Pests of all kinds and how to fight them: Backdoor.Trojan

14.02.2013, 13:10   #1
Platin96
 

Backdoor.Trojan

Hello,

the day before yesterday I caught a trojan (Windows 7). Unfortunately I deleted the mail right away because I didn't properly recognise the problem. In any case, the mail looked like it came from Telekom. When I opened it, NORTON immediately raised an alarm.

See the NORTON log below. NORTON isolated it, but since then I can't get to my e-mail pages at T-Online and Web.de any more. When I try to open them it says: The security certificate problems may indicate an attempt to trick you or to intercept data you have sent to the server.

Here is the NORTON log:

Kategorie:Quarantäne
Datum/Uhrzeit,Risiko,Aktivität,Status,Empfohlene Aktion,Pfad - Dateiname
13.02.2013 07:39:39,Hoch,msifkzxq.pif (Backdoor.Trojan) erkannt von Virenscanner,Isoliert,Behoben - Keine Aktion erforderlich,c:\users\heiner\local settings\temp\msifkzxq.pif
13.02.2013 07:27:20,Hoch,msheuih.bat (Backdoor.Trojan) erkannt von Auto-Protect,Isoliert,Behoben - Keine Aktion erforderlich,c:\users\helga.goldglas\local settings\temp\msheuih.bat
12.02.2013 13:03:21,Hoch,00adc18d.exe (00adc18d.exe) erkannt von SONAR,Isoliert,Behoben - Keine Aktion erforderlich,c:\users\heiner\appdata\local\temp\00adc18d.exe

I searched on Google: there is a problem with the website's security certificate. The recommendation is always:

1. In Windows Internet Explorer, click Continue to this website (not recommended). A red address bar and a certificate warning are displayed. That isn't displayed for me! So I can't get any further with it.
2. Click the Certificate Error button to open the information window.
3. Click View certificates and then Install certificate.
4. In the warning message that appears, click Yes to install the certificate

Does anyone have a tip for me?

14.02.2013, 13:15   #2
cosinus

Backdoor.Trojan


Hello and

Before we get to work, I'd like to ask you to read the following points completely and carefully.
  • Read my instructions, which I will post over the course of this thread, carefully. Ask right away if anything is unclear to you before you start carrying out my instructions.

  • If you have problems with a step, stop there and describe the problem to me as well as you can. Sometimes a step requires the previous one.

  • Please only run scans that a helper has asked you to run! Do not install / uninstall any software without being asked!

  • Post the logfiles directly in your thread (in CODE tags please) and not as attachments, unless you were asked to. Logs in attachments make evaluating them harder for me!

  • Please also note => Deleting logfiles and other requests

Note:
If you haven't heard from me for three days, please post in this thread => Reminder to my thread.
Annoying "when will it continue" messages will end with your topic being closed. I too have a life away from the Trojaner-Board.


First a check with OTL please:
  • Double-click OTL.exe
  • Vista users: right-click OTL.exe and choose "Run as administrator"
  • Tick the box Scan all users at the top centre
  • At the top you'll find a box labelled Output. Please choose Minimal Output
  • Under Extra Registry, please choose Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 logfiles are created
  • Post the logfiles here in CODE tags in the thread.

14.02.2013, 13:58   #3
Platin96
 

Attachments Oldtimer Backdoor.Trojan



The attachments from Oldtimer

14.02.2013, 14:00   #4
cosinus

Backdoor.Trojan


Why as an attachment? You should post the logs in CODE tags

Please don't post the same OTL logs again, but from now on please post all future logs in CODE tags!

Reading material:
Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
  • Select the entire logfile (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • In the editor, click the # symbol. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is right ... click Reply.



Now please create and post logs with GMER (<<< click for instructions) and MBAR (instructions a little further down).
GMER crashes fairly often; if the tool still won't work the second time, just leave it out and run only MBAR.

MBAR instructions:

Please download Malwarebytes Anti-Rootkit Malwarebytes Anti-Rootkit and save it to your desktop.
  • Please start mbar.exe.
  • Follow the instructions on your screen as per the guide to Malwarebytes Anti-Rootkit
  • Be sure to update the database and allow the tool to scan your system.
  • Click the CleanUp button and allow the restart.
  • During the restart MBAR will remove the objects found, so be patient.
  • After the restart, start mbar.exe again.
  • If something is found again, repeat the CleanUp process.
The tool will create a logfile ( mbar-log-<year-month-day>.txt ) in the folder it created. Please post it here.

Do not start any other file in this folder without instruction from a helper

14.02.2013, 14:03   #5
Platin96
 

Backdoor.Trojan



Now I've already done something wrong. I didn't scan all users! What are CODE tags? Just copy everything and paste it here?


14.02.2013, 14:07   #6
cosinus

Backdoor.Trojan


Please read my post again, I've extended it.
We'll do the OTL logs again later; you don't need to do them again now.

14.02.2013, 14:25   #7
Platin96
 

OTL file and Extras



Code:
OTL logfile created on: 14.02.2013 14:07:38 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Heiner\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
8,00 Gb Total Physical Memory | 5,41 Gb Available Physical Memory | 67,59% Memory free
16,00 Gb Paging File | 12,94 Gb Available in Paging File | 80,87% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921,75 Gb Total Space | 327,67 Gb Free Space | 35,55% Space Free | Partition Type: NTFS
 
