
Log Analysis and Evaluation: TR/Agent.VB.1624 // TR/Crypt.FSPM.Gen // TR/Rontokbro.45417

Windows 7

29.07.2013, 14:31   #1
Friedi

Hello everyone,

First of all, thanks in advance for the help! A few years ago you already helped me a great deal, and now I hope it works out just as well this time.

So, at the moment I am still living in Portugal and my system CDs are in Germany, so unfortunately I cannot simply reinstall the system.
A few days ago a trojan or worm was transferred to my PC via a USB stick. When I plugged in the USB stick, Avira sounded the alarm non-stop. At first it was so massive that the PC kept crashing and would not let any scan programs run to completion. With a few quick scans using Antispyware, ZoneAlarm, Windows Security Essentials and Avira I got it stabilised again for now, so that I can finally post here. I have also already run full scans with all the programs mentioned above. I started with ZoneAlarm, which found 40 files; the other programs found nothing more after that.

In total, the following files were found:

Avira had previously found these files:

first: TR/Agent.VB.1624
then: TR/Crypt.FSPM.Gen
on the stick this one was found: TR/Rontokbro.45417

ZoneAlarm found these:

Email-Worm.Win32.Brontok.q
Worm.Win32.AutoRun.btdp
Trojan-Downloader.Win32.Geral.cnh

Superantispyware found nothing, and Microsoft Security Essentials found these:

Worm:Win32/Brontok.AF@mm
Worm:Win32/Yeltminky.A

Attached are the OTL and Gmer files as well.

OTL:

OTL Logfile:
Code:
OTL logfile created on: 29.07.2013 11:12:32 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\***\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,91 Gb Total Physical Memory | 2,07 Gb Available Physical Memory | 52,97% Memory free
7,81 Gb Paging File | 5,68 Gb Available in Paging File | 72,73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 125,03 Gb Total Space | 49,72 Gb Free Space | 39,77% Space Free | Partition Type: NTFS
Drive D: | 148,06 Gb Total Space | 27,89 Gb Free Space | 18,84% Space Free | Partition Type: NTFS
 
