb Total Space | 56.31 Gb Free Space | 70.39% Space Free | Partition Type: NTFS Drive D: | 54.03 Gb Total Space | 43.04 Gb Free Space | 79.66% Space Free | Partition Type: NTFS Computer Name: NETBOOK | User Name: ... | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation) [HKEY_USERS\S-1-5-21-268967856-1830572098-4256470926-1000\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN) Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 "AutoUpdateDisableNotify" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{03386B1F-803A-4186-8DA4-D323B4071C9E}" = rport=139 | protocol=6 | dir=out | app=system | "{14A6C1E0-851E-4969-8896-F9441085CF6B}" = lport=139 | protocol=6 | dir=in | app=system | "{205CE3F2-78DF-4DA9-8B46-609A5118BE24}" = lport=137 | protocol=17 | dir=in | app=system | "{3DD939B7-AAB7-483E-95D7-6F9BDF2BB99A}" = rport=138 | protocol=17 | dir=out | app=system | "{4A6065F1-83C8-439B-BD83-70D2F82CB5C7}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{4C4CDE39-CBA8-4F93-838D-2580F67AB958}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{57369344-79A8-4092-A134-192392D9BCB1}" = lport=445 | protocol=6 | dir=in | app=system | "{6B28C47A-0ED4-4307-BBFC-448C13181989}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{7FE02CD4-B385-4CD8-85CD-7DE53C93BEB3}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{93EF180A-DC0C-4C4B-B3E9-E79B0DEA3649}" = rport=445 | protocol=6 | dir=out | app=system | "{AF78E807-09D9-490A-BEDB-239192A3CE47}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{C164C7A6-7062-494A-ABE7-95A9FBC3D231}" = rport=137 | protocol=17 | dir=out | app=system | "{CB34B017-5E1C-45A4-9040-36CDF7F601FD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{CEB0A60B-5A38-4AF5-9BF8-A5DA11A05BF3}" = lport=138 | protocol=17 | dir=in | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{1171A6D4-B8ED-4768-9E63-1879953FCAEE}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\hp1006mc.exe | "{286DC0BC-9132-4FB2-A61C-881DFE9BC8D1}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{391A479A-30B5-4C56-9C20-793828867B9F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{5BEACA52-A999-40E9-B412-B3321D83D6C7}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{6208F3D2-72B6-4990-B6F6-0D807A9C6F13}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{A80E8CDB-97AC-4F17-9F03-52CB09ECF51F}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{DC3252B4-E1F6-4A61-ADB3-8D2FD16877B5}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\hp1006mc.exe | "TCP Query User{03FCA698-A1F5-4494-B668-728880C2E613}C:\program files\voipdiscount\voipdiscount.exe" = protocol=6 | dir=in | app=c:\program files\voipdiscount\voipdiscount.exe | "TCP Query User{77038D20-2671-4CCC-B213-A7DE7F183F1D}C:\program files\voipdiscount\voipdiscount.exe" = protocol=6 | dir=in | app=c:\program files\voipdiscount\voipdiscount.exe | "UDP Query User{AC10CA33-B936-4CE0-921B-AB47D8859A28}C:\program files\voipdiscount\voipdiscount.exe" = protocol=17 | dir=in | app=c:\program files\voipdiscount\voipdiscount.exe | "UDP Query User{D8B7EA4E-8324-4870-8EDD-16F508C435B3}C:\program files\voipdiscount\voipdiscount.exe" = protocol=17 | dir=in | app=c:\program files\voipdiscount\voipdiscount.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{00000407-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Premium "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator "{17780F99-A9DF-450B-81B3-6781B20A17A8}" = FontResizer "{1798D459-6B8B-474B-868D-1229EADA3B95}" = Adobe AIR "{185AFA7A-F63E-450B-94AA-011CAC18090E}" = E-Cam "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com "{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver "{38E5A3B1-ADF1-47E0-8024-76310A30EB36}" = LiveUpdate "{4B5092B6-F231-4D18-83BC-2618B729CA45}" = CapsHook "{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC "{6333FC29-BFE5-4024-AC78-958A1A7555D1}" = EeeSplendid "{71C0E38E-09F2-4386-9977-404D4F6640CD}" = Hotkey Service "{84C2B80B-64A2-4B22-93EC-F30C3D6BF7D8}" = Boingo Wi-Fi "{859D40CF-8491-44AD-8FA8-7389CB418C64}" = 32 Bit HP CIO Components Installer "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}" = Ralink RT2860 Wireless LAN Card "{90140000-006D-0407-0000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010 "{90140011-0066-0407-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - Deutsch "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A9E5EDA7-2E6C-49E7-924B-A32B89C24A04}" = Join Air "{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.01) - Deutsch "{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12 "{D802DD00-16A8-4A58-AFC9-020C2380ECDA}" = EeeSplendid "{E12C6653-1FF0-4686-ADB8-589C13AE761F}" = Citavi "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10 "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F58C1D44-4AC9-48E8-9049-7A6CDFCB415C}" = LocaleMe "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "ASUS WebStorage" = ASUS WebStorage "Avira AntiVir Desktop" = Avira Free Antivirus "B41C7C96D83162A676DA7365ADEFD6C1AF62A4EE" = Windows Driver Package - Broadcom Bluetooth (07/17/2009 6.2.0.9403) "B5C82F3814F82FB37F1513B3185399BD88892B08" = Windows Driver Package - Broadcom Bluetooth (07/29/2009 6.1.7100.0) "BF20603967CFDCB2BBF91950E8A56DFBC5C833FE" = Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800) "CCleaner" = CCleaner "Edraw Mind Map_is1" = Edraw Mind Map V4 "Eee Docking_is1" = Eee Docking 3.7.0 "FileZilla Client" = FileZilla Client 3.5.3 "Foxit Reader_is1" = Foxit Reader "HDMI" = Intel(R) Graphics Media Accelerator Driver "InstallShield_{17780F99-A9DF-450B-81B3-6781B20A17A8}" = FontResizer "IrfanView" = IrfanView (remove only) "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100 "Mozilla Firefox 18.0.2 (x86 de)" = Mozilla Firefox 18.0.2 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "Office14.Click2Run" = Microsoft Office Klick-und-Los 2010 "Secunia PSI" = Secunia PSI (3.0.0.6001) "SynTPDeinstKey" = Synaptics Pointing Device Driver "TreeSize Free_is1" = TreeSize Free V2.6 "VLC media player" = VLC media player 2.0.5 "VoipDiscount_is1" = VoipDiscount "Watermark Image_is1" = Watermark Image software version 2.1.4.1 ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 9/21/2012 6:24:58 AM | Computer Name = Netbook | Source = Application Hang | ID = 1002 Description = Programm PDFCreator.exe, Version 1.2.0.3 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 160c Startzeit: 01cd97e306c78209 Endzeit: 78 Anwendungspfad: C:\Program Files\PDFCreator\PDFCreator.exe Berichts-ID: 8bb9a07f-03d6-11e2-914d-20cf3057c295 Error - 9/21/2012 11:02:10 AM | Computer Name = Netbook | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: FOXIT READER.EXE, Version: 5.1.3.1201, Zeitstempel: 0x4ed6f47d Name des fehlerhaften Moduls: COMCTL32.dll, Version: 6.10.7601.17514, Zeitstempel: 0x4ce7b71c Ausnahmecode: 0xc0000409 Fehleroffset: 0x000ab772 ID des fehlerhaften Prozesses: 0x104c Startzeit der fehlerhaften Anwendung: 0x01cd9809f0b6161f Pfad der fehlerhaften Anwendung: C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\FOXIT READER.EXE Pfad des fehlerhaften Moduls: C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll Berichtskennung: 50d7231b-03fd-11e2-914d-20cf3057c295 Error - 10/17/2012 6:33:11 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. Error: BITS connection error Type: 150::InternetConnectionFailure. Error - 10/24/2012 9:44:35 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. Die Aktion kann nicht abgeschlossen werden. Versuchen Sie es erneut. Wenden Sie sich bei Fortbestehen des Problems an den Microsoft-Produktsupport. Error - 10/25/2012 8:13:41 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. (Patch task for {90140011-0066-0407-0000-0000000FF1CE}): DownloadLatest Failed: Error - 11/24/2012 9:10:46 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. Error: BITS connection error Type: 150::InternetConnectionFailure. Error - 11/26/2012 7:40:28 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. (Patch task for {90140011-0066-0407-0000-0000000FF1CE}): DownloadLatest Failed: Error - 11/27/2012 4:57:33 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. Error: BITS connection error Type: 150::InternetConnectionFailure. Error - 11/28/2012 3:59:09 PM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. Error: BITS connection error Type: 150::InternetConnectionFailure. Error - 11/29/2012 9:51:47 AM | Computer Name = Netbook | Source = CVHSVC | ID = 100 Description = Nur zur Information. Die Aktion kann nicht abgeschlossen werden. Versuchen Sie es erneut. Wenden Sie sich bei Fortbestehen des Problems an den Microsoft-Produktsupport. [ System Events ] Error - 2/7/2013 5:28:02 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst LanmanServer erreicht. Error - 2/7/2013 5:28:32 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst BITS erreicht. Error - 2/7/2013 5:28:32 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7000 Description = Der Dienst "Intelligenter Hintergrundübertragungsdienst" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error - 2/7/2013 5:29:47 AM | Computer Name = Netbook | Source = WMPNetworkSvc | ID = 866300 Description = Error - 2/7/2013 7:26:58 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst ShellHWDetection erreicht. Error - 2/7/2013 5:10:53 PM | Computer Name = Netbook | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error - 2/8/2013 7:24:45 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7026 Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: cdrom Error - 2/8/2013 8:38:22 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst Netman erreicht. Error - 2/8/2013 8:38:22 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst lmhosts erreicht. Error - 2/8/2013 9:16:55 AM | Computer Name = Netbook | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst Netman erreicht. < End of report > Code:
ATTFilter GMER 2.0.18454 - hxxp://www.gmer.net Rootkit scan 2013-02-09 00:12:27 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0002 149,05GB Running: 2) gmer_2.0.18454.exe; Driver: C:\Users\...\AppData\Local\Temp\uwrdqpog.sys ---- System - GMER 2.0 ---- SSDT 87B30B06 ZwCreateSection SSDT 87B30B10 ZwRequestWaitReplyPort SSDT 87B30B0B ZwSetContextThread SSDT 87B30B15 ZwSetSecurityObject SSDT 87B30B1A ZwSystemDebugControl SSDT 87B30AA7 ZwTerminateProcess ---- Kernel code sections - GMER 2.0 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81C50A49 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C8A4D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 81C9162C 4 Bytes [06, 0B, B3, 87] .text ntkrnlpa.exe!KeRemoveQueueEx + 1553 81C91988 4 Bytes [10, 0B, B3, 87] {ADC [EBX], CL; MOV BL, 0x87} .text ntkrnlpa.exe!KeRemoveQueueEx + 1597 81C919CC 4 Bytes [0B, 0B, B3, 87] {OR ECX, [EBX]; MOV BL, 0x87} .text ntkrnlpa.exe!KeRemoveQueueEx + 1613 81C91A48 4 Bytes [15, 0B, B3, 87] .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 81C91A9C 4 Bytes JMP B30B1A81 .text ... ---- User code sections - GMER 2.0 ---- .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtClose 770254C8 5 Bytes JMP 6A4BFFC0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtCreateFile 770255C8 5 Bytes JMP 6A4BEC96 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtCreateKey 77025608 5 Bytes JMP 6A4BB6DC C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtDeleteFile 77025808 5 Bytes JMP 6A4BEAB3 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtDeleteKey 77025818 5 Bytes JMP 6A4BAF5D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtDeleteValueKey 77025848 5 Bytes JMP 6A4BB220 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtDuplicateObject 77025898 5 Bytes JMP 6A4C0096 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtEnumerateKey 770258E8 5 Bytes JMP 6A4BB001 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtEnumerateValueKey 77025918 5 Bytes JMP 6A4BB17A C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtFlushKey 77025988 5 Bytes JMP 6A4BAFAF C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtNotifyChangeKey 77025C68 5 Bytes JMP 6A4BB2CE C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtNotifyChangeMultipleKeys 77025C78 5 Bytes JMP 6A4BB35C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtOpenFile 77025CD8 5 Bytes JMP 6A4BEE21 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtOpenKey 77025D08 5 Bytes JMP 6A4BB5ED C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtOpenKeyEx 77025D18 5 Bytes JMP 6A4BB660 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryAttributesFile 77025F38 5 Bytes JMP 6A4BEB1E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryDirectoryFile 77025F98 5 Bytes JMP 6A4BD81E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryFullAttributesFile 77025FE8 5 Bytes JMP 6A4BEB8E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryKey 770260E8 5 Bytes JMP 6A4BB054 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryMultipleValueKey 77026108 5 Bytes JMP 6A4BB27B C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryObject 77026128 5 Bytes JMP 6A4C00EC C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQuerySecurityObject 770261A8 5 Bytes JMP 6A4C0030 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtQueryValueKey 77026248 5 Bytes JMP 6A4BB127 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtRenameKey 770263C8 5 Bytes JMP 6A4BB751 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtSetInformationFile 77026638 5 Bytes JMP 6A4BEBFE C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtSetInformationKey 77026658 5 Bytes JMP 6A4BB0BA C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtSetSecurityObject 77026758 5 Bytes JMP 6A4C0149 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ntdll.dll!NtSetValueKey 77026808 5 Bytes JMP 6A4BB1CD C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!CreateProcessW 75A9204D 5 Bytes JMP 6A498C27 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!CreateProcessA 75A92082 5 Bytes JMP 6A498D65 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!CreateProcessAsUserW 75AC59FF 5 Bytes JMP 6A498F9B C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!SetDllDirectoryW 75B1D783 5 Bytes JMP 6A49977C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!SetDllDirectoryA 75B1D82C 5 Bytes JMP 6A499AAF C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!WinExec 75B1EDAE 5 Bytes JMP 6A49931E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!AllocConsole 75B3C675 5 Bytes JMP 6A4C1210 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] kernel32.dll!AttachConsole 75B3C743 5 Bytes JMP 6A4C1222 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] USER32.dll!CreateWindowExA 75B7BF40 5 Bytes JMP 6A4C11E0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] USER32.dll!CreateWindowExW 75B7EC7C 5 Bytes JMP 6A4C11F8 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] GDI32.dll!AddFontResourceW 75A0EC13 5 Bytes JMP 6A4A6800 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] GDI32.dll!AddFontResourceA 75A0EFA7 5 Bytes JMP 6A4A67E4 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!EnumDependentServicesW 77161E3A 7 Bytes JMP 6A4A956C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!EnumServicesStatusExW 7716B466 7 Bytes JMP 6A4AA48D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!GetServiceKeyNameW 771878FF 7 Bytes JMP 6A4A9C13 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!GetServiceDisplayNameW 771879BB 7 Bytes JMP 6A4A9DC4 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!EnumServicesStatusExA 7718A3E2 7 Bytes JMP 6A4AA553 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!CreateProcessAsUserA 771A2538 5 Bytes JMP 6A4990DD C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!GetServiceKeyNameA 771C1B94 7 Bytes JMP 6A4A9CCB C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!GetServiceDisplayNameA 771C1C31 7 Bytes JMP 6A4A9E7C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!EnumServicesStatusA 771C2021 7 Bytes JMP 6A4AA3CF C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!EnumDependentServicesA 771C2104 7 Bytes JMP 6A4A9623 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ADVAPI32.dll!EnumServicesStatusW 771C2221 5 Bytes JMP 6A4AA311 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoRegisterPSClsid 75C4C56E 5 Bytes JMP 6A4AFFF5 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoResumeClassObjects + 7 75C4EA09 7 Bytes JMP 6A4B05C6 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!OleRun 75C507DE 5 Bytes JMP 6A4B0481 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoRegisterClassObject 75C521E1 5 Bytes JMP 6A4B10F6 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!OleUninitialize 75C5EBA1 6 Bytes JMP 6A4B03A0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!OleInitialize 75C5EFD7 5 Bytes JMP 6A4B0330 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoGetPSClsid 75C626B9 5 Bytes JMP 6A4B016D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoGetClassObject 75C754AD 5 Bytes JMP 6A4B1684 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoInitializeEx 75C809AD 5 Bytes JMP 6A4B01E0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoUninitialize 75C886D3 5 Bytes JMP 6A4B0262 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoCreateInstance 75C89D0B 5 Bytes JMP 6A4B2952 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoCreateInstanceEx 75C89D4E 5 Bytes JMP 6A4B0A8D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoSuspendClassObjects + 7 