Computer Name: GOLDGLAS | User Name: Heiner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC -  File not found
PRC - C:\Users\Heiner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
PRC - C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)
PRC - C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe (SPAMfighter)
PRC - C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe (Preventon Technologies Limited)
PRC - C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVWatchService.exe (Preventon Technologies Limited)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
PRC - C:\Program Files (x86)\Fighters\FighterSuiteService.exe (SPAMfighter ApS)
PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Norton AntiVirus\Norton AntiVirus\Engine\19.9.1.14\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
PRC - C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe ()
PRC - C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
PRC - C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe ()
PRC - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files (x86)\Logitech\Vid HD\Vid.exe (Logitech Inc.)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe ()
PRC - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files (x86)\Common Files\logishrd\SharedBin\LVAPI11.dll ()
MOD - C:\Program Files (x86)\Common Files\logishrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll ()
MOD - C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe ()
MOD - C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\vpxmd.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\SDL.dll ()
MOD - C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll ()
MOD - C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll ()
MOD - C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll ()
MOD - C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll ()
MOD - C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll ()
MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtNetwork4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtCore4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\plugins\imageformats\qjpeg4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\plugins\imageformats\qico4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\plugins\imageformats\qgif4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtWebKit4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtXml4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtSql4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtOpenGL4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\QtGui4.dll ()
MOD - C:\Program Files (x86)\Logitech\Vid HD\phonon4.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (Application Updater) -- C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)
SRV - (AV Engine Scanning Service) -- C:/Program Files (x86)/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe ()
SRV - (AV Watch Service) -- C:/Program Files (x86)/Common Files/Common Toolkit Suite/AVEngine/AVWatchService.exe ()
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (Suite Service) -- C:\Program Files (x86)\Fighters\FighterSuiteService.exe (SPAMfighter ApS)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (HPSLPSVC) -- C:\Users\Heiner\AppData\Local\Temp\7zS4DD2\hpslpsvc64.dll (Hewlett-Packard Co.)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (NAV) -- C:\Program Files (x86)\Norton AntiVirus\Norton AntiVirus\Engine\19.9.1.14\ccSvcHst.exe (Symantec Corporation)
SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (UMVPFSrv) -- C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (wlcrasvc) -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (AVFSFilter) -- C:\Windows\SysNative\drivers\avfsfilter.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (SRTSPX) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\srtspx64.sys (Symantec Corporation)
DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\srtsp64.sys (Symantec Corporation)
DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation)
DRV:64bit: - (ccSet_NAV) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\ccsetx64.sys (Symantec Corporation)
DRV:64bit: - (SymEFA) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\symefa64.sys (Symantec Corporation)
DRV:64bit: - (SymNetS) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\symnets.sys (Symantec Corporation)
DRV:64bit: - (SymIRON) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\ironx64.sys (Symantec Corporation)
DRV:64bit: - (SymDS) -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\symds64.sys (Symantec Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvollh.sys (Microsoft Corporation)
DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfslh.sys (Microsoft Corporation)
DRV:64bit: - (LVUVC64) -- C:\Windows\SysNative\drivers\lvuvc64.sys (Logitech Inc.)
DRV:64bit: - (LVRS64) -- C:\Windows\SysNative\drivers\lvrs64.sys (Logitech Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (LVPr2Mon) -- C:\Windows\SysNative\drivers\LVPr2M64.sys ()
DRV:64bit: - (LVPr2M64) -- C:\Windows\SysNative\drivers\LVPr2M64.sys ()
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (NVNET) -- C:\Windows\SysNative\drivers\nvmf6264.sys (NVIDIA Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (WSDPrintDevice) -- C:\Windows\SysNative\drivers\WSDPrint.sys (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\VirusDefs\20130213.041\ex64.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\VirusDefs\20130213.041\eng64.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (BHDrvx64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\BASHDefs\20130208.001\BHDrvx64.sys (Symantec Corporation)
DRV - (IDSVia64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\Definitions\IPSDefs\20130213.001\IDSviA64.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.t-online.de/
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 30 FF F3 D7 A5 A5 CB 01  [binary data]
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - No CLSID value found
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\URLSearchHook: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\6.9\pdfforgeToolbarIE.dll (Spigot, Inc.)
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=110819&tt=060612_5_&babsrc=SP_ss&mntrId=cc0febcc0000000000000030678faac2
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADRA_de
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\SearchScopes\{AE5AF7FA-BCD8-492C-99B4-E15655037224}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=302398&p={searchTerms}
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\SearchScopes\{C0B04D80-6F5B-4E49-AA17-01FF20731B4B}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.t-online.de/
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 30 FF F3 D7 A5 A5 CB 01  [binary data]
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - No CLSID value found
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\URLSearchHook: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\6.9\pdfforgeToolbarIE.dll (Spigot, Inc.)
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=110819&tt=060612_5_&babsrc=SP_ss&mntrId=cc0febcc0000000000000030678faac2
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADRA_de
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\SearchScopes\{AE5AF7FA-BCD8-492C-99B4-E15655037224}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=302398&p={searchTerms}
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\SearchScopes\{C0B04D80-6F5B-4E49-AA17-01FF20731B4B}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.7.1.5\IPSFFPlgn\ [2012.12.21 18:58:25 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Norton AntiVirus\Engine\19.9.1.14\IPS\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\6.9\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\6.9\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3:64bit: - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CommonToolkitTray] C:\Program Files (x86)\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
O4 - HKLM..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files (x86)\Corel\Corel Graphics 12\Languages\DE\Programs\registration.exe (Corel Corporation)
O4 - HKLM..\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
O4 - HKLM..\Run: [SWPROguard] C:\Program Files (x86)\Fighters\SPYWAREfighter\swprotray.exe (SPAMfighter)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2321657326-780348007-3885685630-1001..\Run: [Logitech Vid] C:\Program Files (x86)\Logitech\Vid HD\Vid.exe (Logitech Inc.)
O4 - HKU\S-1-5-21-2321657326-780348007-3885685630-1001..\Run: [PCSpeedUp] C:\Program Files (x86)\PC Beschleunigen\PCSpeedUp.lnk ()
O4 - HKU\S-1-5-21-2321657326-780348007-3885685630-1004..\Run: [Logitech Vid] C:\Program Files (x86)\Logitech\Vid HD\Vid.exe (Logitech Inc.)
O4 - HKU\S-1-5-21-2321657326-780348007-3885685630-1004..\Run: [PCSpeedUp] C:\Program Files (x86)\PC Beschleunigen\PCSpeedUp.lnk ()
O4 - HKU\S-1-5-21-2321657326-780348007-3885685630-1004..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2321657326-780348007-3885685630-1004..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Heiner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Heiner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: An vorhandenes PDF anfügen - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Auswahl in Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Heiner\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
O8:64bit: - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm File not found
O8:64bit: - Extra context menu item: In Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: An vorhandenes PDF anfügen - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Heiner\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm File not found
O8 - Extra context menu item: In Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2321657326-780348007-3885685630-1001\..Trusted Domains: web.de ([www] https in Vertrauenswürdige Sites)
O15 - HKU\S-1-5-21-2321657326-780348007-3885685630-1004\..Trusted Domains: web.de ([www] https in Vertrauenswürdige Sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119b.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://active.macromedia.com/flash2/cabs/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{834EF8B1-98D9-474E-84B7-AD2E49C55429}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.02.14 13:22:27 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Heiner\Desktop\OTL.exe
[2013.02.14 08:56:24 | 000,000,000 | ---D | C] -- C:\Users\Heiner\AppData\Local\NPE
[2013.02.14 06:54:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Spigot
[2013.02.14 06:54:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\pdfforge Toolbar
[2013.02.14 06:54:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Application Updater
[2013.02.13 16:02:33 | 000,000,000 | ---D | C] -- C:\Users\Heiner\AppData\Roaming\Malwarebytes
[2013.02.13 16:02:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.02.13 16:02:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.02.13 16:02:12 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.02.13 16:02:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.02.13 16:01:38 | 000,000,000 | ---D | C] -- C:\Users\Heiner\AppData\Local\Programs
[2013.02.13 08:15:08 | 000,000,000 | ---D | C] -- C:\ProgramData\clp
[2013.02.13 08:14:07 | 000,000,000 | ---D | C] -- C:\Users\Heiner\AppData\Roaming\Fighters
[2013.02.13 08:13:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fighters
[2013.02.13 08:12:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Common Toolkit Suite
[2013.02.13 08:12:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Fighters
[2013.02.13 08:12:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite
[2013.02.13 08:09:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Fighters
[2013.02.12 18:40:48 | 000,000,000 | ---D | C] -- C:\Users\Heiner\Local Settings
[2013.02.12 13:00:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Local Settings
[2013.01.23 07:00:01 | 000,000,000 | -HSD | C] -- C:\found.000
 
========== Files - Modified Within 30 Days ==========
 
[2013.02.14 14:09:59 | 000,365,568 | ---- | M] () -- C:\Users\Heiner\Desktop\gmer_2.0.18454.exe
[2013.02.14 13:54:01 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.02.14 13:22:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Heiner\Desktop\OTL.exe
[2013.02.14 13:21:47 | 000,000,000 | ---- | M] () -- C:\Users\Heiner\defogger_reenable
[2013.02.14 13:19:56 | 000,050,477 | ---- | M] () -- C:\Users\Heiner\Desktop\Defogger.exe
[2013.02.14 12:54:01 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.02.14 12:13:43 | 000,014,928 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.02.14 12:13:43 | 000,014,928 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.02.14 12:03:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.02.14 12:03:22 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs
[2013.02.14 12:03:01 | 2146,983,935 | -HS- | M] () -- C:\hiberfil.sys
[2013.02.14 03:28:22 | 002,232,208 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.02.14 03:27:25 | 002,188,394 | ---- | M] () -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\Cat.DB
[2013.02.13 16:04:05 | 001,500,294 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.02.13 16:04:05 | 000,654,602 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.02.13 16:04:05 | 000,616,484 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.02.13 16:04:05 | 000,130,216 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.02.13 16:04:05 | 000,106,606 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.02.13 16:02:16 | 000,001,115 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.02.13 08:13:57 | 000,002,010 | ---- | M] () -- C:\Users\Public\Desktop\SPYWAREfighter.lnk
[2013.02.13 07:05:11 | 000,002,136 | ---- | M] () -- C:\{B5F5B971-2AC8-47A4-A6EF-263C4DEED6CF}
[2013.02.07 19:21:49 | 000,002,658 | ---- | M] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk
[2013.02.07 19:20:50 | 000,014,818 | ---- | M] () -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\VT20130115.021
[2013.02.02 07:31:42 | 000,000,172 | ---- | M] () -- C:\Windows\SysNative\drivers\NAVx64\1309010.00E\isolate.ini
[2013.01.29 18:13:43 | 000,019,978 | ---- | M] () -- C:\Users\Heiner\Documents\5460 Wieneke.pdf
[2013.01.25 11:30:17 | 000,001,058 | ---- | M] () -- C:\Users\Heiner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013.01.25 11:29:55 | 000,001,028 | ---- | M] () -- C:\Users\Heiner\Desktop\Dropbox.lnk
 