Computer Name: *** | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.07.29 00:35:43 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
PRC - [2012.08.29 15:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2012.08.29 14:45:24 | 000,073,392 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2012.07.18 17:04:33 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2012.07.18 17:04:23 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.07.18 17:04:22 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011.10.03 14:17:40 | 000,166,528 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
PRC - [2011.09.13 21:33:14 | 002,317,312 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
PRC - [2011.07.21 14:49:10 | 005,716,608 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
PRC - [2009.12.15 09:39:38 | 000,096,896 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
PRC - [2009.06.19 09:29:42 | 000,105,016 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
PRC - [2009.06.19 09:29:26 | 002,488,888 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
PRC - [2009.06.15 16:30:42 | 000,084,536 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
PRC - [2008.12.22 16:15:34 | 000,174,648 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
PRC - [2008.08.13 20:00:08 | 000,113,208 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2011.09.13 21:33:14 | 001,163,264 | ---- | M] () -- C:\Program Files (x86)\ASUS\Wireless Console 3\acAuth.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2013.05.27 06:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV:64bit: - [2013.01.27 12:34:32 | 000,379,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2013.01.27 12:34:32 | 000,022,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2012.09.27 15:50:51 | 001,432,400 | ---- | M] (Flexera Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2012.09.17 09:49:12 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2012.07.14 15:01:26 | 000,827,560 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV:64bit: - [2011.09.27 15:04:18 | 000,204,288 | ---- | M] (AMD) [Disabled | Stopped] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010.09.23 02:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2013.07.25 09:40:01 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.07.04 12:02:13 | 000,117,144 | ---- | M] (Mozilla Foundation) [Disabled | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.06.21 09:53:36 | 000,162,408 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.12.19 10:49:34 | 000,732,648 | ---- | M] (Nokia) [Disabled | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2012.10.25 02:05:50 | 000,067,752 | ---- | M] (Robert McNeel & Associates) [Disabled | Stopped] -- C:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe -- (McNeelUpdate)
SRV - [2012.08.29 15:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.07.18 17:04:33 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.07.18 17:04:23 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.02.02 14:08:16 | 000,018,656 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe -- (Autodesk Content Service)
SRV - [2010.10.06 05:04:12 | 002,655,768 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010.10.06 05:04:08 | 000,325,656 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2010.03.18 21:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.02.19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.12.15 09:39:38 | 000,096,896 | ---- | M] (ASUS) [Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe -- (ATKGFNEXSrv)
SRV - [2009.06.15 16:30:42 | 000,084,536 | ---- | M] (ASUS) [Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe -- (ASLDRService)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009.04.30 12:23:26 | 000,090,112 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2013.01.20 16:59:04 | 000,130,008 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012.10.17 14:53:46 | 000,026,112 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd)
DRV:64bit: - [2012.08.30 17:18:04 | 000,325,376 | ---- | M] (AfaTech                  ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AF15BDA.sys -- (AF15BDA)
DRV:64bit: - [2012.08.29 14:25:29 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012.07.18 17:04:42 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012.07.18 17:04:42 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2012.07.18 17:04:41 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2012.07.14 15:01:42 | 000,033,712 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV:64bit: - [2012.03.01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.01.09 17:59:32 | 000,485,680 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\SysNative\drivers\klif.sys -- (KLIF)
DRV:64bit: - [2012.01.09 17:59:30 | 000,460,888 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\kl1.sys -- (KL1)
DRV:64bit: - [2012.01.09 17:59:30 | 000,011,864 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\kl2.sys -- (kl2)
DRV:64bit: - [2011.10.19 03:56:00 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.10.19 03:56:00 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011.10.04 07:49:32 | 002,770,944 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2011.09.27 15:56:52 | 010,207,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011.09.27 14:25:08 | 000,317,952 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011.08.23 14:57:24 | 000,565,352 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011.08.09 01:32:02 | 012,289,472 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdpmd64.sys -- (intelkmd)
DRV:64bit: - [2011.08.02 00:47:30 | 000,391,144 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\asmtxhci.sys -- (asmtxhci)
DRV:64bit: - [2011.08.02 00:47:30 | 000,129,000 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\asmthub3.sys -- (asmthub3)
DRV:64bit: - [2011.07.22 17:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS -- (SASDIFSV)
DRV:64bit: - [2011.07.20 17:47:56 | 000,143,144 | ---- | M] (ELAN Microelectronics Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ETD.sys -- (ETD)
DRV:64bit: - [2011.07.12 22:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS -- (SASKUTIL)
DRV:64bit: - [2011.05.13 23:37:54 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2011.05.07 16:51:32 | 000,454,232 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vsdatant.sys -- (Vsdatant)
DRV:64bit: - [2011.04.26 04:07:36 | 000,557,848 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2011.03.15 11:09:16 | 000,311,400 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtsuvstor.sys -- (RSUSBVSTOR)
DRV:64bit: - [2010.11.20 14:33:36 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 12:07:06 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.20 12:07:06 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010.10.19 22:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2010.10.14 18:28:16 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2009.07.20 10:29:40 | 000,015,416 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\kbfiltr.sys -- (kbfiltr)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.07.14 00:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)
DRV:64bit: - [2009.06.10 21:35:57 | 000,056,832 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SiSG664.sys -- (SiSGbeLH)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:34:18 | 000,057,344 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008.10.21 10:22:44 | 000,145,960 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017unic.sys -- (s0017unic)
DRV:64bit: - [2008.10.21 10:22:44 | 000,128,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017obex.sys -- (s0017obex)
DRV:64bit: - [2008.10.21 10:22:44 | 000,034,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017nd5.sys -- (s0017nd5)
DRV:64bit: - [2008.10.21 10:22:42 | 000,152,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017mdm.sys -- (s0017mdm)
DRV:64bit: - [2008.10.21 10:22:42 | 000,133,160 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017mgmt.sys -- (s0017mgmt)
DRV:64bit: - [2008.10.21 10:22:42 | 000,019,496 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017mdfl.sys -- (s0017mdfl)
DRV:64bit: - [2008.10.21 10:22:40 | 000,113,704 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0017bus.sys -- (s0017bus)
DRV:64bit: - [2008.05.23 16:27:28 | 000,154,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2011.09.07 08:55:04 | 000,017,536 | ---- | M] (ASUS) [Kernel | System | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys -- (ATKWMIACPIIO)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009.07.02 16:36:14 | 000,015,416 | ---- | M] (ASUS) [Kernel | Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys -- (ASMMAP64)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=NP06&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus.msn.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=NP06&src=IE-SearchBox
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Amazon.de"
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@graphisoft.com/GDL Web Plug-in: C:\Program Files (x86)\GRAPHISOFT\GDLWebControl\npGDLMozilla.dll (Graphisoft SE)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nokia.com/EnablerPlugin: C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.7: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\PROGRAM FILES\CHECKPOINT\ZAFORCEFIELD\TRUSTCHECKER [2012.08.31 08:38:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker [2012.08.31 08:38:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.06.29 01:04:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.06.29 01:04:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.7\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
 
