Avira blocked by group policies and Trojan.fakems

Good evening, I have a problem on my PC (presumably an infection by a trojan) and need your help with it. Identical cases are already known and I have already read through them at HijackThis. Several statements confirm that each case should be handled individually to avoid serious damage. The following problem occurred:
- About 1 week ago the Windows control center reported that my antivirus program Avira is inactive. I then simply tried to switch it back on - in vain.
- Next I tried to start the program from the desktop - also no success; the message "Program was blocked by a group policy" appeared. After some research, a trojan is held responsible for this.
- I tried to uninstall Avira via the Control Panel - also no success.
- I then downloaded and installed avast (presumably a mistake, since two antivirus programs should not be installed at the same time).
- The program currently runs without problems and I think it serves its purpose.
- Today I ran a check with Malwarebytes and found 2 trojans: Trojan.fakems.
- I then came to your forum and ask for help in solving the problem!
Hello uuuuuvex, and welcome.

My name is Leo and I will guide you through cleaning your computer. One thing up front: I cannot give you any guarantee that I will find everything. With serious infections, formatting and reinstalling is usually the faster and always the safer way. If you decide on a clean-up, then we should proceed thoroughly. So stay with it until I clearly tell you that we are done. Even if the conspicuous symptoms disappear early on, that does not mean your computer is already clean and safe.
Here we go: Quote:
Additionally:
Step 1 Please download defogger (by jpshortstuff) to your desktop.
Step 2 Please download
Step 3 Please download OTL (by Oldtimer) and save it to your desktop.
Please post in your next reply:
here is what Malwarebytes found:
Malwarebytes Anti-Malware
www.malwarebytes.org

Datenbank Version: v2013.05.24.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: xxx-PC [Administrator]

24.05.2013 21:10:08
MBAM-log-2013-05-24 (21-37-35).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 207913
Laufzeit: 13 Minute(n), 58 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\Users\xxx\AppData\Roaming\Cuelle\libnspr4.dll (Trojan.FakeMS) -> Keine Aktion durchgeführt.
C:\Users\xxx\AppData\Local\Temp\libnspr4.dll (Trojan.FakeMS) -> Keine Aktion durchgeführt.

(Ende)
Free Antivirus [2013.05.18 14:20:42 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys [2013.05.18 14:20:41 | 000,368,944 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys [2013.05.18 14:20:37 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys [2013.05.18 14:20:37 | 000,049,760 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys [2013.05.18 14:20:36 | 000,765,736 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys [2013.05.18 14:20:29 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys [2013.05.18 14:20:28 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe [2013.05.18 14:18:40 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr [2013.05.18 14:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software [2013.05.18 14:16:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software [2013.05.17 18:42:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hochzeit xxx und xxx 11.05.13 [2013.05.17 18:35:42 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hamburg 28.02.-01.03.13 [2013.05.01 15:05:43 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Bridge [2013.05.01 15:00:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Spiegel [2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Ogvuuq [2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Galyy [2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Cuelle ========== Files - Modified Within 30 Days ========== [2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe [2013.05.24 21:36:00 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable [2013.05.24 21:35:00 | 000,050,477 | ---- | M] () -- C:\Users\xxx\Desktop\Defogger.exe [2013.05.24 21:08:59 | 000,000,908 | ---- | M] () -- 
C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.05.24 20:55:02 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.05.24 20:49:16 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.05.24 20:36:58 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml [2013.05.24 20:36:55 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.05.24 20:36:23 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.05.24 20:36:23 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.05.24 20:36:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.05.24 20:36:10 | 3147,841,536 | -HS- | M] () -- C:\hiberfil.sys [2013.05.23 18:27:37 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2013.05.22 21:07:17 | 000,025,600 | ---- | M] () -- C:\Users\xxx\Documents\Geld 2012 Bär.xlr [2013.05.22 21:07:17 | 000,002,180 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat [2013.05.18 14:20:44 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! 
Free Antivirus.lnk [2013.05.18 14:20:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2013.05.18 12:25:27 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk [2013.05.17 18:31:08 | 000,623,280 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.05.17 18:31:08 | 000,591,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.05.17 18:31:08 | 000,125,378 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.05.17 18:31:08 | 000,103,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.05.17 16:14:18 | 000,020,992 | ---- | M] () -- C:\Users\xxx\Documents\Prinzessinnengeld1.xlr [2013.05.16 16:25:35 | 000,340,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.05.13 21:07:19 | 000,030,727 | ---- | M] () -- C:\Users\xxx\Documents\Waage.ods [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () -- C:\Windows\System32\drivers\aswRvrt.sys [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys [2013.05.09 10:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr [2013.05.09 10:58:28 | 000,229,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe ========== Files Created - No Company Name ========== [2013.05.24 21:36:00 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable [2013.05.24 21:34:59 | 000,050,477 
| ---- | C] () -- C:\Users\xxx\Desktop\Defogger.exe [2013.05.24 21:08:59 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2013.05.18 14:20:44 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013.05.18 14:20:35 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys [2013.05.18 14:20:34 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys [2013.02.16 22:35:03 | 000,016,311 | ---- | C] () -- C:\Users\xxx\.TransferManager.db [2013.01.27 12:24:29 | 000,000,246 | ---- | C] () -- C:\Windows\wininit.ini [2012.12.18 11:06:10 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.12.18 11:06:06 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll [2012.12.18 11:06:06 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll [2012.12.18 11:06:06 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll [2012.12.18 11:06:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll [2012.09.18 17:31:20 | 000,000,857 | ---- | C] () -- C:\Users\xxx\.recently-used.xbel [2011.03.13 20:55:05 | 000,000,680 | ---- | C] () -- C:\Users\xxx\AppData\Local\d3d9caps.dat [2010.02.09 19:13:58 | 000,005,184 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini [2009.07.15 17:35:28 | 000,002,180 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat [2009.06.15 19:09:41 | 000,026,624 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- 
[2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.12.19 17:35:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\1&1 Mail & Media GmbH [2013.03.29 16:29:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\AnvSoft [2013.03.31 15:07:11 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\BabSolution [2013.03.31 15:03:02 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Babylon [2013.05.18 15:40:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Cuelle [2013.05.24 20:39:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Dropbox [2011.12.17 10:21:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\fotobuch.de AG [2013.05.01 13:35:35 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Galyy [2012.09.18 17:31:20 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\gtk-2.0 [2012.09.07 17:50:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICAClient [2012.05.28 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICQ [2009.06.13 22:45:08 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\InterVideo [2012.09.26 17:06:06 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Langenscheidt [2013.05.18 14:58:03 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ogvuuq [2009.08.27 19:05:39 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\OpenOffice.org [2013.03.31 15:03:24 | 000,000,000 | ---D | M] 
-- C:\Users\xxx\AppData\Roaming\Optimizer Pro [2013.02.16 20:29:31 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Samsung [2010.09.30 19:21:04 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Template [2009.06.13 14:03:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vodafone ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:9F683177 @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:CF5C4195 @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:8AB6C1D7 < End of report > Code:
OTL Extras logfile created on: 24.05.2013 21:39:43 - Run 1
OTL by OldTimer - Version  Folder = C:\Users\xxx\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,93 Gb Total Physical Memory | 1,86 Gb Available Physical Memory | 63,39% Memory free
6,08 Gb Paging File | 4,78 Gb Available in Paging File | 78,63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 171,26 Gb Free Space | 59,45% Space Free | Partition Type: NTFS

Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\fotobuch.de\Designer 2.0\Designer.exe" = C:\Program Files\fotobuch.de\Designer 2.0\Designer.exe:*:Designer.exe

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A3BD388-905E-4422-A3AB-058F0033DADC}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{4C61EE98-FB3D-4F45-9FF5-81ECE62DE238}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{900498E1-C173-4FAE-8A5D-8010D9583F03}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9D71D38C-5C9C-4549-80D8-EE0A1CC0E958}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{C3790585-1710-432A-A849-50C85C1097B8}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{DB432D38-975F-4BF8-B5FF-056D1E175ABE}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{EAFEFA52-399B-4130-9C9E-6354650C70F5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F6EB0082-5EF1-4270-A308-A45494A56F22}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{15A86B15-ACA3-461F-9A29-75583740A0E6}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{247C3C74-70DC-4ADD-A55D-EC3102B0307B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{37B17D1C-10FD-4515-91A3-F27935568514}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{3A526904-A7B2-47AD-BFBB-858EFAA21C5B}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{3FBB7E09-CE47-4A81-AB75-079E9F83C455}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{49612362-6B51-4A59-BF2D-D7A92CB5DC91}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{4F0D85D6-85AF-4EEC-BFAD-88AAC234B37A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{6B256466-A6F0-4136-B7CC-4A828A0923B2}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{72886A47-67AD-424E-95EC-0EB068403ED2}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{75C39AEF-D685-4527-A325-D37649D889DE}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{794BE6CF-4F82-4575-B5B2-B8B635A5C188}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{84872F10-4805-4391-A694-59230A86BE9A}" = protocol=17 | dir=in | app=c:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe |
"{87FB78AD-283D-4550-A0FD-0842B5A42E4E}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{8E49ACE9-78E0-4A9D-8948-A3796F92AE29}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{A2E5D1A0-0821-4EC1-896E-DD32653060A7}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A51038BF-001D-4763-8481-C84D47E6164D}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{A547F228-9382-46A1-9524-FED56E51321B}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"{B8B2DE30-982D-4580-A249-D040D455E8B0}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BF279619-05D7-497B-A8BE-2137CFB9004F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{C85875EB-D6A4-41F6-9E86-6B68C2DAE271}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{CC92A875-0703-4E1B-8B46-3DB4E252DFE7}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{DE84BDD0-987A-473A-9EF6-C0667F271B29}" = protocol=6 | dir=in | app=c:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe |
"{EA0771F1-07BC-4318-8D94-D028E0079289}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F2D77A8D-D782-4116-96A1-12217C395BC2}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe |
"{F61E56FE-7FC7-44C3-9392-D66382E6C8AE}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{FCE9531D-B7BB-497F-B37A-3447CD35D7EB}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"TCP Query User{1A572BB1-4FAB-42B3-BE7C-DE968AAD6BD1}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"TCP Query User{1F9437C7-4A6A-434B-A5F8-761E345697BA}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |
"TCP Query User{2E5C3701-36FF-4F9E-9107-F3C3BF638B07}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{30D452E1-FBD2-4F8F-AD8E-E5D76CED1E8B}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{3F411AF7-C9B6-421F-A0F6-2B69FA10A4DC}C:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\astrid\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{4F7DB614-5D91-4494-8E95-A8A99AAE47EA}C:\program files\icq7.2\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe |
"TCP Query User{6AE8AC03-104E-4F26-A6E3-01FCC3F8F474}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{AB0F7B42-B527-41C2-94ED-DCF5F07FD8EB}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe |
"TCP Query User{D4CE7A5B-E799-47C9-98E4-AB3F27284503}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |
"TCP Query User{E17FC99A-D425-4AE1-AFE1-9AD97BD67572}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"TCP Query User{FFE87A3E-D0D3-4794-B544-45CEEDC63246}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{0DC868F5-0B7F-4C92-881F-871CD17C7868}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{401C38BD-DD94-4283-A1FE-4F116EDDF5A0}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{5748D7CB-DB48-440D-A6AE-7C611CE9747F}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{611A4B4A-A32B-46F6-8DB4-B4BDEF336C70}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |
"UDP Query User{7092F445-D93F-40B5-9D46-4A5C1FEE0DC1}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{83985F17-B5EC-4FCE-B397-5C58D60D4DB0}C:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\astrid\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{8F3467DC-BC4D-4F3E-8C01-C4A901352624}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |
"UDP Query User{965484C4-FBC3-452C-B290-CCB9ED06B3ED}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe |
"UDP Query User{D54BA3D7-94E9-4FFC-A24A-EE4C682E1C60}C:\program files\icq7.2\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe |
"UDP Query User{DD79B672-F749-4AA4-8DCE-2E923190614D}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"UDP Query User{EAE5C0D8-9007-46CC-9CF2-FBBCC39472AA}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2700_series" = Canon iP2700 series Printer Driver
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{2DE9C112-2482-4D27-AA90-1504DFD9F117}" = Citrix Authentication Manager
"{2EA6C7A4-9178-4C04-887E-D3515F4AAC1B}" = Online Plug-in
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{452F5D68-F680-4F84-9146-509C0DFEB8D6}" = Citrix Receiver (USB)
"{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{589D1E78-A6BA-485D-85D9-83F9E3DC1379}" = Vokabeltrainer En Vivo A1
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{73A32AC6-C6DE-410E-8869-83E5D725DDE0}" = Citrix Receiver(Aero)
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = eMachines ScreenSaver
"{7CE1F876-6012-431F-A514-C67107D6D8E1}" = Citrix Receiver (DV)
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = eMachines Recovery Management
"{82149c0c-52f4-42eb-9683-55ae065bad30}" = Begado
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11019760}" = eMachines
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{8EC50898-E24A-4C0C-A1F2-A71A8DBF291F}" = Citrix Receiver Inside
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{58FC5E37-DD28-4D4A-A549-125744C6763C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{888B9AC7-8F5C-456B-A27A-157A6C310E52}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{99E862CC-6F69-4D39-99AA-DBF71BF3B585}" = OpenOffice.org 3.1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A4987FC4-33BE-4227-B290-FAA1819B65C2}" = Vokabeltrainer-Update 5.0.27
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.5 - Deutsch
"{B48A3CE4-2F1E-45EF-841A-C0A3C407EB0F}" = Self-Service Plug-in
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CC4BBCBA-89F6-47C3-9B0F-5CE5BB1C316C}" = WEB.DE Toolbar MSVC100 CRT x86
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D2A27492-2F6B-49BE-A4E4-BFCE01828FB7}" = Citrix Receiver (HDX Flash-Umleitung)
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"1&1 Mail & Media GmbH 1und1Softwareaktualisierung" = WEB.DE Softwareaktualisierung
"1&1 Mail & Media GmbH Toolbar FF" = WEB.DE Toolbar für Mozilla Firefox
"1&1 Mail & Media GmbH Toolbar IE8" = WEB.DE Toolbar für Internet Explorer
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Any Video Converter 5_is1" = Any Video Converter 5 5.0.4
"avast" = avast! Free Antivirus
"Avira AntiVir Desktop" = Avira Free Antivirus
"Canon iP2700 series Benutzerregistrierung" = Canon iP2700 series Benutzerregistrierung
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CitrixOnlinePluginPackWeb" = Citrix Receiver
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ElsterFormular" = ElsterFormular
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NAVIGON Fresh" = NAVIGON Fresh 3.4.1
"PokerStars" = PokerStars
"PokerStars.net" = PokerStars.net
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinGimp-2.0_is1" = GIMP 2.6.11

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"MyFreeCodec" = MyFreeCodec

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 19.05.2013 08:06:49 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 19.05.2013 11:41:54 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 20.05.2013 05:40:21 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 20.05.2013 13:28:42 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 21.05.2013 11:14:13 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 21.05.2013 13:27:37 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 21.05.2013 13:32:45 | Computer Name = xxx-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 22.05.2013 10:30:31 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 22.05.2013 13:45:06 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 24.05.2013 07:35:57 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

Error - 24.05.2013 14:37:55 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 16.05.2013 12:09:49 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 18.05.2013 06:25:15 | Computer Name = xxx-PC | Source = DCOM | ID = 10005
Description =

Error - 18.05.2013 06:25:15 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 18.05.2013 06:25:15 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 19.05.2013 11:43:19 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 19.05.2013 11:43:20 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 19.05.2013 11:44:36 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 19.05.2013 11:44:36 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 20.05.2013 05:40:22 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 20.05.2013 05:40:22 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description =

< End of report >

Last edited by uuuuuvex (25.05.2013 at 10:17)
GMER log file:
7660A07E 5 Bytes JMP 00170600 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00180600 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00180804 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00180A08 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001801F8 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001803FC .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001501F8 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001503FC .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text 
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00160600 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00160804 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00160A08 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001601F8 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001603FC .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001703FC .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00170600 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Windows\RtHDVCpl.exe[2976] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Windows\RtHDVCpl.exe[2976] 
ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Windows\RtHDVCpl.exe[2976] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001703FC .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00170600 .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Windows\RtHDVCpl.exe[2976] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Windows\RtHDVCpl.exe[2976] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00180600 .text C:\Windows\RtHDVCpl.exe[2976] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00180804 .text C:\Windows\RtHDVCpl.exe[2976] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00180A08 .text C:\Windows\RtHDVCpl.exe[2976] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001801F8 .text C:\Windows\RtHDVCpl.exe[2976] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001803FC .text C:\Windows\system32\svchost.exe[2996] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2996] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2996] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 
00071014 .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[2996] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[2996] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[2996] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[2996] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[2996] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\svchost.exe[2996] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 000803FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001501F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001503FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00160600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00160804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00160A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001603FC .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[3016] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 000B0E10 .text 
C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[3016] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[3016] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[3016] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[3016] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[3016] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 000C03FC .text C:\Windows\System32\svchost.exe[3048] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[3048] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[3048] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[3048] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[3100] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3100] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000603FC .text 
C:\Windows\system32\SearchIndexer.exe[3100] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[3100] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[3100] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[3100] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[3100] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[3100] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[3100] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 000803FC .text C:\Program Files\Launch Manager\LManager.exe[3188] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Program Files\Launch Manager\LManager.exe[3188] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Program Files\Launch Manager\LManager.exe[3188] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001703FC .text C:\Program 
Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00170600 .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Program Files\Launch Manager\LManager.exe[3188] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Program Files\Launch Manager\LManager.exe[3188] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00280600 .text C:\Program Files\Launch Manager\LManager.exe[3188] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00280804 .text C:\Program Files\Launch Manager\LManager.exe[3188] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00280A08 .text C:\Program Files\Launch Manager\LManager.exe[3188] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 002801F8 .text C:\Program Files\Launch Manager\LManager.exe[3188] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 002803FC .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00170600 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00170804 .text C:\Program 
Files\Canon\MyPrinter\BJMYPRT.EXE[3264] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00170A08 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001703FC .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00180600 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00181014 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00180804 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00180A08 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00180C0C .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00180E10 .text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[3264] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00180600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] 
ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00181014 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00180804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00180A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00180C0C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00180E10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00190600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00190804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00190A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001901F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3268] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001903FC .text C:\Windows\System32\igfxtray.exe[3572] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Windows\System32\igfxtray.exe[3572] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Windows\System32\igfxtray.exe[3572] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\System32\igfxtray.exe[3572] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00280600 .text C:\Windows\System32\igfxtray.exe[3572] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00280804 .text C:\Windows\System32\igfxtray.exe[3572] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00280A08 .text 
C:\Windows\System32\igfxtray.exe[3572] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 002801F8 .text C:\Windows\System32\igfxtray.exe[3572] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 002803FC .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 002903FC .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00290600 .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00291014 .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00290804 .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00290A08 .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00290C0C .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00290E10 .text C:\Windows\System32\igfxtray.exe[3572] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 002901F8 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000C01F8 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000C03FC .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 000D0600 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 000D0804 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 000D0A08 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 000D01F8 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 000D03FC .text 
C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000E03FC .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 000E0600 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 000E1014 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 000E0804 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 000E0A08 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 000E0C0C .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 000E0E10 .text C:\Program Files\Citrix\ICA Client\concentr.exe[3728] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000E01F8 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000601F8 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000603FC .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000703FC .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00070600 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00071014 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00070804 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00070A08 .text C:\Program Files\Avira\AntiVir 
Desktop\avshadow.exe[3736] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00070C0C .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00070E10 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000701F8 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00180600 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00180804 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00180A08 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3736] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001803FC .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001703FC .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00170600 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Program 
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00180600 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00180804 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00180A08 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3764] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001803FC .text C:\Windows\system32\igfxsrvc.exe[3788] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Windows\system32\igfxsrvc.exe[3788] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Windows\system32\igfxsrvc.exe[3788] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\system32\igfxsrvc.exe[3788] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00170600 .text C:\Windows\system32\igfxsrvc.exe[3788] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00170804 .text C:\Windows\system32\igfxsrvc.exe[3788] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\igfxsrvc.exe[3788] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001701F8 .text 
C:\Windows\system32\igfxsrvc.exe[3788] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001703FC .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00180600 .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00181014 .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00180804 .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00180A08 .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00180C0C .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00180E10 .text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000A01F8 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000A03FC .text C:\Program Files\Windows Defender\MSASCui.exe[3848] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000B03FC .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 000B0600 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 000B1014 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 000B0804 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 000B0A08 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes 
JMP 000B0C0C .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 000B0E10 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000B01F8 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 000C0600 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 000C0804 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 000C0A08 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 000C01F8 .text C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 000C03FC .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001701F8 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001703FC .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00180600 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00180804 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00180A08 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001803FC .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001903FC .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!DeleteService 7660A07E 3 Bytes JMP 00190600 
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!DeleteService + 4 7660A082 1 Byte [89] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00191014 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00190804 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00190A08 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00190C0C .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00190E10 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001901F8 .text C:\Windows\System32\igfxpers.exe[3992] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Windows\System32\igfxpers.exe[3992] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Windows\System32\igfxpers.exe[3992] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[3992] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00170600 .text C:\Windows\System32\igfxpers.exe[3992] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00170804 .text C:\Windows\System32\igfxpers.exe[3992] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00170A08 .text C:\Windows\System32\igfxpers.exe[3992] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001701F8 .text C:\Windows\System32\igfxpers.exe[3992] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001703FC .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00180600 .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00181014 .text 
C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00180804 .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00180A08 .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00180C0C .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00180E10 .text C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001703FC .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00170600 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00171014 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00170804 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00170A08 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00170C0C .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00170E10 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001701F8 .text C:\Program Files\Citrix\ICA 
Client\Receiver\Receiver.exe[4352] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00190600 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00190804 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00190A08 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001901F8 .text C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001903FC .text C:\Users\Astrid\Desktop\gmer_2.1.19163.exe[4472] kernel32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000601F8 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000603FC .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000703FC .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00070600 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00071014 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00070804 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00070A08 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00070C0C .text C:\Program 
Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00070E10 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000701F8 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 001E0600 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 001E0804 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 001E0A08 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001E01F8 .text C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001E03FC .text C:\Windows\system32\SearchProtocolHost.exe[5232] kernel32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000501F8 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000503FC .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000603FC .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00060600 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00061014 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 
Bytes JMP 00060804 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00060A08 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00060C0C .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00060E10 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 000601F8 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 000B0600 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 000B0804 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 000B0A08 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 000B01F8 .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 000B03FC .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 000601F8 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 000603FC .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00170600 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00170804 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00170A08 
.text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001703FC .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00180600 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00181014 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00180804 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00180A08 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00180C0C .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00180E10 .text C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ntdll.dll!LdrUnloadDll 77CDB680 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!SetWindowsHookExW 776F87AD 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!UnhookWindowsHookEx 776F98DB 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] 
USER32.dll!SetWinEventHook 776F9F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!UnhookWinEvent 776FC06F 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!DeleteService 7660A07E 5 Bytes JMP 00180600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!SetServiceObjectSecurity 76646CD9 5 Bytes JMP 00181014 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfigA 76646DD9 5 Bytes JMP 00180804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfigW 76646F81 5 Bytes JMP 00180A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfig2A 76647099 5 Bytes JMP 00180C0C .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfig2W 766471E1 5 Bytes JMP 00180E10 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!CreateServiceA 766472A1 5 Bytes JMP 001801F8
---- Devices - GMER 2.1 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- EOF - GMER 2.1 ----

Thank you very much in advance for your help.
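The GMER output above lists one user-mode hook per `.text` entry: the hooked process with its PID, the `module!function` that was patched, the patched address, the patch length, and either a `JMP` target or the raw bytes that were written. What a helper reads off such a log is whether the same set of APIs is hooked in every process (the pattern of a system-wide injector; the log itself names aswSP.SYS, the avast self-protection module, under Devices, which is the first candidate to compare against) or whether one process stands out with hooks nobody else has. The parser below is an added example, not code from this thread or from GMER; its sample input is eight entries copied from the log above, split one per line, and the grouping functions are what a reviewer would otherwise do by eye.

```python
"""Parse GMER 2.1 user-mode hook entries and summarise which API functions
are hooked in which processes (added example, not from the thread)."""
import re
from collections import defaultdict

# Sample: eight entries copied from the GMER log above, one per line
# (the forum post runs them together on a single line).
SAMPLE_LOG = r"""
.text C:\Windows\system32\igfxsrvc.exe[3788] ntdll.dll!LdrLoadDll 77CC9378 5 Bytes JMP 001601F8
.text C:\Windows\system32\igfxsrvc.exe[3788] KERNEL32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[3788] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!CreateServiceW 76609EB4 5 Bytes JMP 000B03FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWindowsHookExA 776F6322 5 Bytes JMP 000C0600
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!DeleteService 7660A07E 3 Bytes JMP 00190600
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!DeleteService + 4 7660A082 1 Byte [89]
.text C:\Users\Astrid\Desktop\gmer_2.1.19163.exe[4472] kernel32.dll!GetBinaryTypeW + 70 77E72447 1 Byte [62]
---- Devices - GMER 2.1 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
"""

# .text <image>[<pid>] <module>!<function>[ + <hex offset>] <hex addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.-]+)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)


def parse_gmer_hooks(text):
    """Return one dict per .text entry; other GMER lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, Device/Disk lines, blanks
        patch = m.group("patch")
        is_jmp = patch.upper().startswith("JMP ")
        hooks.append({
            "image": m.group("image"),
            "pid": int(m.group("pid")),
            # module names differ in case between entries, so normalise them
            "function": f"{m.group('module').lower()}!{m.group('func')}",
            "offset": int(m.group("offset"), 16) if m.group("offset") else 0,
            "address": int(m.group("addr"), 16),
            "size": int(m.group("size")),
            "kind": "JMP" if is_jmp else "BYTES",
            "target": int(patch.split()[1], 16) if is_jmp else None,
        })
    return hooks


def hooks_by_function(hooks):
    """Map each hooked API to the set of PIDs it was found hooked in."""
    out = defaultdict(set)
    for h in hooks:
        out[h["function"]].add(h["pid"])
    return dict(out)


def hooks_by_process(hooks):
    """Map each PID to the set of APIs hooked inside it."""
    out = defaultdict(set)
    for h in hooks:
        out[h["pid"]].add(h["function"])
    return dict(out)


def widely_hooked(hooks, min_processes=2):
    """APIs hooked in at least min_processes distinct processes: the signature
    of something injected system-wide rather than a one-off patch."""
    return sorted(f for f, pids in hooks_by_function(hooks).items()
                  if len(pids) >= min_processes)


def jmp_regions(hooks):
    """Per PID, the 64 KiB regions the JMP hooks land in. Hooks placed by one
    injector usually share a few regions; a lone outlier deserves a look."""
    out = defaultdict(set)
    for h in hooks:
        if h["kind"] == "JMP":
            out[h["pid"]].add(h["target"] >> 16)
    return dict(out)


if __name__ == "__main__":
    found = parse_gmer_hooks(SAMPLE_LOG)
    print(f"{len(found)} hook entries in {len(hooks_by_process(found))} processes")
    for func, pids in sorted(hooks_by_function(found).items()):
        print(f"  {func:<35} hooked in PIDs {sorted(pids)}")
    print("hooked in 2+ processes:", widely_hooked(found))
```

To use it on the full log, paste the GMER output into a file, split the run-together entries at every `.text` and feed the text to `parse_gmer_hooks`; `widely_hooked` then shows which APIs every process shares, and `hooks_by_process` shows any process whose hook set differs from the rest.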
TB-Ausbilder

Hi, let's continue:

From your logs it is evident that you have caught malware that specifically targets your sensitive data (user names, passwords, online banking credentials, etc.). There is no way of knowing exactly what was logged, but to be on the safe side I would assume that all data and passwords entered on this computer are known. I would therefore advise you, at the end or from a clean computer, to change all credentials that were used on this computer.

Step 1
Please download
Step 2
Scan with ComboFix

Step 3
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths" /s /c

Please post in your next reply:

__________________
cheers, Leo
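The `reg query` in Step 3 lists the path rules of the Software Restriction Policy at security level 0, which is the Disallowed level: every rule stored under that key prevents the matching path from executing, and "this program is blocked by group policy" is the message Windows shows when such a rule fires. On a home PC that no domain administers, nothing legitimate normally creates entries there, so every rule found is worth reading. The parser below is an added example, not code from this thread; it reads saved `reg query ... /s` output and lists the rules with the path each one blocks. The sample output is constructed, with placeholder GUIDs and paths, not taken from the poster's machine.

```python
"""List Software Restriction Policy path rules from saved `reg query /s`
output of the Disallowed (level 0) Paths key (added example, not from the
thread)."""
import re

# Constructed sample of `reg query "...\safer\codeidentifiers\0\Paths" /s`
# output with two rules; GUIDs and the LastModified value are placeholders.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{00000000-0000-0000-0000-000000000001}
    Description    REG_SZ
    SaferFlags    REG_DWORD    0x0
    ItemData    REG_EXPAND_SZ    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    LastModified    REG_QWORD    0x1ce5a0b0c0d0e0f

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{00000000-0000-0000-0000-000000000002}
    SaferFlags    REG_DWORD    0x0
    ItemData    REG_EXPAND_SZ    %ProgramFiles%\Avira\AntiVir Desktop\avcenter.exe
"""

# reg query prints each key path flush left and each value indented:
#     <name>    <REG_TYPE>    <data>
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_RE = re.compile(
    r"^\s+(?P<name>\S+)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Turn reg query output into {key_path: {value_name: (type, data)}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if KEY_RE.match(line):
            current = line
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data") or "")
    return keys


def disallowed_path_rules(text):
    """Rules under level 0 as [(rule_guid, blocked_path, saferflags)].

    The Paths container key itself carries no ItemData value and is skipped;
    ItemData holds the path pattern the rule applies to."""
    rules = []
    for key, values in parse_reg_query(text).items():
        if "ItemData" not in values:
            continue
        guid = key.rsplit("\\", 1)[-1]
        flags = int(values.get("SaferFlags", ("REG_DWORD", "0x0"))[1], 16)
        rules.append((guid, values["ItemData"][1], flags))
    return rules


def rules_for(text, name_fragment):
    """Rules whose blocked path mentions name_fragment, case-insensitively,
    e.g. the folder of the security product that stopped starting."""
    frag = name_fragment.lower()
    return [r for r in disallowed_path_rules(text) if frag in r[1].lower()]


if __name__ == "__main__":
    for guid, path, flags in disallowed_path_rules(SAMPLE_REG_QUERY):
        print(f"{guid}  SaferFlags={flags:#x}  blocks {path}")
```

Save the real output of the Step 3 command to a file and pass its contents to `disallowed_path_rules`; `rules_for(text, "avira")` narrows the list to rules aimed at one product's folder, which is exactly the question this thread is asking.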
Hello Leo, I have now run all the scans. Here are the log files. ComboFix gave the message that Avira is still active and could hinder its execution. That was precisely my problem, since I could no longer access Avira. I confirmed the message.
Code:
# AdwCleaner v2.301 - Datei am 25/05/2013 um 14:03:11 erstellt
# Aktualisiert am 16/05/2013 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : xxx - xxx-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\xxx\Desktop\adwcleaner.exe
# Option [Löschen]

**** [Dienste] ****

***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\SearchTheWeb.xml
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\bProtector_extensions.rdf
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\bprotector_extensions.sqlite
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\extensions\movie2kdownloader@movie2kdownloader.com.xpi
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\searchplugins\delta.xml
Datei Gelöscht : C:\Users\xxx\Desktop\eBay.lnk
Ordner Gelöscht : C:\Program Files\ICQ6Toolbar
Ordner Gelöscht : C:\Program Files\Iminent
Ordner Gelöscht : C:\Program Files\Movie2KDownloader.com
Ordner Gelöscht : C:\Program Files\Optimizer Pro
Ordner Gelöscht : C:\Program Files\Video Downloader
Ordner Gelöscht : C:\ProgramData\Ask
Ordner Gelöscht : C:\ProgramData\Babylon
Ordner Gelöscht : C:\ProgramData\boost_interprocess
Ordner Gelöscht : C:\ProgramData\BrowserProtect
Ordner Gelöscht : C:\ProgramData\ICQ\ICQToolbar
Ordner Gelöscht : C:\ProgramData\Iminent
Ordner Gelöscht : C:\Users\xxx\AppData\Local\SwvUpdater
Ordner Gelöscht : C:\Users\xxx\AppData\Local\Temp\Iminent
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\BabSolution
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Babylon
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\extensions\ffxtlbr@delta.com
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\jetpack
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Optimizer Pro

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Schlüssel Gelöscht : HKCU\Software\YahooPartnerToolbar
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16483

Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://search.icq.com/search/results.php?q={searchTerms}&ch_id=osd --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (de)

Datei : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\prefs.js

C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\user.js ... Gelöscht !

Gelöscht : user_pref("browser.search.order.1", "Ask.com");

*************************

AdwCleaner[S1].txt - [4070 octets] - [25/05/2013 14:03:11]

########## EOF - C:\AdwCleaner[S1].txt - [4130 octets] ##########
Code:
ComboFix 13-05-27.02 - xxx 27.05.2013 20:42:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3001.1392 [GMT 2:00]
ausgeführt von:: c:\users\xxx\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Im Speicher befindliches AV aktiv.
.
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\xxx\4.0
c:\users\xxx\4.0\a\April.JPG
c:\users\xxx\4.0\a\August.JPG
c:\users\xxx\4.0\a\Deckblatt.JPG
c:\users\xxx\4.0\a\Februar.JPG
c:\users\xxx\4.0\a\Foto339.jpg
c:\users\xxx\4.0\a\Januar.JPG
c:\users\xxx\4.0\a\Juli.JPG
c:\users\xxx\4.0\a\Juni.jpg
c:\users\xxx\4.0\a\Mai.JPG
c:\users\xxx\4.0\a\März.JPG
c:\users\xxx\4.0\a\November.JPG
c:\users\xxx\4.0\a\Oktober.JPG
c:\users\xxx\4.0\a\September.JPG
c:\users\xxx\AppData\Roaming\Galyy
c:\users\xxx\AppData\Roaming\Galyy\soihx.rao
c:\users\xxx\AppData\Roaming\Microsoft\Windows\Recent\Citrix over Internet(1).url
c:\users\xxx\AppData\Roaming\Microsoft\Windows\Recent\Citrix over Internet.url
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-04-27 bis 2013-05-27 ))))))))))))))))))))))))))))))
.
.
2013-05-27 18:52 . 2013-05-27 18:52 -------- d-----w- c:\users\xxx\AppData\Local\temp
2013-05-27 18:52 . 2013-05-27 18:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-24 19:09 . 2013-05-24 19:09 -------- d-----w- c:\users\xxx\AppData\Roaming\Malwarebytes
2013-05-24 19:08 . 2013-05-24 19:08 -------- d-----w- c:\programdata\Malwarebytes
2013-05-24 19:08 . 2013-05-24 19:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-24 19:08 .
2013-04-04 12:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-05-24 18:45 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9AF1852B-4F42-4C9F-99B5-FD0B55E9C72C}\mpengine.dll 2013-05-18 12:20 . 2013-05-09 08:59 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2013-05-18 12:20 . 2013-05-09 08:59 368944 ----a-w- c:\windows\system32\drivers\aswSP.sys 2013-05-18 12:20 . 2013-05-09 08:59 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2013-05-18 12:20 . 2013-05-09 08:59 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2013-05-18 12:20 . 2013-05-09 08:59 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2013-05-18 12:20 . 2013-05-09 08:59 174664 ----a-w- c:\windows\system32\drivers\aswVmm.sys 2013-05-18 12:20 . 2013-05-09 08:59 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys 2013-05-18 12:20 . 2013-05-09 08:59 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys 2013-05-18 12:20 . 2013-05-09 08:58 229648 ----a-w- c:\windows\system32\aswBoot.exe 2013-05-18 12:18 . 2013-05-09 08:58 41664 ----a-w- c:\windows\avastSS.scr 2013-05-18 12:17 . 2013-05-18 12:17 -------- d-----w- c:\program files\AVAST Software 2013-05-18 12:16 . 2013-05-18 12:17 -------- d-----w- c:\programdata\AVAST Software 2013-05-15 19:15 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2013-05-15 14:37 . 2013-04-15 14:20 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys 2013-05-15 14:37 . 2013-04-13 10:56 37376 ----a-w- c:\windows\system32\cdd.dll 2013-05-15 14:37 . 2013-04-09 01:36 2049024 ----a-w- c:\windows\system32\win32k.sys 2013-05-08 01:12 . 2013-05-08 01:12 106088 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll 2013-05-01 11:35 . 2013-05-18 13:40 -------- d-----w- c:\users\xxx\AppData\Roaming\Cuelle 2013-05-01 11:35 . 2013-05-18 12:58 -------- d-----w- c:\users\xxx\AppData\Roaming\Ogvuuq . . . 
(((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-05-15 14:49 . 2012-05-23 17:05 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-05-15 14:49 . 2011-05-20 19:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-05-02 00:06 . 2009-10-06 15:46 238872 ------w- c:\windows\system32\MpSigStub.exe 2013-04-07 10:04 . 2013-04-07 10:04 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll 2013-04-07 10:04 . 2012-07-12 10:26 861088 ----a-w- c:\windows\system32\npDeployJava1.dll 2013-04-07 10:04 . 2010-05-24 16:23 782240 ----a-w- c:\windows\system32\deployJava1.dll 2013-04-01 11:23 . 2012-10-15 15:06 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2013-04-01 11:23 . 2012-10-15 15:06 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys 2013-04-01 11:23 . 2012-10-15 15:06 135136 ----a-w- c:\windows\system32\drivers\avipbb.sys 2013-03-11 13:25 . 2013-04-10 16:22 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-03-11 13:25 . 2013-04-10 16:22 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-03-09 03:45 . 2013-04-10 16:22 49152 ----a-w- c:\windows\system32\csrsrv.dll 2013-03-09 01:28 . 2013-04-10 16:22 64000 ----a-w- c:\windows\system32\smss.exe 2013-03-08 03:53 . 2013-04-10 16:22 376320 ----a-w- c:\windows\system32\winsrv.dll 2013-03-08 03:52 . 2013-04-10 16:22 2067968 ----a-w- c:\windows\system32\mstscax.dll 2013-03-03 19:07 . 2013-04-10 16:22 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2012-11-13 23:32 129272 ----a-w- c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2012-11-13 23:32 129272 ----a-w- c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2012-11-13 23:32 129272 ----a-w- c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 68856] "KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-12-20 1476104] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 768520] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608] "RtHDVCpl"="RtHDVCpl.exe" [2008-06-27 6244896] "Skytel"="Skytel.exe" [2008-06-27 1826816] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104] "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032] "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576] "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2012-05-23 371896] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312] "KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-12-20 310280] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968] . c:\users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336] OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc] @="Service" . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . Inhalt des "geplante Tasks" Ordners . 2013-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 14:49] . 2013-05-25 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-13 17:39] . 2013-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-13 17:55] . 2013-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-13 17:55] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://go.web.de/tb/ie_startpage mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720 uInternet Settings,ProxyOverride = *.local IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = Handler: webde - {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - c:\program files\WEB.DE Toolbar\IE\uitb.dll DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab FF - ProfilePath - c:\users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/ FF - prefs.js: network.proxy.type - 0 FF - ExtSQL: 2013-05-18 14:19; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF FF - ExtSQL: !HIDDEN! 2009-09-02 20:23; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . - - - - Entfernte verwaiste Registrierungseinträge - - - - . 
HKCU-Run-KiesAirMessage - c:\program files\Samsung\Kies\KiesAirMessage.exe HKCU-Run-Uxxyduubm - c:\users\xxx\AppData\Roaming\Cuelle\cihoy.exe HKLM-Run-eRecoveryService - (no file) SafeBoot-WudfPf SafeBoot-WudfRd AddRemove-PokerStars.net - c:\program files\PokerStars.NET\PokerStarsUninstall.exe AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2013-05-27 20:52 Windows 6.0.6002 Service Pack 2 NTFS . Scanne versteckte Prozesse... . Scanne versteckte Autostarteinträge... . Scanne versteckte Dateien... . Scan erfolgreich abgeschlossen versteckte Dateien: 0 . ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Zeit der Fertigstellung: 2013-05-27 20:55:47 ComboFix-quarantined-files.txt 2013-05-27 18:55 . Vor Suchlauf: 9 Verzeichnis(se), 185.033.314.304 Bytes frei Nach Suchlauf: 15 Verzeichnis(se), 186.709.688.320 Bytes frei . - - End Of File - - 4330BF6A2BF07E73F3FA781666708CE3 Code:
OTL logfile created on: 27.05.2013 21:06:56 - Run 2
OTL by OldTimer - Version Folder = C:\Users\xxx\Desktop\Malwarebereinigung
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,93 Gb Total Physical Memory | 1,74 Gb Available Physical Memory | 59,45% Memory free
6,06 Gb Paging File | 4,83 Gb Available in Paging File | 79,73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 173,83 Gb Free Space | 60,34% Space Free | Partition Type: NTFS

Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\Malwarebereinigung\OTL.exe
PRC - [2013.05.20 20:03:33 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2013.05.09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2013.04.01 13:23:17 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2013.04.01 13:23:01 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013.04.01 13:22:58 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012.12.20 19:44:28 | 000,310,280 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Programme\Samsung\Kies\KiesTrayAgent.exe
PRC - [2012.12.20 19:44:26 | 001,476,104 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\Kies.exe
PRC - [2012.05.23 08:57:30 | 000,871,608 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\wfcrun32.exe
PRC - [2012.05.23 08:54:42 | 000,371,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\concentr.exe
PRC - [2012.04.05 11:11:18 | 001,144,704 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\Receiver\Receiver.exe
PRC - [2012.04.03 11:00:24 | 000,051,128 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\SelfServicePlugin\SelfServicePlugin.exe
PRC - [2009.11.02 03:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Programme\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.07.25 06:18:26 | 000,768,520 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.exe
PRC - [2008.06.27 12:33:18 | 006,244,896 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2007.08.24 05:45:42 | 000,101,784 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe

========== Modules (No Company Name) ==========

MOD - [2013.05.20 20:03:31 | 003,128,728 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll
MOD - [2012.12.20 19:41:18 | 012,976,640 | ---- | M] () -- C:\Programme\Samsung\Kies\Theme\Kies.Theme.dll
MOD - [2012.12.20 13:31:44 | 000,572,416 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.UI.dll
MOD - [2012.12.18 11:35:44 | 000,034,816 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.Common.DeviceServiceLib.Interface.dll
MOD - [2012.12.18 11:35:06 | 000,023,040 | ---- | M] () -- C:\Programme\Samsung\Kies\MVVM\Kies.MVVM.dll
MOD - [2012.12.18 11:07:10 | 000,057,856 | ---- | M] () -- C:\Programme\Samsung\Kies\External\MediaModules\ASF_cSharpAPI.dll
MOD - [2012.12.12 07:34:13 | 005,025,792 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\\System.Windows.Forms.dll
MOD - [2012.10.05 12:59:03 | 003,194,880 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System\\System.dll
MOD - [2012.10.05 12:59:03 | 000,630,784 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Drawing\\System.Drawing.dll
MOD - [2012.08.31 13:01:10 | 004,550,656 | ---- | M] () -- C:\Windows\assembly\GAC_32\mscorlib\\mscorlib.dll
MOD - [2012.02.13 13:02:15 | 001,249,280 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\WindowsBase\\WindowsBase.dll
MOD - [2012.02.13 13:02:09 | 005,283,840 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework\\PresentationFramework.dll
MOD - [2012.02.13 13:02:04 | 004,214,784 | ---- | M] () -- C:\Windows\assembly\GAC_32\PresentationCore\\PresentationCore.dll
MOD - [2009.06.13 14:34:17 | 000,667,648 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Core\\System.Core.dll
MOD - [2009.03.30 06:42:20 | 002,048,000 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\\System.Xml.dll
MOD - [2009.03.30 06:42:19 | 000,303,104 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\\System.Runtime.Remoting.dll
MOD - [2009.03.30 06:42:19 | 000,114,688 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\\System.ServiceProcess.dll
MOD - [2009.03.30 06:42:17 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\\System.Configuration.dll
MOD - [2009.03.30 06:42:12 | 000,040,960 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\\System.ServiceProcess.resources.dll
MOD - [2009.03.30 06:42:10 | 000,010,752 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Accessibility\\Accessibility.dll
MOD - [2003.06.07 07:30:08 | 000,057,344 | ---- | M] () -- C:\Programme\Launch Manager\PowerUtl.dll

========== Services (SafeList) ==========

SRV - [2013.05.20 20:03:32 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.15 16:49:47 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013.04.01 13:23:17 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.04.01 13:22:58 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.08.24 04:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\xxx\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2013.04.01 13:23:19 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2013.04.01 13:23:19 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2013.04.01 13:23:19 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2012.09.20 06:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.09.20 06:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2012.05.17 08:14:58 | 000,067,960 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008.06.11 12:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.06.10 12:54:36 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.03.17 11:05:30 | 000,101,632 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007.04.17 21:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006.11.02 15:27:34 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Programme\Launch Manager\DPortIO.sys -- (DritekPortIO)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.web.de/tb/ie_startpage
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes,DefaultScope = {CEE438B0-8D23-43BD-AAAF-0823A494B43B}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0C9BE677-668C-44B7-9BF4-60D03EB5C683}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{84EE01E4-BB12-412E-8548-DBB48CE4C558}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=7216D071-F749-4970-9500-BC9DA7BE6D9A&apn_sauid=37FBC488-8C66-4DF7-9809-1DABE7B9D46E
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{89FAD86A-4F5A-4459-89BD-2384D21B171E}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{BFCB5309-6270-4E5C-9372-E669C681DD8C}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{CEE438B0-8D23-43BD-AAAF-0823A494B43B}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW_de
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{EA6DBBB1-372A-4F57-A46D-B6E2F642C4C7}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.05.18 14:19:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012.10.19 20:10:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Extensions
[2013.05.25 14:03:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions
[2013.05.16 18:10:01 | 000,000,000 | ---D | M] (WOT) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013.03.26 20:22:35 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\donottrackplus@abine.com
[2012.11.10 23:31:11 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2012.10.19 20:16:29 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013.03.07 02:06:18 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js
[2011.10.13 17:19:44 | 000,000,855 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\1und1-suche.xml
[2011.10.10 15:27:30 | 000,001,281 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\amazondotcom-de.xml
[2011.10.10 14:59:22 | 000,002,364 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\eBay-de.xml
[2011.10.13 17:01:56 | 000,010,507 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\gmx-suche.xml
[2011.10.10 15:12:38 | 000,002,385 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\lastminute.xml
[2011.10.13 17:34:10 | 000,002,248 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\mailcom-search.xml
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe (Samsung)
O4 - Startup: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Astrid\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/canvasx.cab (CanvasX Class)
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab (JordanUploader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.17.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4DE48291-937F-4F23-A3D0-13D377260A3F}: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6094CB2C-98BC-4A93-A44B-D3DB86A05EE3}: DhcpNameServer =
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2013.05.27 20:55:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\temp
[2013.05.27 20:39:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013.05.27 20:39:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013.05.27 20:39:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013.05.27 20:39:47 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013.05.27 20:38:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013.05.27 20:37:49 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013.05.25 11:20:54 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Malwarebereinigung
[2013.05.24 21:09:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Malwarebytes
[2013.05.24 21:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.05.24 21:08:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.05.24 21:08:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013.05.24 21:08:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013.05.20 20:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.05.18 14:20:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013.05.18 14:20:42 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.18 14:20:41 | 000,368,944 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.18 14:20:37 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.18 14:20:37 | 000,049,760 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.18 14:20:36 | 000,765,736 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.18 14:20:29 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.18 14:20:28 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2013.05.18 14:18:40 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.18 14:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013.05.18 14:16:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013.05.17 18:42:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hochzeit xxx und Mario 11.05.13
[2013.05.17 18:35:42 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hamburg 28.02.-01.03.13
[2013.05.01 15:05:43 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Bridge
[2013.05.01 15:00:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Spiegel
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Cuelle
========== Files - Modified Within 30 Days ==========
[2013.05.27 21:02:35 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2013.05.27 21:02:23 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.05.27 21:02:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.05.27 21:02:05 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.05.27 21:01:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.05.27 21:01:51 | 3147,841,536 | -HS- | M] () -- C:\hiberfil.sys
[2013.05.27 20:55:14 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.05.27 20:49:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.05.27 19:31:36 | 000,002,180 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2013.05.27 18:17:32 | 000,020,992 | ---- | M] () -- C:\Users\xxx\Documents\Prinzessinnengeld1.xlr
[2013.05.25 12:19:00 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2013.05.24 23:01:54 | 325,024,979 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013.05.24 21:36:00 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable
[2013.05.22 21:07:17 | 000,025,600 | ---- | M] () -- C:\Users\xxx\Documents\Geld 2012 Bär.xlr
[2013.05.18 14:20:44 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013.05.18 12:25:27 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013.05.17 18:31:08 | 000,623,280 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.05.17 18:31:08 | 000,591,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.05.17 18:31:08 | 000,125,378 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.05.17 18:31:08 | 000,103,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.05.16 16:25:35 | 000,340,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.13 21:07:19 | 000,030,727 | ---- | M] () -- C:\Users\xxx\Documents\Waage.ods
[2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.09 10:59:10 | 000,174,664 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.09 10:59:10 | 000,049,376 | ---- | M] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.09 10:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.09 10:58:28 | 000,229,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
========== Files Created - No Company Name ==========
[2013.05.27 20:39:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013.05.27 20:39:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013.05.27 20:39:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013.05.27 20:39:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013.05.27 20:39:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013.05.24 21:36:00 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable
[2013.05.18 14:20:44 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:35 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.18 14:20:34 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.02.16 22:35:03 | 000,016,311 | ---- | C] () -- C:\Users\xxx\.TransferManager.db
[2013.01.27 12:24:29 | 000,000,246 | ---- | C] () -- C:\Windows\wininit.ini
[2012.12.18 11:06:10 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2012.12.18 11:06:06 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2012.12.18 11:06:06 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2012.12.18 11:06:06 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2012.12.18 11:06:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2012.09.18 17:31:20 | 000,000,857 | ---- | C] () -- C:\Users\xxx\.recently-used.xbel
[2011.03.13 20:55:05 | 000,000,680 | ---- | C] () -- C:\Users\xxx\AppData\Local\d3d9caps.dat
[2010.02.09 19:13:58 | 000,005,184 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009.07.15 17:35:28 | 000,002,180 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2009.06.15 19:09:41 | 000,026,624 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
========== ZeroAccess Check ==========
[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2011.12.19 17:35:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\1&1 Mail & Media GmbH
[2013.03.29 16:29:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\AnvSoft
[2013.05.18 15:40:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Cuelle
[2013.05.27 21:04:55 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Dropbox
[2011.12.17 10:21:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\fotobuch.de AG
[2012.09.18 17:31:20 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\gtk-2.0
[2012.09.07 17:50:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICAClient
[2012.05.28 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICQ
[2009.06.13 22:45:08 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\InterVideo
[2012.09.26 17:06:06 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Langenscheidt
[2013.05.18 14:58:03 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
[2009.08.27 19:05:39 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\OpenOffice.org
[2013.02.16 20:29:31 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Samsung
[2010.09.30 19:21:04 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Template
[2009.06.13 14:03:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vodafone
========== Purity Check ==========
========== Custom Scans ==========
< reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths" /s /c >
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{02335D42-EEBF-465A-832D-D0E893B5502E}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{045ACDBB-9378-4937-9BD1-E934D79571E1}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{0CE8F104-3858-4825-8E18-42F97D6F29A4}
    ItemData    REG_SZ    C:\Program Files\Avira
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{22A369DF-3092-4523-A515-5F61AB4AB28F}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Avira
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{B7D697E3-B419-4E64-995A-6743359F2B8A}
    ItemData    REG_SZ    C:\Program Files\Common Files\Symantec Shared
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{ECF69C10-DC81-4CA5-8BB2-E8523F7C9561}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
========== Alternate Data Streams ==========
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:CF5C4195
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:8AB6C1D7
< End of report >
Last edited by uuuuuvex (27.05.2013 at 20:43) |
#7
/// TB-Ausbilder | Before we continue: Quote:
#8
| No, I don't need it any more. |
#9
/// TB-Ausbilder | OK, then let's continue. Can you access Avira normally again after the following step? If so, uninstall one of the two antivirus programs (avast or Avira, whichever you like) so that only one is still running. Step 1: Fix with OTL
ATTFilter
:OTL
[2013.05.18 15:40:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Cuelle
[2013.05.18 14:58:03 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:CF5C4195
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:8AB6C1D7
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{84EE01E4-BB12-412E-8548-DBB48CE4C558}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=7216D071-F749-4970-9500-BC9DA7BE6D9A&apn_sauid=37FBC488-8C66-4DF7-9809-1DABE7B9D46E
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{02335D42-EEBF-465A-832D-D0E893B5502E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{045ACDBB-9378-4937-9BD1-E934D79571E1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{0CE8F104-3858-4825-8E18-42F97D6F29A4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{22A369DF-3092-4523-A515-5F61AB4AB28F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{B7D697E3-B419-4E64-995A-6743359F2B8A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{ECF69C10-DC81-4CA5-8BB2-E8523F7C9561}]
:commands
[emptytemp]
Please post in your next reply:
__________________ cheers, Leo |
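The registry keys the `:reg` section of this fix deletes are Software Restriction Policy (SRP) path rules: the `CodeIdentifiers\0` subkey is the Disallowed security level, so each rule under `0\Paths` makes Windows refuse to run anything from the listed folder, which is how the Avira and Symantec folders from the reg query came to be "blocked by group policy". The PowerShell audit below is an added example, not code from the thread or from OTL: it lists SRP path rules read-only and flags Disallowed rules that cover the antivirus folders seen in the reg query (the avast folder, the per-user HKCU policy check and the level-name table are my additions).

```powershell
# Added example (not from the thread, OTL or any vendor): read-only audit of
# Software Restriction Policy (SRP) path rules. Requires PowerShell 3.0 or later.
# Rules live under <hive>\...\Safer\CodeIdentifiers\<level>\Paths\{GUID}; the
# <level> subkey name is the SAFER security level and 0 means "Disallowed".

$SrpRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # machine policy
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # per-user policy
)

# Documented SAFER level IDs, keyed by the decimal value used as the subkey name.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 65536 = 'Constrained'
                 131072 = 'Normal User'; 262144 = 'Unrestricted' }

# Folders whose blocking would disable protection. The Avira and Symantec paths are
# the ones from the thread's reg query; the avast folder is an added assumption.
$WatchedFolders = @(
    'C:\Program Files\Avira',
    'C:\Documents and Settings\All Users\Application Data\Avira',
    'C:\Documents and Settings\All Users\Application Data\Symantec',
    'C:\Program Files\Common Files\Symantec Shared',
    'C:\Program Files\AVAST Software'
)

function Get-SrpPathRule {
    # Emits one object per path rule: hive, level name, rule GUID, target path, flags.
    param([string[]]$Roots = $SrpRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($levelKey in Get-ChildItem -LiteralPath $root) {
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # not a level subkey
            $level    = [int]$levelKey.PSChildName
            $pathsKey = $levelKey.PSPath + '\Paths'
            if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
            $levelName = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "Level $level" }

            foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
                $v = Get-ItemProperty -LiteralPath $rule.PSPath
                [pscustomobject]@{
                    Hive       = $root.Split(':')[0]
                    Level      = $levelName
                    RuleId     = $rule.PSChildName
                    # ItemData may be REG_EXPAND_SZ, so expand %variables% before comparing.
                    Path       = [Environment]::ExpandEnvironmentVariables([string]$v.ItemData)
                    SaferFlags = $v.SaferFlags
                }
            }
        }
    }
}

function Test-FolderCovered {
    # True when $Folder is the rule's path itself or lies beneath it: an SRP path
    # rule applies to the named folder and everything under it. Rules that use
    # wildcards are listed by Get-SrpPathRule but are not matched here.
    param([string]$Folder, [string]$RulePath)
    $f = $Folder.TrimEnd('\')
    $r = $RulePath.TrimEnd('\')
    if ($r.Length -eq 0) { return $false }
    return (($f -ieq $r) -or $f.StartsWith($r + '\', [System.StringComparison]::OrdinalIgnoreCase))
}

function Find-BlockedSecurityFolder {
    # Pairs every Disallowed rule with each watched folder it covers.
    param([object[]]$Rules, [string[]]$Folders = $WatchedFolders)
    foreach ($rule in ($Rules | Where-Object { $_.Level -eq 'Disallowed' })) {
        foreach ($folder in $Folders) {
            if (Test-FolderCovered -Folder $folder -RulePath $rule.Path) {
                [pscustomobject]@{ Hive = $rule.Hive; RuleId = $rule.RuleId
                                   BlockedPath = $rule.Path; Affects = $folder }
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
"{0} SRP path rule(s) found." -f $rules.Count
$rules | Format-Table Hive, Level, RuleId, Path, SaferFlags -AutoSize

$hits = @(Find-BlockedSecurityFolder -Rules $rules)
if ($hits.Count -gt 0) {
    Write-Warning 'Disallowed SRP rules cover security-software folders:'
    $hits | Format-Table -AutoSize
} else {
    'No Disallowed SRP path rule covers a watched folder.'
}
```

On the machine in this thread the audit would report the six `0\Paths` rules from the reg query, four of them covering the Avira and Symantec folders; a clean machine with no SRP configured prints zero rules.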
| I ran the fix with OTL. Unfortunately the PC froze right afterwards. I had to switch it off and restart it. The following files were on the desktop: Code:
ATTFilter
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[LocalizedFileNames]
Microsoft Office - 60 Day Trial.lnk=@C:\PROGRA~1\MICROS~4\mui\oaa.dll,-103
Code:
ATTFilter
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Launch Internet Explorer Browser.lnk=@%windir%\System32\ie4uinit.exe,-733
|
#11
/// TB-Ausbilder | Hello, Quote:
Step 1
Step 2: ESET Online Scanner
Step 3: Please download
Step 4: Please start OTL.exe.
Please post in your next reply:
__________________ cheers, Leo |
/// TB-Ausbilder | Hi, I haven't heard back from you for a while. Do you still need help? If I don't hear from you within the next 24 hours, I'll assume the matter has been resolved and remove it from my subscriptions. Note: we are not finished yet! Even if the symptoms have disappeared, your system may still be infected and have security holes that make a new infection possible.
__________________ cheers, Leo |
#13
| Hello Leo, please excuse me. I wasn't at home the last few days and couldn't run the online scan (it takes forever, after all). I still need your help and of course would like to continue. |
#14
/// TB-Ausbilder | OK, understood. I'll keep the thread in my subscriptions and wait for the next logs.
__________________ cheers, Leo |
| Code:
ATTFilter
Malwarebytes Anti-Malware
www.malwarebytes.org
Datenbank Version: v2013.05.28.06
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: xxx-PC [Administrator]
28.05.2013 21:29:13
mbam-log-2013-05-28 (21-29-13).txt
Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 206844
Laufzeit: 6 Minute(n), 53 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)
(Ende)
Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=96d19a1c0329a6469b80d73d47b6c2ad
# engine=13995
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-04 06:55:09
# local_time=2013-06-04 08:55:09 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=774 16777213 85 91 1492491 147081981 0 0
# compatibility_mode=5892 16776573 100 100 11209 207904837 0 0
# scanned=236332
# found=4
# cleaned=0
# scan_time=10207
sh=5E3D4BA042327C2390BA9834692572F293E59875 ft=0 fh=0000000000000000 vn="Java/Exploit.Agent.OFT trojan" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\3a5faf18-3485981d"
sh=D943B67D89B95158C5B182B635DA2E2D836DC5AC ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\4054a20-6dfba174"
sh=353AB81FB995049C01067F119A6906D14ADF3495 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\62c122ee-258ff79b"
sh=36EE4188ADB89388D7ED9913E13056BD461F27DD ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\760ee271-2aca0f4a"
Code:
ATTFilter
Results of screen317's Security Check version 0.99.64
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware Version
JavaFX 2.1.1
Java(TM) 6 Update 29
Java 7 Update 17
Java version out of Date!
Adobe Flash Player 11.7.700.202
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (21.0)
````````Process Check: objlist.exe by Laurent````````
xxx Desktop Malwarebereinigung SecurityCheck.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
Code:
ATTFilter
OTL logfile created on: 04.06.2013 21:31:22 - Run 3
OTL by OldTimer - Version Folder = C:\Users\xxx\Desktop\Malwarebereinigung
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,93 Gb Total Physical Memory | 1,27 Gb Available Physical Memory | 43,43% Memory free
6,07 Gb Paging File | 4,67 Gb Available in Paging File | 76,97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 176,08 Gb Free Space | 61,12% Space Free | Partition Type: NTFS
Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\Malwarebereinigung\OTL.exe
PRC - [2013.05.20 20:03:33 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2013.05.09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012.12.20 19:44:28 | 000,310,280 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Programme\Samsung\Kies\KiesTrayAgent.exe
PRC - [2012.12.20 19:44:26 | 001,476,104 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\Kies.exe
PRC - [2012.05.23 08:57:30 | 000,871,608 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\wfcrun32.exe
PRC - [2012.05.23 08:54:42 | 000,371,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\concentr.exe
PRC - [2012.04.05 11:11:18 | 001,144,704 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\Receiver\Receiver.exe
PRC - [2012.04.03 11:00:24 | 000,051,128 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\SelfServicePlugin\SelfServicePlugin.exe
PRC - [2009.11.02 03:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Programme\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.07.25 06:18:26 | 000,768,520 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.exe
PRC - [2008.06.27 12:33:18 | 006,244,896 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2007.08.24 05:45:42 | 000,101,784 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe
========== Modules (No Company Name) ==========
MOD - [2013.05.20 20:03:31 | 003,128,728 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll
MOD - [2012.12.20 19:41:18 | 012,976,640 | ---- | M] () -- C:\Programme\Samsung\Kies\Theme\Kies.Theme.dll
MOD - [2012.12.20 13:31:44 | 000,572,416 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.UI.dll
MOD - [2012.12.18 11:35:44 | 000,034,816 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.Common.DeviceServiceLib.Interface.dll
MOD - [2012.12.18 11:35:06 | 000,023,040 | ---- | M] () -- C:\Programme\Samsung\Kies\MVVM\Kies.MVVM.dll
MOD - [2012.12.18 11:07:10 | 000,057,856 | ---- | M] () -- C:\Programme\Samsung\Kies\External\MediaModules\ASF_cSharpAPI.dll
MOD - [2012.12.12 07:34:13 | 005,025,792 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\\System.Windows.Forms.dll
MOD - [2012.10.05 12:59:03 | 003,194,880 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System\\System.dll
MOD - [2012.10.05 12:59:03 | 000,630,784 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Drawing\\System.Drawing.dll
MOD - [2012.08.31 13:01:10 | 004,550,656 | ---- | M] () -- C:\Windows\assembly\GAC_32\mscorlib\\mscorlib.dll
MOD - [2012.02.13 13:02:15 | 001,249,280 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\WindowsBase\\WindowsBase.dll
MOD - [2012.02.13 13:02:09 | 005,283,840 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework\\PresentationFramework.dll
MOD - [2012.02.13 13:02:04 | 004,214,784 | ---- | M] () -- C:\Windows\assembly\GAC_32\PresentationCore\\PresentationCore.dll
MOD - [2009.06.13 14:34:17 | 000,667,648 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Core\\System.Core.dll
MOD - [2009.03.30 06:42:20 | 002,048,000 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\\System.Xml.dll
MOD - [2009.03.30 06:42:19 | 000,303,104 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\\System.Runtime.Remoting.dll
MOD - [2009.03.30 06:42:19 | 000,114,688 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\\System.ServiceProcess.dll
MOD - [2009.03.30 06:42:17 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\\System.Configuration.dll
MOD - [2009.03.30 06:42:12 | 000,040,960 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\\System.ServiceProcess.resources.dll
MOD - [2009.03.30 06:42:10 | 000,010,752 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Accessibility\\Accessibility.dll
MOD - [2003.06.07 07:30:08 | 000,057,344 | ---- | M] () -- C:\Programme\Launch Manager\PowerUtl.dll
========== Services (SafeList) ==========
SRV - [2013.05.20 20:03:32 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.15 16:49:47 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.08.24 04:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\xxx\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012.09.20 06:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.09.20 06:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.05.17 08:14:58 | 000,067,960 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008.06.11 12:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.06.10 12:54:36 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.03.17 11:05:30 | 000,101,632 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007.04.17 21:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006.11.02 15:27:34 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Programme\Launch Manager\DPortIO.sys -- (DritekPortIO)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEF AULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.web.de/tb/ie_startpage
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes,DefaultScope = {CEE438B0-8D23-43BD-AAAF-0823A494B43B}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0C9BE677-668C-44B7-9BF4-60D03EB5C683}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{89FAD86A-4F5A-4459-89BD-2384D21B171E}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{BFCB5309-6270-4E5C-9372-E669C681DD8C}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{CEE438B0-8D23-43BD-AAAF-0823A494B43B}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW_de
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{EA6DBBB1-372A-4F57-A46D-B6E2F642C4C7}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.05.18 14:19:04 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.10.19 20:10:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Extensions [2013.05.25 14:03:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions [2013.05.16 18:10:01 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Astrid\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2013.03.26 20:22:35 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\donottrackplus@abine.com [2012.11.10 23:31:11 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\add-to-searchbox@maltekraus.de.xpi [2012.10.19 20:16:29 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2013.03.07 02:06:18 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js [2011.10.13 17:19:44 | 000,000,855 | ---- | M] () -- 
C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\1und1-suche.xml [2011.10.10 15:27:30 | 000,001,281 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\amazondotcom-de.xml [2011.10.10 14:59:22 | 000,002,364 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\eBay-de.xml [2011.10.13 17:01:56 | 000,010,507 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\gmx-suche.xml [2011.10.10 15:12:38 | 000,002,385 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\lastminute.xml [2011.10.13 17:34:10 | 000,002,248 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\mailcom-search.xml [2013.05.20 20:03:34 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions [2013.05.20 20:03:34 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: localhost O1 - Hosts: ::1 localhost O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (avast! 
Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software) O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.) O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.) O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.) O4 - HKLM..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.) 
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe (Samsung) O4 - Startup: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Astrid\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O4 - Startup: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars) O9 - Extra Button: ICQ7.2 - 
{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe File not found O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Domains: localhost ([]http in Local intranet) O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Ranges: GD ([http] in Local intranet) O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/canvasx.cab (CanvasX Class) O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab (JordanUploader Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.) 
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.17.2) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4DE48291-937F-4F23-A3D0-13D377260A3F}: DhcpNameServer = O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6094CB2C-98BC-4A93-A44B-D3DB86A05EE3}: DhcpNameServer = O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) 
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) 
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Users\xxx\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O24 - Desktop BackupWallPaper: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.05.28 19:58:18 | 000,000,000 | ---D | C] -- C:\_OTL [2013.05.27 20:55:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Windows\temp [2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\temp [2013.05.27 20:39:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013.05.27 20:39:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013.05.27 20:39:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013.05.27 20:39:47 | 000,000,000 | ---D | C] -- C:\ComboFix [2013.05.27 20:38:40 | 000,000,000 | ---D | C] -- C:\Qoobox 
[2013.05.27 20:37:49 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.05.25 11:20:54 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Malwarebereinigung [2013.05.24 21:09:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Malwarebytes [2013.05.24 21:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2013.05.24 21:08:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013.05.24 21:08:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2013.05.24 21:08:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2013.05.20 20:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.05.18 14:20:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus [2013.05.18 14:20:42 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys [2013.05.18 14:20:41 | 000,368,944 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys [2013.05.18 14:20:37 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys [2013.05.18 14:20:37 | 000,049,760 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys [2013.05.18 14:20:36 | 000,765,736 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys [2013.05.18 14:20:29 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys [2013.05.18 14:20:28 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe [2013.05.18 14:18:40 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr [2013.05.18 14:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software [2013.05.18 14:16:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software [2013.05.17 18:42:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hochzeit xxx und xxx 11.05.13 [2013.05.17 18:35:42 | 000,000,000 
| ---D | C] -- C:\Users\xxx\Desktop\Hamburg 28.02.-01.03.13 ========== Files - Modified Within 30 Days ========== [2013.06.04 21:19:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.06.04 21:19:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.06.04 20:55:01 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.06.04 20:49:06 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.06.04 19:11:25 | 000,020,992 | ---- | M] () -- C:\Users\xxx\Documents\xxxgeld1.xlr [2013.06.04 19:11:25 | 000,002,180 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat [2013.06.04 17:55:00 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.06.04 17:19:28 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml [2013.06.04 17:18:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.06.04 17:18:51 | 3147,841,536 | -HS- | M] () -- C:\hiberfil.sys [2013.06.02 19:24:44 | 000,025,600 | ---- | M] () -- C:\Users\xxx\Documents\Geld 2012 Bär.xlr [2013.05.28 21:42:45 | 000,623,280 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.05.28 21:42:45 | 000,591,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.05.28 21:42:45 | 000,125,378 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.05.28 21:42:45 | 000,103,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.05.25 12:19:00 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2013.05.24 23:01:54 | 325,024,979 | ---- | M] () -- C:\Windows\MEMORY.DMP [2013.05.24 21:36:00 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable [2013.05.18 14:20:44 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! 
Free Antivirus.lnk [2013.05.18 14:20:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2013.05.18 12:25:27 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk [2013.05.16 16:25:35 | 000,340,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2013.05.13 21:07:19 | 000,030,727 | ---- | M] () -- C:\Users\xxx\Documents\Waage.ods [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () -- C:\Windows\System32\drivers\aswRvrt.sys [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys [2013.05.09 10:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr [2013.05.09 10:58:28 | 000,229,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe ========== Files Created - No Company Name ========== [2013.05.29 21:45:54 | 3147,841,536 | -HS- | C] () -- C:\hiberfil.sys [2013.05.27 20:39:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013.05.27 20:39:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013.05.27 20:39:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013.05.27 20:39:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013.05.27 20:39:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013.05.24 21:36:00 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable [2013.05.18 14:20:44 | 000,001,831 | ---- | C] 
() -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk [2013.05.18 14:20:35 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys [2013.05.18 14:20:34 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys [2013.02.16 22:35:03 | 000,016,311 | ---- | C] () -- C:\Users\Astrid\.TransferManager.db [2013.01.27 12:24:29 | 000,000,246 | ---- | C] () -- C:\Windows\wininit.ini [2012.12.18 11:06:10 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe [2012.12.18 11:06:06 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll [2012.12.18 11:06:06 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll [2012.12.18 11:06:06 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll [2012.12.18 11:06:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll [2012.09.18 17:31:20 | 000,000,857 | ---- | C] () -- C:\Users\xxx\.recently-used.xbel [2011.03.13 20:55:05 | 000,000,680 | ---- | C] () -- C:\Users\xxx\AppData\Local\d3d9caps.dat [2010.02.09 19:13:58 | 000,005,184 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini [2009.07.15 17:35:28 | 000,002,180 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat [2009.06.15 19:09:41 | 000,026,624 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== ZeroAccess Check ========== [2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = 
%systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== LOP Check ========== [2011.12.19 17:35:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\1&1 Mail & Media GmbH [2013.03.29 16:29:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\AnvSoft [2013.06.04 17:20:46 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Dropbox [2011.12.17 10:21:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\fotobuch.de AG [2012.09.18 17:31:20 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\gtk-2.0 [2012.09.07 17:50:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICAClient [2012.05.28 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICQ [2009.06.13 22:45:08 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\InterVideo [2012.09.26 17:06:06 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Langenscheidt [2009.08.27 19:05:39 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\OpenOffice.org [2013.02.16 20:29:31 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Samsung [2010.09.30 19:21:04 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Template [2009.06.13 14:03:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vodafone ========== Purity Check ========== < End of report > Geändert von uuuuuvex (04.06.2013 um 20:51 Uhr) |