========== Files Created - No Company Name ==========
 
[2013.02.14 13:21:47 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\defogger_reenable
[2013.02.14 13:19:56 | 000,050,477 | ---- | C] () -- C:\Users\Heiner\Desktop\Defogger.exe
[2013.02.13 16:02:16 | 000,001,115 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.02.13 08:13:55 | 000,002,010 | ---- | C] () -- C:\Users\Public\Desktop\SPYWAREfighter.lnk
[2013.02.13 07:05:11 | 000,002,136 | ---- | C] () -- C:\{B5F5B971-2AC8-47A4-A6EF-263C4DEED6CF}
[2013.01.29 18:13:43 | 000,019,978 | ---- | C] () -- C:\Users\Heiner\Documents\5460 Wieneke.pdf
[2012.11.09 10:27:12 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2011.09.02 09:09:31 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\AppData\Local\{77A2C8DC-1852-47EC-90EE-0CBE8A1DA986}
[2011.07.26 16:13:14 | 000,000,017 | ---- | C] () -- C:\Windows\SysWow64\shortcut_ex.dat
[2011.07.23 06:46:49 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\AppData\Local\{5713649D-AD24-4724-B019-6739B154EFEC}
[2011.07.23 06:45:08 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\AppData\Local\{56E0B3EA-EE24-45ED-8819-4D775B5A61E0}
[2011.06.22 14:41:40 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\AppData\Local\{1F6F750A-D951-4236-9E3E-1DFC249E4655}
[2011.06.22 14:39:52 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\AppData\Local\{A709DD15-E334-4284-956C-BF7296D6655A}
[2011.05.04 17:46:26 | 000,000,157 | ---- | C] () -- C:\Users\Heiner\AppData\Roaming\default.rss
[2011.04.01 06:07:02 | 010,877,272 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2011.04.01 06:07:02 | 000,102,744 | ---- | C] () -- C:\Windows\SysWow64\LogiDPPApp.exe
[2011.04.01 06:06:56 | 000,331,608 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2011.02.07 18:22:25 | 000,000,000 | ---- | C] () -- C:\Users\Heiner\.gtk-bookmarks
[2011.01.17 18:28:49 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2012.12.23 12:15:47 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\DVDVideoSoft
[2012.10.12 07:05:50 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\OpenOffice.org
[2012.12.29 14:40:20 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\SoftGrid Client
[2012.03.14 07:56:54 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\Babylon
[2011.10.26 10:14:59 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\Canon
[2013.02.14 12:14:25 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\Dropbox
[2012.10.15 15:09:47 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\DVDVideoSoft
[2012.10.15 15:09:42 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\DVDVideoSoftIEHelpers
[2013.02.13 08:15:22 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\Fighters
[2011.02.07 18:25:35 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\FreeDoko
[2011.06.28 08:09:05 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\go
[2011.01.21 17:52:22 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\Leadertech
[2011.11.09 10:37:33 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\OpenCandy
[2011.01.02 13:10:27 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\OpenOffice.org
[2012.03.14 07:56:51 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\pdfforge
[2013.02.14 11:37:30 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\SoftGrid Client
[2011.08.03 05:42:46 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\TP
[2012.02.19 09:34:02 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\TuneUp Software
[2012.07.27 07:20:48 | 000,000,000 | ---D | M] -- C:\Users\Heiner\AppData\Roaming\Windows Live Writer
[2012.12.13 17:38:10 | 000,000,000 | ---D | M] -- C:\Users\Helga.Goldglas\AppData\Roaming\Canon
[2011.01.03 14:15:26 | 000,000,000 | ---D | M] -- C:\Users\Helga.Goldglas\AppData\Roaming\OpenOffice.org
[2013.02.06 21:10:40 | 000,000,000 | ---D | M] -- C:\Users\Helga.Goldglas\AppData\Roaming\SoftGrid Client
[2012.10.21 17:44:33 | 000,000,000 | ---D | M] -- C:\Users\Helga.Goldglas\AppData\Roaming\Windows Live Writer
 
========== Purity Check ==========
 
 

< End of report >
         
Code:
OTL Extras logfile created on: 14.02.2013 13:23:07 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Heiner\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
8,00 Gb Total Physical Memory | 5,47 Gb Available Physical Memory | 68,38% Memory free
16,00 Gb Paging File | 12,77 Gb Available in Paging File | 79,83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921,75 Gb Total Space | 327,67 Gb Free Space | 35,55% Space Free | Partition Type: NTFS
 