[2012.08.31 08:33:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2012.12.11 20:16:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\zybsyvv0.default\extensions
[2012.12.11 20:16:52 | 000,036,098 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\zybsyvv0.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
[2013.05.25 11:16:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\browser\extensions
[2013.07.04 12:02:15 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\mozilla firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2012.08.29 14:32:25 | 000,001,787 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com#
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 adobe.activate.com
O1 - Hosts: 127.0.0.1 hl2rcv.adobe.com
O1 - Hosts: 127.0.0.1 209.34.83.73:443
O1 - Hosts: 127.0.0.1 209.34.83.73:43
O1 - Hosts: 127.0.0.1 209.34.83.73
O1 - Hosts: 127.0.0.1 209.34.83.67:43
O1 - Hosts: 127.0.0.1 209.34.83.67
O1 - Hosts: 127.0.0.1 ood.opsource.net
O1 - Hosts: 127.0.0.1 CRL.VERISIGN.NET
O1 - Hosts: 127.0.0.1 199.7.52.190:80
O1 - Hosts: 127.0.0.1 199.7.52.190
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 OCSP.SPO1.VERISIGN.COM
O1 - Hosts: 127.0.0.1 199.7.54.72:80
O1 - Hosts: 127.0.0.1 199.7.54.72
O2:64bit: - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
O3:64bit: - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [ETDCtrl] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronics Corp.)
O4:64bit: - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ASUSPRP] C:\Program Files (x86)\ASUS\APRP\APRP.EXE (ASUSTek Computer Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKLM..\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe (ASUS)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: []  File not found
O4 - HKCU..\Run: [AdobeBridge]  File not found
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:  = 
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\***\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\***\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2282695B-A721-4108-8C72-F9A77F178766}: DhcpNameServer = 10.0.16.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC9F2850-F4A9-4408-90CD-5CEA7CD7C5BA}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012.10.24 23:50:19 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.07.29 00:35:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.07.15 22:02:46 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\music_july
[2013.07.12 04:59:18 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\MRT
[2012.11.21 16:33:51 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpeE090.dll
[2012.11.11 14:23:58 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpeA8D.dll
[1 C:\Users\***\AppData\Local\*.tmp files -> C:\Users\***\AppData\Local\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.07.29 11:08:58 | 000,000,000 | ---- | M] () -- C:\Users\***\defogger_reenable
[2013.07.29 11:07:41 | 000,000,672 | ---- | M] () -- C:\Windows\tasks\WebContent AutoUpdate 2012.job
[2013.07.29 10:54:32 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.07.29 10:54:32 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.07.29 10:46:59 | 000,001,128 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.07.29 10:45:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.07.29 10:45:28 | 3145,764,864 | -HS- | M] () -- C:\hiberfil.sys
[2013.07.29 03:42:01 | 000,001,132 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.07.29 03:27:01 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.07.29 00:35:45 | 000,377,856 | ---- | M] () -- C:\Users\***\Desktop\gmer_2.1.19163.exe
[2013.07.29 00:35:43 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.07.29 00:34:59 | 000,050,477 | ---- | M] () -- C:\Users\***\Desktop\Defogger.exe