75CABB09 7 Bytes JMP 6A4B04F1 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoRevokeClassObject 75CCEACF 5 Bytes JMP 6A4AFA52 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!CoGetInstanceFromFile 75D0340B 5 Bytes JMP 6A4B1B44 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5832] ole32.dll!OleRegEnumFormatEtc 75D4CFD9 5 Bytes JMP 6A4B040B C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtClose 770254C8 5 Bytes JMP 6A4BFFC0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtCreateFile 770255C8 5 Bytes JMP 6A4BEC96 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtCreateKey 77025608 5 Bytes JMP 6A4BB6DC C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtDeleteFile 77025808 5 Bytes JMP 6A4BEAB3 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtDeleteKey 77025818 5 Bytes JMP 6A4BAF5D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtDeleteValueKey 77025848 5 Bytes JMP 6A4BB220 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtDuplicateObject 77025898 5 Bytes JMP 6A4C0096 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtEnumerateKey 770258E8 5 Bytes JMP 6A4BB001 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtEnumerateValueKey 77025918 5 Bytes JMP 6A4BB17A C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtFlushKey 77025988 5 Bytes JMP 6A4BAFAF C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtNotifyChangeKey 77025C68 5 Bytes JMP 6A4BB2CE C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtNotifyChangeMultipleKeys 77025C78 5 Bytes JMP 6A4BB35C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtOpenFile 77025CD8 5 Bytes JMP 6A4BEE21 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtOpenKey 77025D08 5 Bytes JMP 6A4BB5ED C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtOpenKeyEx 77025D18 5 Bytes JMP 6A4BB660 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryAttributesFile 77025F38 5 Bytes JMP 6A4BEB1E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryDirectoryFile 77025F98 5 Bytes JMP 6A4BD81E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryFullAttributesFile 77025FE8 5 Bytes JMP 6A4BEB8E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryKey 770260E8 5 Bytes JMP 6A4BB054 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryMultipleValueKey 77026108 5 Bytes JMP 6A4BB27B C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryObject 77026128 5 Bytes JMP 6A4C00EC C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQuerySecurityObject 770261A8 5 Bytes JMP 6A4C0030 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtQueryValueKey 77026248 5 Bytes JMP 6A4BB127 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtRenameKey 770263C8 5 Bytes JMP 6A4BB751 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtSetInformationFile 77026638 5 Bytes JMP 6A4BEBFE C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtSetInformationKey 77026658 5 Bytes JMP 6A4BB0BA C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtSetSecurityObject 77026758 5 Bytes JMP 6A4C0149 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ntdll.dll!NtSetValueKey 77026808 5 Bytes JMP 6A4BB1CD C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!CreateProcessW 75A9204D 5 Bytes JMP 6A498C27 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!CreateProcessA 75A92082 5 Bytes JMP 6A498D65 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!CreateProcessAsUserW 75AC59FF 5 Bytes JMP 6A498F9B C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!SetDllDirectoryW 75B1D783 5 Bytes JMP 6A49977C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!SetDllDirectoryA 75B1D82C 5 Bytes JMP 6A499AAF C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!WinExec 75B1EDAE 5 Bytes JMP 6A49931E C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!AllocConsole 75B3C675 5 Bytes JMP 6A4C1210 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] kernel32.dll!AttachConsole 75B3C743 5 Bytes JMP 6A4C1222 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] USER32.dll!CreateWindowExA 75B7BF40 5 Bytes JMP 6A4C11E0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] USER32.dll!CreateWindowExW 75B7EC7C 5 Bytes JMP 6A4C11F8 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] GDI32.dll!AddFontResourceW 75A0EC13 5 Bytes JMP 6A4A6800 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] GDI32.dll!AddFontResourceA 75A0EFA7 5 Bytes JMP 6A4A67E4 