Computer Name: GOLDGLAS | User Name: Heiner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.js [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.txt [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [Digital Photo Professional] -- C:\Program Files (x86)\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [scan_with_SPYWAREfighter] -- C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe /scan "%1" (SPAMfighter)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [Digital Photo Professional] -- C:\Program Files (x86)\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [scan_with_SPYWAREfighter] -- C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe /scan "%1" (SPAMfighter)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{15AA0EA5-C00B-42AC-B262-F9F66537550A}" = lport=139 | protocol=6 | dir=in | app=system | 
"{1ACBCCC5-66F7-4EFE-9955-838B43F18581}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{1DDC30BB-08FD-43A8-81A7-7AE7992B1EED}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{27B53071-999A-4D2C-B28B-E6E923808B2F}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{29E5888B-F2D7-4105-B917-3DB5A37192AD}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{32CF37DC-78AA-4708-8FAA-258B8E81EB21}" = lport=137 | protocol=17 | dir=in | app=system | 
"{3650E18F-A7D9-463E-9F5D-2370B392E845}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) | 
"{38DEC547-413E-412B-9127-1EE6E39825DF}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{447DAE0D-176F-4FEC-B051-A8950954DE78}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) | 
"{53A5764C-5951-4346-9499-B02E7FDE210F}" = lport=138 | protocol=17 | dir=in | app=system | 
"{6146D875-D553-4B06-B809-A4AB99E601E4}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{61862438-6FFE-452A-A521-9768CF9D0571}" = rport=139 | protocol=6 | dir=out | app=system | 
"{7A4082AD-3F2F-43F9-8DBF-152339C11A91}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{807421BD-DDE2-4B36-818B-62B542489D75}" = rport=445 | protocol=6 | dir=out | app=system | 
"{82483ECF-7CB0-432C-93F6-77092AED4DFB}" = rport=138 | protocol=17 | dir=out | app=system | 
"{83278D0A-5432-4E3A-9FD3-5AE5D0933AEC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{8527F4E2-B575-4E86-A59B-0F52395A16A1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{8778A330-F5B5-4FD8-BECD-AB6292FBAB80}" = lport=445 | protocol=6 | dir=in | app=system | 
"{8EE42CA5-5994-4F48-B60A-CA653CCEEC59}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{8FB3BC05-D995-4D0C-8590-77E8B48E1014}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{98A37B68-9392-4F48-9E9E-79C13AC71351}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{9C793851-D92C-40E3-897C-122C8484ECFF}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D2D5AB84-DE9D-4154-9221-CF8D01A6985D}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{DB7A341E-3AB9-4FA8-A0F7-55FA99E092D5}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{E211F38B-E749-4AFC-B07D-F58A6C7E6B68}" = rport=137 | protocol=17 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0255077B-3032-4823-A185-2AEDEA1F26F9}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{05F97508-D2A0-4F50-A594-2C4A3CE49CCE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{2AB682F2-AAED-4AD5-8433-09E551B7D8D1}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{2ACBFD7B-B877-4596-B6BD-9997F2A786AB}" = protocol=6 | dir=in | app=c:\users\heiner\appdata\local\temp\7zs36fc\hpdiagnosticcoreui.exe | 
"{2C12113D-4654-4AC9-92CA-24E7FDB11341}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{33369D87-B396-4808-9149-6B40224AA578}" = protocol=17 | dir=in | app=c:\users\heiner\appdata\local\temp\7zs36fc\hpdiagnosticcoreui.exe | 
"{4800DBA4-60F0-44FC-8573-D716124ADA56}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{5061DEB5-8432-4C60-9051-9EAB22EF09BF}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
"{5433AEA8-B62C-4A97-B762-4BBB4CB5A0BD}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{54E65B2A-706C-458A-8961-7503A1A10B22}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{64E09245-9488-4627-84E0-0950F1E4C075}" = protocol=6 | dir=in | app=c:\program files (x86)\logitech\vid hd\vid.exe | 
"{6B42DC7F-BFFC-4087-B511-437F1F9512C6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{77AB08F9-8194-48E0-BDF4-F53F766C38C7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{830A8BF8-46DB-4743-ACE3-E1B8BCAE8A6A}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe | 
"{8B1BB70B-81FE-40B9-8DCC-EA407DD46954}" = dir=in | app=c:\program files\hp\hp officejet 6600\bin\hpnetworkcommunicator.exe | 
"{95F8DDAE-AA5E-4102-9BC8-E7D61F148585}" = protocol=6 | dir=in | app=c:\users\heiner\appdata\local\temp\7zs3554\hpdiagnosticcoreui.exe | 
"{9BA65022-9CCF-4657-ADDE-E10C45B3FF57}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{9F2EA552-91DB-4B11-A8D0-589741016F20}" = dir=in | app=c:\program files\hp\hp officejet 6600\bin\devicesetup.exe | 
"{B62B55BD-D33D-4E4A-A2E0-22C8B10466E1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{BAD1449C-FF5D-4ED3-A71E-62BF25A66BA8}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{CF2E2949-93F9-4B39-8B6D-3C427F6E6FF3}" = protocol=17 | dir=in | app=c:\program files (x86)\logitech\vid hd\vid.exe | 
"{DB870E3B-48B9-461C-AB07-8838C26B99FE}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{DBD35B13-A815-424E-9EB0-E6A033DACC14}" = protocol=17 | dir=in | app=c:\users\heiner\appdata\local\temp\7zs4dd2\hppiw.exe | 
"{E40C8D9F-E9C0-43FC-9AEE-77097B14BC26}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{E77121F2-3602-409B-A6EE-7544B00E7CFF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{E8F25F77-A86C-4227-AAB8-1E44BE027EFA}" = protocol=6 | dir=in | app=c:\users\heiner\appdata\local\temp\7zs4dd2\hppiw.exe | 
"{E9C8A71F-8AA6-4526-A42B-8A4770A2F96F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{F0A3AA44-46CB-4CB2-BEC2-42FB42BC9589}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{F2C838E6-6423-456E-9FE9-67686BEB5291}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{F2F72826-CA26-4352-9013-2049873A91F8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{F5711A98-B780-4C7F-91FE-0AD6C70CD52B}" = protocol=17 | dir=in | app=c:\users\heiner\appdata\local\temp\7zs3554\hpdiagnosticcoreui.exe | 
"{FF2C00E6-B87E-44DF-87F0-8A52F6C86488}" = protocol=6 | dir=out | app=system | 
"{FFE0B1E5-D00A-482C-B128-02A151A7FC19}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe | 
"TCP Query User{4A524951-E2F1-4930-A8D7-256EABF07CD8}C:\program files (x86)\logitech\vid hd\vid.exe" = protocol=6 | dir=in | app=c:\program files (x86)\logitech\vid hd\vid.exe | 
"TCP Query User{D4C470A9-22E2-4CDD-9827-68E6512F4D48}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe | 
"TCP Query User{E8B0E57E-9C41-4953-9B76-4658BF5DF8A5}C:\windows\system32\wfs.exe" = protocol=6 | dir=in | app=c:\windows\system32\wfs.exe | 
"UDP Query User{3882AA81-36F4-4549-8FC3-82EE49892C78}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe | 
"UDP Query User{714F6564-787D-48FF-B4BC-B037E439C8CF}C:\program files (x86)\logitech\vid hd\vid.exe" = protocol=17 | dir=in | app=c:\program files (x86)\logitech\vid hd\vid.exe | 
"UDP Query User{7C05C06D-696D-4F3C-AD24-17618C0C4195}C:\windows\system32\wfs.exe" = protocol=17 | dir=in | app=c:\windows\system32\wfs.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
"{90140000-006D-0407-1000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{C768E610-4DFB-4A60-A59B-71549EB7BF75}" = HP Officejet 6600 - Grundlegende Software für das Gerät
"{D5876F0A-B2E9-4376-B9F5-CD47B7B8D820}" = Windows Live Remote Client Resources
"{D930AF5C-5193-4616-887D-B974CEFC4970}" = Windows Live Remote Service Resources
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"WinRAR archiver" = WinRAR 4.20 (64-Bit)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{02627EE5-EACA-4742-A9CC-E687631773E4}" = Nero ShowTime
"{0481A2EA-DA1D-4D10-A7C3-F8237948F6B5}" = Messenger Companion
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{174A3B31-4C43-43DD-866F-73C9DB887B48}" = LWS Twitter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1DDB95A4-FD7B-4517-B3F1-2BCAA96879E6}" = Windows Live Writer Resources
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20400DBD-E6DB-45B8-9B6B-1DD7033818EC}" = Nero InfoTool Help
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2348B586-C9AE-46CE-936C-A68E9426E214}" = Nero StartSmart Help
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java(TM) 6 Update 37
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{33CF58F5-48D8-4575-83D6-96F574E4D83A}" = Nero DriveSpeed
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{415FA9AD-DA10-4ABE-97B6-5051D4795C90}" = HP FWUpdateEDO2
"{4393DE35-AD67-4F37-95E4-30F06EA0FDB2}" = Adobe Creative Suite 3 Design Premium
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{4E8C27C2-D727-4C00-A90E-C3F6376EEE70}" = Nero ControlCenter
"{4F38594F-2C4A-4C42-B2C4-505E225F6F80}" = HP Product Detection
"{505AFDC0-5E72-4928-8368-5DEA385E3647}" = CorelDRAW Graphics Suite 12
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5518E08A-2053-4A3E-85B2-F912D4666C9F}" = Adobe Setup
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{5D9BE3C1-8BA4-4E7E-82FD-9F74FA6815D1}" = Nero Vision Help
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68e38297-863d-403b-8e62-9e1ee3fa702d}" = Nero 9 Essentials
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{7B0D3494-9AB1-43AE-80B0-FD00E9516E55}" = Fighters
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{83202942-84B3-4C50-8622-B8C0AA2D2885}" = Nero Express Help
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{859D4022-B76D-40DE-96EF-C90CDA263F44}" = Windows Live Writer
"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed
"{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}" = Adobe Flash Player 9 Plugin
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90140011-0061-0407-0000-0000000FF1CE}" = Microsoft Office Home and Student 2010 - Deutsch
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{961D53EA-40DC-4156-AD74-25684CE05F81}" = Nero Installer
"{9A875B56-A35C-46BA-A3AA-DF8D03EE9F2F}" = Nero ControlCenter
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{9E48FF52-082C-4CC2-BB67-6E10D09C0431}" = Windows Live UX Platform Language Pack
"{9F3523F8-DAD7-AE52-6DA7-45CDDDF33726}" = Advertising Center
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.1) - Deutsch
"{ACFBE99B-6981-4513-B17E-A2683CEB9EE5}" = Windows Live Mesh
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B1239994-A850-44E2-BED8-E70A21124E16}" = Windows Live Mail
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAAE49C1-2844-4614-BCB9-1485569E344D}" = pdfforge Toolbar v6.9
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C5398A89-516C-4DAF-BA07-EE7949090E56}" = Windows Live Mesh ActiveX control for remote connections
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C818BA3A-226F-4ED0-9CEF-96A0DF300211}" = HP Officejet 6600 Hilfe
"{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}" = Nero Online Upgrade
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CC019E3F-59D2-4486-8D4B-878105B62A71}" = Nero DiscSpeed Help
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CE96F5A5-584D-4F8F-AA3E-9BAED413DB72}" = Nero CoverDesigner Help
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3C605D8-3A5E-4BAD-965D-2C61441BF2AC}" = Adobe Photoshop CS3
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}" = Nero ShowTime
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DFFC0648-BC4B-47D1-93D2-6CA6B9457641}" = OpenOffice.org 3.2
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{E5C7D048-F9B4-4219-B323-8BDB01A2563D}" = Nero DriveSpeed Help
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BDD7C5-89ED-4569-9318-469AA9732572}" = Nero BurnRights Help
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FBCDFD61-7DCF-4E71-9226-873BA0053139}" = Nero InfoTool
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe_061850775b1c6d22bf2a145678e05e0" = Adobe Creative Suite 3 Design Premium hinzufügen oder entfernen
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowLauncher" = Canon Utilities CameraWindow Launcher
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"DPP" = Canon Utilities Digital Photo Professional 3.9
"Driver Genius Professional Edition_is1" = Driver Genius Professional Edition
"EOS Utility" = Canon Utilities EOS Utility
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.11.33.1005
"HP Photo Creations" = HP Photo Creations
"Logitech Vid" = Logitech Vid HD
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
"MyCamera" = Canon Utilities MyCamera
"MyCamera Download Plugin" = CANON iMAGE GATEWAY MyCamera Download Plugin
"NAV" = Norton AntiVirus
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Office14.Click2Run" = Microsoft Office Klick-und-Los 2010
"PhotoStitch" = Canon Utilities PhotoStitch
"SPYWAREfighter" = SPYWAREfighter
"VLC media player" = VLC media player 2.0.1
"WinLiveSuite" = Windows Live Essentials
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Game Organizer" = EasyBits GO
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 13.02.2013 05:37:40 | Computer Name = Goldglas | Source = Application Hang | ID = 1002
Description = Programm iexplore.exe, Version 9.0.8112.16457 kann nicht mehr unter
 Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf 
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
 zu suchen.    Prozess-ID: 1174    Startzeit: 01ce09cc8f6ff2e0    Endzeit: 261    Anwendungspfad:
 C:\Program Files (x86)\Internet Explorer\iexplore.exe    Berichts-ID:   
 