[2013.07.27 13:19:56 | 000,106,340 | ---- | M] () -- C:\Users\***\Desktop\***_Antrag_ausgefüllt.pdf
[2013.07.27 13:19:35 | 000,105,558 | ---- | M] () -- C:\Users\***\Desktop\***_Antrag_ausgefüllt.odt
[2013.07.27 11:26:23 | 000,000,516 | ---- | M] () -- C:\Windows\tasks\AutoUpdate Allplan 2012.job
[2013.07.26 19:27:39 | 001,643,244 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.07.26 19:27:39 | 000,708,282 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.07.26 19:27:39 | 000,663,560 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.07.26 19:27:39 | 000,151,886 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.07.26 19:27:39 | 000,124,832 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.07.26 11:16:36 | 000,180,151 | ---- | M] () -- C:\Users\***\Desktop\CV_***_hostel.pdf
[2013.07.23 22:21:44 | 000,599,662 | ---- | M] () -- C:\Users\***\Desktop\P7230838.jpg
[2013.07.23 22:21:29 | 000,455,621 | ---- | M] () -- C:\Users\***\Desktop\P7230835.jpg
[2013.07.23 22:21:24 | 001,140,196 | ---- | M] () -- C:\Users\***\Desktop\P7230842.jpg
[2013.07.23 13:41:18 | 000,505,344 | ---- | M] () -- C:\Users\***\Desktop\Unbenannt-1.psd
[2013.07.23 13:08:58 | 000,122,059 | ---- | M] () -- C:\Users\***\Desktop\Unbenannt-1.jpg
[2013.07.22 14:27:46 | 000,104,391 | ---- | M] () -- C:\Users\***\Desktop\***_Antrag.odt
[2013.07.21 22:41:57 | 001,372,219 | ---- | M] () -- C:\Users\***\Desktop\P7210762.jpg
[2013.07.20 21:26:35 | 000,091,167 | ---- | M] () -- C:\Users\***\Desktop\***_1177412446_n.jpg
[2013.07.20 21:01:53 | 000,050,034 | ---- | M] () -- C:\Users\***\Desktop\***_1658292798_n.jpg
[2013.07.18 19:41:21 | 000,088,406 | ---- | M] () -- C:\Users\***\Desktop\***_808243800_n.jpg
[2013.07.18 19:34:56 | 000,002,026 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013.07.18 01:34:50 | 001,335,354 | ---- | M] () -- C:\Users\***\Desktop\P7170603.jpg
[2013.07.18 01:34:41 | 001,586,999 | ---- | M] () -- C:\Users\***\Desktop\P7170605.jpg
[2013.07.18 01:33:48 | 001,457,338 | ---- | M] () -- C:\Users\***\Desktop\P7170604.jpg
[2013.07.18 01:15:17 | 000,209,236 | ---- | M] () -- C:\Users\***\Desktop\***.pdf
[2013.07.16 12:32:48 | 000,088,721 | ---- | M] () -- C:\Users\***\Desktop\***.2011.pdf
[2013.07.16 12:32:48 | 000,026,415 | ---- | M] () -- C:\Users\***\Desktop\***_Verpflichtung.pdf
[2013.07.16 12:32:48 | 000,025,706 | ---- | M] () -- C:\Users\***\Desktop\***_2.pdf
[2013.07.16 12:32:48 | 000,023,696 | ---- | M] () -- C:\Users\***\Desktop\Nebentätigkeit_2010_druck.pdf
[2013.07.16 12:32:47 | 000,192,885 | ---- | M] () -- C:\Users\***\Desktop\***.2013.pdf
[2013.07.16 12:32:47 | 000,027,994 | ---- | M] () -- C:\Users\***\Desktop\***druck.pdf
[2013.07.16 12:32:47 | 000,026,771 | ---- | M] () -- C:\Users\***\Desktop\***_2010_07.pdf
[2013.07.16 12:32:47 | 000,024,022 | ---- | M] () -- C:\Users\***\Desktop\Datenschutzrechtlicher Hinweis.pdf
[2013.07.15 14:12:20 | 000,062,752 | ---- | M] () -- C:\Users\***\Desktop\***_620225398_n.jpg
[2013.07.15 00:21:46 | 000,374,859 | ---- | M] () -- C:\Users\***\Desktop\P7130568.jpg
[2013.07.12 21:39:31 | 001,459,619 | ---- | M] () -- C:\Users\***\Desktop\P7120555.jpg
[2013.07.11 05:56:06 | 009,607,704 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[1 C:\Users\***\AppData\Local\*.tmp files -> C:\Users\***\AppData\Local\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.07.29 11:08:58 | 000,000,000 | ---- | C] () -- C:\Users\***\defogger_reenable
[2013.07.29 00:35:41 | 000,377,856 | ---- | C] () -- C:\Users\***\Desktop\gmer_2.1.19163.exe
[2013.07.29 00:34:47 | 000,050,477 | ---- | C] () -- C:\Users\***\Desktop\Defogger.exe
[2013.07.27 13:19:56 | 000,106,340 | ---- | C] () -- C:\Users\***\Desktop\***_Antrag_ausgefüllt.pdf