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!EnumDependentServicesW 77161E3A 7 Bytes JMP 6A4A956C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!EnumServicesStatusExW 7716B466 7 Bytes JMP 6A4AA48D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!GetServiceKeyNameW 771878FF 7 Bytes JMP 6A4A9C13 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!GetServiceDisplayNameW 771879BB 7 Bytes JMP 6A4A9DC4 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!EnumServicesStatusExA 7718A3E2 7 Bytes JMP 6A4AA553 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!CreateProcessAsUserA 771A2538 5 Bytes JMP 6A4990DD C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!GetServiceKeyNameA 771C1B94 7 Bytes JMP 6A4A9CCB C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!GetServiceDisplayNameA 771C1C31 7 Bytes JMP 6A4A9E7C C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!EnumServicesStatusA 771C2021 7 Bytes JMP 6A4AA3CF C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!EnumDependentServicesA 771C2104 7 Bytes JMP 6A4A9623 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ADVAPI32.dll!EnumServicesStatusW 771C2221 5 Bytes JMP 6A4AA311 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoRegisterPSClsid 75C4C56E 5 Bytes JMP 6A4AFFF5 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoResumeClassObjects + 7 75C4EA09 7 Bytes JMP 6A4B05C6 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!OleRun 75C507DE 5 Bytes JMP 6A4B0481 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoRegisterClassObject 75C521E1 5 Bytes JMP 6A4B10F6 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!OleUninitialize 75C5EBA1 6 Bytes JMP 6A4B03A0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!OleInitialize 75C5EFD7 5 Bytes JMP 6A4B0330 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoGetPSClsid 75C626B9 5 Bytes JMP 6A4B016D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoGetClassObject 75C754AD 5 Bytes JMP 6A4B1684 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoInitializeEx 75C809AD 5 Bytes JMP 6A4B01E0 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoUninitialize 75C886D3 5 Bytes JMP 6A4B0262 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoCreateInstance 75C89D0B 5 Bytes JMP 6A4B2952 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoCreateInstanceEx 75C89D4E 5 Bytes JMP 6A4B0A8D C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoSuspendClassObjects + 7 75CABB09 7 Bytes JMP 6A4B04F1 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoRevokeClassObject 75CCEACF 5 Bytes JMP 6A4AFA52 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!CoGetInstanceFromFile 75D0340B 5 Bytes JMP 6A4B1B44 C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) .text Q:\140066.deu\Office14\MSOSYNC.EXE[6016] ole32.dll!OleRegEnumFormatEtc 75D4CFD9 5 Bytes JMP 6A4B040B C:\windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation) ---- Processes - GMER 2.0 ---- Library Q:\140066.deu\Office14\MSOSYNC.EXE (*** hidden *** ) @ Q:\140066.deu\Office14\MSOSYNC.EXE [6016] 0x2DD50000 Library Q:\140066.deu\Office14\1031\ospintl.dll (*** hidden *** ) @ Q:\140066.deu\Office14\MSOSYNC.EXE [6016] 0x725C0000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft (*** hidden *** ) @ Q:\140066.deu\Office14\MSOSYNC.EXE [6016] 0x6A2B0000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft (*** hidden *** ) @ Q:\140066.deu\Office14\MSOSYNC.EXE [6016] 0x71000000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft (*** hidden *** ) @ Q:\140066.deu\Office14\MSOSYNC.EXE [6016] 0x69F60000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd6048c8d Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd6048c8d (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{3FBE69D4-2B6D-11E0-9C0E-806E6F6E6963} 1143933280 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1 ---- EOF - GMER 2.0 ---- ![]() Vielen Dank im Voraus! lg, me. Geändert von help me (09.02.2013 um 01:05 Uhr) |
Themen zu GMER meldet "hidden rootkit activity" & Rechner langsam |
32 bit, antivir, arbeitsspeicher voll, avira, cpu, error, failed, firefox, flash player, format, ftp, install.exe, installation, kaspersky, langsam, logfile, microsoft office starter 2010, mozilla, neu aufsetzen, ntdll.dll, ntopenkeyex, programm, realtek, registry, rootkit, rundll, scan, secunia psi, security, software, svchost.exe, udp |