Error - 13.02.2013 05:38:50 | Computer Name = Goldglas | Source = Application Hang | ID = 1002
Description = Programm iexplore.exe, Version 9.0.8112.16457 kann nicht mehr unter
 Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf 
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
 zu suchen.    Prozess-ID: 8fc    Startzeit: 01ce09cc30b3c830    Endzeit: 0    Anwendungspfad: C:\Program
 Files (x86)\Internet Explorer\iexplore.exe    Berichts-ID:   
 
Error - 13.02.2013 11:14:00 | Computer Name = Goldglas | Source = Application Hang | ID = 1002
Description = Programm mbam.exe, Version 1.70.0.9 kann nicht mehr unter Windows 
ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
 um nach weiteren Informationen zum Problem zu suchen.    Prozess-ID: 17fc    Startzeit:
 01ce09fb457cef60    Endzeit: 15    Anwendungspfad: C:\Program Files (x86)\Malwarebytes'
 Anti-Malware\mbam.exe    Berichts-ID: f5b1f411-75ef-11e2-aa64-0030678faac2  
 
Error - 13.02.2013 14:01:18 | Computer Name = Goldglas | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: AVScanningService.exe, Version: 2.1.8.0,
 Zeitstempel: 0x50ca0836  Name des fehlerhaften Moduls: AVScanningService.exe, Version:
 2.1.8.0, Zeitstempel: 0x50ca0836  Ausnahmecode: 0x40000015  Fehleroffset: 0x000cbcdc
ID
 des fehlerhaften Prozesses: 0x6cc  Startzeit der fehlerhaften Anwendung: 0x01ce09cbd08f2c10
Pfad
 der fehlerhaften Anwendung: C:\Program Files (x86)\Common Files\Common Toolkit 
Suite\AVEngine\AVScanningService.exe  Pfad des fehlerhaften Moduls: C:\Program Files
 (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe  Berichtskennung:
 5d7c92f0-7607-11e2-aa64-0030678faac2
 
Error - 13.02.2013 15:00:20 | Computer Name = Goldglas | Source = CVHSVC | ID = 100
Description = Nur zur Information.  (Patch task for {90140011-0061-0407-0000-0000000FF1CE}):
 DownloadLatest Failed: Zurzeit sind keine aktiven Netzwerkverbindungen verfügbar.
 Der Vorgang wird von BITS wiederholt, sobald der Adapter über eine Verbindung verfügt.

 
Error - 13.02.2013 22:39:06 | Computer Name = Goldglas | Source = CVHSVC | ID = 100
Description = Nur zur Information.  (Patch task for {90140011-0061-0407-0000-0000000FF1CE}):
 DownloadLatest Failed: Zurzeit sind keine aktiven Netzwerkverbindungen verfügbar.
 Der Vorgang wird von BITS wiederholt, sobald der Adapter über eine Verbindung verfügt.

 
Error - 14.02.2013 02:48:36 | Computer Name = Goldglas | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 9.0.8112.16464,
 Zeitstempel: 0x50ec971b  Name des fehlerhaften Moduls: ADVAPI32.dll, Version: 6.1.7601.17514,
 Zeitstempel: 0x4ce7b706  Ausnahmecode: 0xc0000005  Fehleroffset: 0x000114d8  ID des fehlerhaften
 Prozesses: 0x1248  Startzeit der fehlerhaften Anwendung: 0x01ce0a7f4c96e1a0  Pfad der
 fehlerhaften Anwendung: C:\Program Files (x86)\Internet Explorer\iexplore.exe  Pfad
 des fehlerhaften Moduls: C:\Windows\syswow64\ADVAPI32.dll  Berichtskennung: 8e3f88f0-7672-11e2-a680-0030678faac2
 
Error - 14.02.2013 02:49:11 | Computer Name = Goldglas | Source = Application Hang | ID = 1002
Description = Programm iexplore.exe, Version 9.0.8112.16464 kann nicht mehr unter
 Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf 
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
 zu suchen.    Prozess-ID: 62c    Startzeit: 01ce0a7f456154b0    Endzeit: 15    Anwendungspfad: 
C:\Program Files (x86)\Internet Explorer\iexplore.exe    Berichts-ID:   
 
Error - 14.02.2013 06:01:58 | Computer Name = Goldglas | Source = CVHSVC | ID = 100
Description = Nur zur Information.  Error: Current process is not trusted Type: 94::InvalidSignature.
 
 
Error - 14.02.2013 07:15:18 | Computer Name = Goldglas | Source = CVHSVC | ID = 100
Description = Nur zur Information.  Error: Current process is not trusted Type: 94::InvalidSignature.
 
 
[ Media Center Events ]
Error - 17.04.2011 03:44:21 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 09:44:14 - Fehler beim Herstellen der Internetverbindung.  09:44:14 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 22.04.2011 06:03:32 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 12:03:21 - Fehler beim Herstellen der Internetverbindung.  12:03:21 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 29.06.2011 01:17:01 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 07:16:47 - Fehler beim Herstellen der Internetverbindung.  07:16:47 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 29.06.2011 02:17:30 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 08:17:19 - Fehler beim Herstellen der Internetverbindung.  08:17:19 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 05.10.2011 10:04:16 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 16:04:16 - Fehler beim Herstellen der Internetverbindung.  16:04:16 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 05.10.2011 10:04:30 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 16:04:23 - Fehler beim Herstellen der Internetverbindung.  16:04:23 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 07.07.2012 10:09:12 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 16:09:12 - Fehler beim Herstellen der Internetverbindung.  16:09:12 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 07.07.2012 10:09:24 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 16:09:23 - MCESpotlight konnte nicht abgerufen werden (Fehler: Der
 Remotename konnte nicht aufgelöst werden: 'data.tvdownload.microsoft.com')  
 
Error - 07.07.2012 10:09:26 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 16:09:25 - MCEClientUX konnte nicht abgerufen werden (Fehler: Der 
Remotename konnte nicht aufgelöst werden: 'data.tvdownload.microsoft.com')  
 
Error - 07.07.2012 10:09:31 | Computer Name = Goldglas | Source = MCUpdate | ID = 0
Description = 16:09:27 - Broadband konnte nicht abgerufen werden (Fehler: Der Remotename
 konnte nicht aufgelöst werden: 'data.tvdownload.microsoft.com')  
 
[ System Events ]
Error - 13.02.2013 03:23:14 | Computer Name = Goldglas | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Diagnosesystemhost" wurde mit folgendem Fehler beendet:
   %%5
 
Error - 13.02.2013 05:23:30 | Computer Name = Goldglas | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?13.?02.?2013 um 10:21:14 unerwartet heruntergefahren.
 
Error - 13.02.2013 05:29:50 | Computer Name = Goldglas | Source = Service Control Manager | ID = 7009
Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst
 Windows Media Player-Netzwerkfreigabedienst erreicht.
 
Error - 13.02.2013 05:29:50 | Computer Name = Goldglas | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Windows Media Player-Netzwerkfreigabedienst" wurde aufgrund
 folgenden Fehlers nicht gestartet:   %%1053
 
Error - 13.02.2013 05:30:41 | Computer Name = Goldglas | Source = DCOM | ID = 10010
Description = 
 
Error - 13.02.2013 14:49:10 | Computer Name = Goldglas | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?13.?02.?2013 um 19:46:13 unerwartet heruntergefahren.
 
Error - 13.02.2013 22:05:12 | Computer Name = Goldglas | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework
 4 unter Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server
 2008, Windows Server 2008 R2 für x64-basierte Systeme (KB2789642)
 
Error - 14.02.2013 02:49:24 | Computer Name = Goldglas | Source = DCOM | ID = 10010
Description = 
 
Error - 14.02.2013 05:52:42 | Computer Name = Goldglas | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Superfetch" wurde mit folgendem Fehler beendet:   %%5
 
Error - 14.02.2013 06:39:31 | Computer Name = Goldglas | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
 Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework
 4 unter Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server
 2008, Windows Server 2008 R2 für x64-basierte Systeme (KB2789642)
 
 
< End of report >
         

14.02.2013, 14:33   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Why OTL now after all? You were supposed to leave that alone and carry on with the other tools... please read my posts a bit more carefully!
__________________
Please always post logfiles in CODE tags

14.02.2013, 14:50   #9
Platin96

I can't paste it in here because it's too big. What should I do?

GMER 2.txt:
The file you are trying to attach is too large. The maximum file size for this file type is 97.7 KB. Your file is 165.9 KB.

Quote from cosinus:
Why OTL now after all? You were supposed to leave that alone and carry on with the other tools... please read my posts a bit more carefully!

Sorry, I saw that too late!

Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.14.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Heiner :: GOLDGLAS [limited]

14.02.2013 15:23:32
mbar-log-2013-02-14 (15-23-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 32851
Time elapsed: 22 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

14.02.2013, 15:33   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

For the third time, please post the logs in CODE tags!!

Only if the log is too large, as may be the case with GMER here, should you zip it and attach it; otherwise always post it directly, and in CODE tags.

14.02.2013, 15:54   #11
Platin96

Code:
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.14.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Heiner :: GOLDGLAS [limited]

14.02.2013 15:23:32
mbar-log-2013-02-14 (15-23-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 32851
Time elapsed: 22 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
         

Sorry, I'm unfortunately not very good at this, but I'm learning!


edit
redundant log and quote removed
cosinus
/edit

Last edited by cosinus (14.02.2013 at 16:19)

15.02.2013, 09:30   #12
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Quote:
Heiner :: GOLDGLAS [limited]

Why limited? Isn't it rather obvious that you need admin rights?
Repeat the scan with admin rights.
I'm also still waiting for the GMER log; how to get it in here has been explained.

15.02.2013, 10:33   #13
Platin96

Quote from cosinus:
Why limited? Isn't it rather obvious that you need admin rights?
Repeat the scan with admin rights.
I'm also still waiting for the GMER log; how to get it in here has been explained.

OK, I thought I had done that as admin. GMER is still running; I only started it this morning.

Quote from cosinus:
For the third time, please post the logs in CODE tags!!

Only if the log is too large, as may be the case with GMER here, should you zip it and attach it; otherwise always post it directly, and in CODE tags.

What do I do if the GMER log can't be copied because it's too big? Copy it piece by piece?

Unfortunately it kept crashing when scanning both drives. For now I have scanned only C. Q is next....

Code:
GMER 2.0.18454 - hxxp://www.gmer.net
Rootkit scan 2013-02-15 17:18:56
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 SAMSUNG_ rev.1AJ1 931,51GB
Running: gmer_2.0.18454.exe; Driver: C:\Users\Heiner\AppData\Local\Temp\fxldqpob.sys


---- User code sections - GMER 2.0 ----

.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                            0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                              0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                            0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                            000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                               00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                        00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                               000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                        0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                              000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                   0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                            000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                              0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                 000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                              00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                            00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                        00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                        00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                 0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                   0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                 0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                 000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                    00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                             00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                    000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                             0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                   000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                        0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                 000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                   0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                      000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                   00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                 00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                             00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                             00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                  0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                    0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                  0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                  000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                     00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                              00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                     000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                              0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                    000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                         0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                  000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                    0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                       000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                    00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                  00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                              00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                              00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                           0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                             0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                           0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                           000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                              00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                       00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                              000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                       0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                             000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                  0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                           000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                             0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                             00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                           00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                       00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                       00000000779916bd 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17                                                                                                                 0000000077991401 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17                                                                                                                   0000000077991419 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17                                                                                                                 0000000077991431 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42                                                                                                                 000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17                                                                                                                    00000000779914dd 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17                                                                                                             00000000779914f5 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17                                                                                                                    000000007799150d 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17                                                                                                             0000000077991525 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17                                                                                                                   000000007799153d 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17                                                                                                                        0000000077991555 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17                                                                                                                 000000007799156d 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17                                                                                                                   0000000077991585 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17                                                                                                                      000000007799159d 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17                                                                                                                   00000000779915b5 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17                                                                                                                 00000000779915cd 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20                                                                                                             00000000779916b2 2 bytes [99, 77]
.text    C:\Users\Heiner\AppData\Roaming\Dropbox\bin\Dropbox.exe[3784] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31                                                                                                             00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                             0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                               0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                             0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                             000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                         00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                         0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                               000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                    0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                             000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                               0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                  000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                               00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                             00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                         00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[3712] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                         00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960  000000002d2b5984 4 bytes [A4, 48, 15, 0D]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                     0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                       0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                     0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                     000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                        00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                 00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                        000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                 0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                       000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                            0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                     000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                       0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                          000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                       00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                     00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                 00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3168] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                 00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                             0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                               0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                             0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                             000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                         00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                         0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                               000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                    0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                             000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                               0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                  000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                               00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                             00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                         00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                         00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                               0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                 0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                               0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                               000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                  00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                           00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                  000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                           0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                 000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                      0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                               000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                 0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                    000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                 00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                               00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                           00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                           00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                                   0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                                     0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                                   0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                                   000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                      00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                               00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                      000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                               0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                                     000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                          0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                                   000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                                     0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                        000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                                     00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                                   00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                               00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\Tray\FightersTray.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                               00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                     0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                       0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                     0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                     000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                        00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                 00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                        000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                 0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                       000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                            0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                     000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                       0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                          000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                       00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                     00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                 00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                 00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                             0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                               0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                             0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                             000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                         00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                         0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                               000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                    0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                             000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                               0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                  000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                               00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                             00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                         00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Fighters\SPYWAREfighter\swproTray.exe[172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                         00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                           0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                             0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                           0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                           000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                              00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                       00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                              000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                       0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                             000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                  0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                           000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                             0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                             00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                           00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                       00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                       00000000779916bd 2 bytes [99, 77]
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                                                                                                00000000779df9c0 5 bytes JMP 000000016c295f49
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                                                                                                          00000000779df9d8 5 bytes JMP 000000016c296411
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                                                                                                              00000000779dfa08 5 bytes JMP 000000016c29016d
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                                                                                                    00000000779dfa20 5 bytes JMP 000000016c28fbca
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                                                                                                             00000000779dfa70 5 bytes JMP 000000016c28fa44
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                                                                                                        00000000779dfa88 2 bytes JMP 000000016c28fb52
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3                                                                                                                                                                    00000000779dfa8b 2 bytes [8B, F4]
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                                                                                                            00000000779dfb20 5 bytes JMP 000000016c290424
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                                                   00000000779dfc18 5 bytes JMP 000000016c294369
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                                                                                                         00000000779dfd2c 5 bytes JMP 000000016c28f9cc
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                                             00000000779dfd44 5 bytes JMP 000000016c294959
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                                                                                                   00000000779dfd78 5 bytes JMP 000000016c2939de
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                                                                                                      00000000779dfe24 5 bytes JMP 000000016c295fc4
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                                                                                                  00000000779dfe3c 5 bytes JMP 000000016c294adb
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                                           00000000779e0094 5 bytes JMP 000000016c294791
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                                                          00000000779e01a4 5 bytes JMP 000000016c28fc42
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                                                                                                           00000000779e09c4 5 bytes JMP 000000016c294584
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                                                                                                            00000000779e09dc 5 bytes JMP 000000016c28cc5b
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                                                       00000000779e0a24 5 bytes JMP 000000016c28cd29
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                                                                                                             00000000779e0b60 5 bytes JMP 000000016c28ccc2
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                                                                                                      00000000779e0f50 5 bytes JMP 000000016c28fcba
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                                                                             00000000779e0f68 5 bytes JMP 000000016c28ff45
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                                                                                                            00000000779e0ff8 5 bytes JMP 000000016c2901fd
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                                                                                                              00000000779e131c 5 bytes JMP 000000016c294b6b
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                                                                                                00000000779e145c 5 bytes JMP 000000016c28fec9
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                                                                                                  00000000779e1508 5 bytes JMP 000000016c296389
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                                                                                                            00000000779e16f8 1 byte JMP 000000016c28d138
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2                                                                                                                                                                        00000000779e16fa 3 bytes {JMP 0xfffffffff48aba40}
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                                                                                                    00000000779e1a38 5 bytes JMP 000000016c28facc
.text    C:\Program[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                                                                                                    00000000779e1b7c 5 bytes JMP 000000016c29616c
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                                                                                                      000000007700103d 5 bytes JMP 000000016c2693a9
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                                                                                                      0000000077001072 5 bytes JMP 000000016c2694e7
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                                                                                                000000007702c9b5 5 bytes JMP 000000016c26971d
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                                                                                                    00000000770800c3 5 bytes JMP 000000016c269efe
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                                                                                                    000000007708016b 5 bytes JMP 000000016c26a231
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                                                                                                             0000000077082c91 5 bytes JMP 000000016c269aa0
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                                                                                                        00000000770a6b3e 5 bytes JMP 000000016c297431
.text    C:\Program[1900] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                                                                                                       00000000770a6c02 5 bytes JMP 000000016c297443
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                0000000077991401 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                  0000000077991419 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                0000000077991431 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                000000007799144a 2 bytes [99, 77]
.text    ...                                                                                                                                                                                                                                   * 9
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                   00000000779914dd 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                            00000000779914f5 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                   000000007799150d 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                            0000000077991525 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                  000000007799153d 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                       0000000077991555 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                000000007799156d 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                  0000000077991585 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                     000000007799159d 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                  00000000779915b5 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                00000000779915cd 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                            00000000779916b2 2 bytes [99, 77]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                            00000000779916bd 2 bytes [99, 77]
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                00000000779df9c0 5 bytes JMP 000000016c295f49
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                          00000000779df9d8 5 bytes JMP 000000016c296411
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                              00000000779dfa08 5 bytes JMP 000000016c29016d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                    00000000779dfa20 5 bytes JMP 000000016c28fbca
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                             00000000779dfa70 5 bytes JMP 000000016c28fa44
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                        00000000779dfa88 2 bytes JMP 000000016c28fb52
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3                                                                                    00000000779dfa8b 2 bytes [8B, F4]
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                            00000000779dfb20 5 bytes JMP 000000016c290424
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                   00000000779dfc18 5 bytes JMP 000000016c294369
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                         00000000779dfd2c 5 bytes JMP 000000016c28f9cc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                             00000000779dfd44 5 bytes JMP 000000016c294959
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                   00000000779dfd78 5 bytes JMP 000000016c2939de
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                      00000000779dfe24 5 bytes JMP 000000016c295fc4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                  00000000779dfe3c 5 bytes JMP 000000016c294adb
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                           00000000779e0094 5 bytes JMP 000000016c294791
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                          00000000779e01a4 5 bytes JMP 000000016c28fc42
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                           00000000779e09c4 5 bytes JMP 000000016c294584
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                            00000000779e09dc 5 bytes JMP 000000016c28cc5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                       00000000779e0a24 5 bytes JMP 000000016c28cd29
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                             00000000779e0b60 5 bytes JMP 000000016c28ccc2
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                      00000000779e0f50 5 bytes JMP 000000016c28fcba
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                             00000000779e0f68 5 bytes JMP 000000016c28ff45
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                            00000000779e0ff8 5 bytes JMP 000000016c2901fd
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                              00000000779e131c 5 bytes JMP 000000016c294b6b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                00000000779e145c 5 bytes JMP 000000016c28fec9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                  00000000779e1508 5 bytes JMP 000000016c296389
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                            00000000779e16f8 1 byte JMP 000000016c28d138
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2                                                                                        00000000779e16fa 3 bytes {JMP 0xfffffffff48aba40}
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                    00000000779e1a38 5 bytes JMP 000000016c28facc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                    00000000779e1b7c 5 bytes JMP 000000016c29616c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                      000000007700103d 5 bytes JMP 000000016c2693a9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                      0000000077001072 5 bytes JMP 000000016c2694e7
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                000000007702c9b5 5 bytes JMP 000000016c26971d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                    00000000770800c3 5 bytes JMP 000000016c269efe
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                    000000007708016b 5 bytes JMP 000000016c26a231
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                             0000000077082c91 5 bytes JMP 000000016c269aa0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                        00000000770a6b3e 5 bytes JMP 000000016c297431
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                       00000000770a6c02 5 bytes JMP 000000016c297443
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                    0000000075b72aa4 5 bytes JMP 000000016c26a43c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                                       0000000075dc8a29 5 bytes JMP 000000016c297419
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                                       0000000075dcd22e 5 bytes JMP 000000016c297401
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\GDI32.dll!AddFontResourceW                                                                                       0000000075a4d2b2 5 bytes JMP 000000016c277617
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\GDI32.dll!AddFontResourceA                                                                                       0000000075a4d7bb 5 bytes JMP 000000016c2775fb
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW                                                                              0000000075d01e3a 7 bytes JMP 000000016c27a3b9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW                                                                               0000000075d0b466 7 bytes JMP 000000016c27b2da
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW                                                                                  0000000075d278ff 7 bytes JMP 000000016c27aa60
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW                                                                              0000000075d279bb 7 bytes JMP 000000016c27ac11
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA                                                                               0000000075d2a3e2 7 bytes JMP 000000016c27b3a0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                                0000000075d42538 5 bytes JMP 000000016c26985f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA                                                                                  0000000075d61b94 7 bytes JMP 000000016c27ab18
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA                                                                              0000000075d61c31 7 bytes JMP 000000016c27acc9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA                                                                                 0000000075d62021 7 bytes JMP 000000016c27b21c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA                                                                              0000000075d62104 7 bytes JMP 000000016c27a470
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW                                                                                 0000000075d62221 5 bytes JMP 000000016c27b15e
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ControlService                                                                                       0000000075394d5c 7 bytes JMP 000000016c27a1fe
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle                                                                                   0000000075394dc3 7 bytes JMP 000000016c27a527
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus                                                                                   0000000075394e4b 7 bytes JMP 000000016c27a28a
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx                                                                                 0000000075394eaf 7 bytes JMP 000000016c27a31d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!StartServiceW                                                                                        0000000075394f35 7 bytes JMP 000000016c27a079
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!StartServiceA                                                                                        000000007539508d 7 bytes JMP 000000016c27a10f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity                                                                           00000000753950f4 7 bytes JMP 000000016c27b02c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                             0000000075395181 7 bytes JMP 000000016c27b0c8
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                                 0000000075395254 7 bytes JMP 000000016c27a728
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                                 00000000753953d5 7 bytes JMP 000000016c27a643
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                                00000000753954c2 7 bytes JMP 000000016c27a9ca
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                                00000000753955e2 7 bytes JMP 000000016c27a934
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                       000000007539567c 7 bytes JMP 000000016c279e5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                       000000007539589f 7 bytes JMP 000000016c279d85
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                        0000000075395a22 7 bytes JMP 000000016c27a5b5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA                                                                                  0000000075395a83 7 bytes JMP 000000016c27ae5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW                                                                                  0000000075395b29 7 bytes JMP 000000016c27adc2
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA                                                                                    0000000075395ca0 7 bytes JMP 000000016c279535
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW                                                                                    0000000075395d8c 7 bytes JMP 000000016c2794bc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW                                                                                       00000000753963ad 7 bytes JMP 000000016c279a83
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA                                                                                       00000000753964f0 7 bytes JMP 000000016c279b0f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A                                                                                 0000000075396633 7 bytes JMP 000000016c27af90
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W                                                                                 000000007539680c 7 bytes JMP 000000016c27aef4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!OpenServiceW                                                                                         000000007539714b 7 bytes JMP 000000016c279bf8
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\SysWOW64\sechost.dll!OpenServiceA                                                                                         0000000075397245 7 bytes JMP 000000016c279c84
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid                                                                                      00000000755cc56e 5 bytes JMP 000000016c2811c4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7                                                                               00000000755cea09 7 bytes JMP 000000016c281795
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!OleRun                                                                                                 00000000755d07de 5 bytes JMP 000000016c281650
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject                                                                                  00000000755d21e1 5 bytes JMP 000000016c2822c5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!OleUninitialize                                                                                        00000000755deba1 6 bytes JMP 000000016c28156f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!OleInitialize                                                                                          00000000755defd7 5 bytes JMP 000000016c2814ff
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoGetPSClsid                                                                                           00000000755e26b9 5 bytes JMP 000000016c28133c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoGetClassObject                                                                                       00000000755f54ad 5 bytes JMP 000000016c282853
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoInitializeEx                                                                                         00000000756009ad 5 bytes JMP 000000016c2813af
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoUninitialize                                                                                         00000000756086d3 5 bytes JMP 000000016c281431
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                                                                       0000000075609d0b 5 bytes JMP 000000016c283b21
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                     0000000075609d4e 5 bytes JMP 000000016c281c5c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7                                                                              000000007562bb09 7 bytes JMP 000000016c2816c0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject                                                                                    000000007564eacf 5 bytes JMP 000000016c280c21
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile                                                                                  000000007568340b 5 bytes JMP 000000016c282d13
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc                                                                                    00000000756ccfd9 5 bytes JMP 000000016c2815da
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject                                                                                000000007533279e 5 bytes JMP 000000016c280eb4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject                                                                                  0000000075333294 5 bytes JMP 000000016c280fd5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[1640] C:\Windows\syswow64\oleaut32.dll!GetActiveObject                                                                                     0000000075348f40 5 bytes JMP 000000016c281048

---- User IAT/EAT - GMER 2.0 ----

IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]                                                       [7fef87c2750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]                                                   [7fef87c2b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]                                           [7fef87c7de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]                                                    [7fef87c8130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]                                            [7fef87c1908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]                                                     [7fef87c1c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]                                                    [7fef87c81d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]                                                            [7fef87c2878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]                                              [7fef87c7a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement]                                                      [7fef87c6c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]                                               [7fef87c77bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]                                                  [7fef87c7064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]                                                   [7fef87c6544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2488] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]                                                     [7fef87c5e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.0 ----

Thread   C:\Windows\system32\svchost.exe [2204:2240]                                                                                                                                                                                           000007fef9a85fd0
Thread   C:\Windows\system32\svchost.exe [2204:2244]                                                                                                                                                                                           000007fef9593438
Thread   C:\Windows\system32\svchost.exe [2204:2248]                                                                                                                                                                                           000007fef9a863ec
Thread   C:\Windows\system32\svchost.exe [2204:2252]                                                                                                                                                                                           000007fef92df454

---- Processes - GMER 2.0 ----

Library  Q:\140061.deu\Office14\ONENOTEM.EXE (*** suspicious ***) @ Q:\140061.deu\Office14\ONENOTEM.EXE [1900]                                                                                                                                 000000002ddc0000

---- EOF - GMER 2.0 ----

Alt 15.02.2013, 18:20   #14
Platin96

Backdoor.Trojan

.....so here is the second part, this time it went without problems. I hope I did everything right. The computer now only boots slowly. Then, after logging in, I sometimes get a black screen with a window "System 32"...or something like that. In any case, it then doesn't do anything anymore.

Alt 15.02.2013, 19:58   #15
Platin96

Backdoor.Trojan

Code:
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org

Database version: v2013.02.15.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Heiner :: GOLDGLAS [administrator]

15.02.2013 19:52:48
mbar-log-2013-02-15 (19-52-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 32776
Time elapsed: 21 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

So, have I done everything now? If anything is missing, please post. But I won't be back at the computer until Sunday. Many thanks in advance.