[2013.07.27 13:19:31 | 000,105,558 | ---- | C] () -- C:\Users\***\Desktop\***_Antrag_ausgefüllt.odt
[2013.07.26 11:16:33 | 000,180,151 | ---- | C] () -- C:\Users\***\Desktop\CV_***_hostel.pdf
[2013.07.23 22:21:42 | 000,599,662 | ---- | C] () -- C:\Users\***\Desktop\P7230838.jpg
[2013.07.23 22:21:27 | 000,455,621 | ---- | C] () -- C:\Users\***\Desktop\P7230835.jpg
[2013.07.23 22:21:21 | 001,140,196 | ---- | C] () -- C:\Users\***\Desktop\P7230842.jpg
[2013.07.23 13:41:16 | 000,505,344 | ---- | C] () -- C:\Users\***\Desktop\Unbenannt-1.psd
[2013.07.23 13:08:55 | 000,122,059 | ---- | C] () -- C:\Users\***\Desktop\Unbenannt-1.jpg
[2013.07.22 14:27:37 | 000,104,391 | ---- | C] () -- C:\Users\***\Desktop\***_Antrag.odt
[2013.07.21 22:41:53 | 001,372,219 | ---- | C] () -- C:\Users\***\Desktop\P7210762.jpg
[2013.07.20 21:26:35 | 000,091,167 | ---- | C] () -- C:\Users\***\Desktop\***_1177412446_n.jpg
[2013.07.20 21:01:51 | 000,050,034 | ---- | C] () -- C:\Users\***\Desktop\***_1658292798_n.jpg
[2013.07.18 19:41:15 | 000,088,406 | ---- | C] () -- C:\Users\***\Desktop\***_808243800_n.jpg
[2013.07.18 01:34:47 | 001,335,354 | ---- | C] () -- C:\Users\***\Desktop\P7170603.jpg
[2013.07.18 01:34:38 | 001,586,999 | ---- | C] () -- C:\Users\***\Desktop\P7170605.jpg
[2013.07.18 01:33:45 | 001,457,338 | ---- | C] () -- C:\Users\***\Desktop\P7170604.jpg
[2013.07.18 01:15:15 | 000,209,236 | ---- | C] () -- C:\Users\***\Desktop\***.pdf
[2013.07.16 12:32:48 | 000,088,721 | ---- | C] () -- C:\Users\***\Desktop\***.2011.pdf
[2013.07.16 12:32:48 | 000,026,415 | ---- | C] () -- C:\Users\***\Desktop\***_Verpflichtung.pdf
[2013.07.16 12:32:48 | 000,025,706 | ---- | C] () -- C:\Users\***\Desktop\Vorstrafen.pdf
[2013.07.16 12:32:48 | 000,023,696 | ---- | C] () -- C:\Users\***\Desktop\***_druck.pdf
[2013.07.16 12:32:47 | 000,192,885 | ---- | C] () -- C:\Users\***\Desktop\***.2013.pdf
[2013.07.16 12:32:47 | 000,027,994 | ---- | C] () -- C:\Users\***\Desktop\***druck.pdf
[2013.07.16 12:32:47 | 000,026,771 | ---- | C] () -- C:\Users\***\Desktop\***_2010_07.pdf
[2013.07.16 12:32:47 | 000,024,022 | ---- | C] () -- C:\Users\***\Desktop\Datenschutzrechtlicher Hinweis.pdf
[2013.07.15 14:12:10 | 000,062,752 | ---- | C] () -- C:\Users\***\Desktop\***_620225398_n.jpg
[2013.07.15 00:21:33 | 000,374,859 | ---- | C] () -- C:\Users\***\Desktop\P7130568.jpg
[2013.07.12 21:39:27 | 001,459,619 | ---- | C] () -- C:\Users\***\Desktop\P7120555.jpg
[2013.05.26 14:40:20 | 000,001,456 | ---- | C] () -- C:\Users\***\AppData\Local\Adobe Für Web speichern 13.0 Prefs
[2013.05.15 00:17:29 | 000,000,702 | ---- | C] () -- C:\Users\***\Eigene Musik - Verknüpfung.lnk
[2013.05.15 00:16:52 | 000,000,725 | ---- | C] () -- C:\Users\***\Eigene Bilder - Verknüpfung.lnk
[2012.09.27 15:51:38 | 000,000,153 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2012.09.07 16:07:49 | 000,000,132 | ---- | C] () -- C:\Users\***\AppData\Roaming\Adobe CS6-AIFF-Format - Voreinstellungen
[2012.09.05 11:45:43 | 000,000,742 | ---- | C] () -- C:\Users\***\Eigene Dokumente.lnk
[2012.08.29 19:00:14 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.08.29 18:57:27 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2012.08.29 18:56:11 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2012.08.29 18:56:11 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2012.08.29 18:56:11 | 000,216,000 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2012.08.29 18:56:11 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2012.08.29 18:56:11 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2012.08.29 18:56:10 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2012.08.29 18:55:55 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\drivers\IntelMEFWVer.dll
[2012.08.29 14:17:15 | 000,018,944 | ---- | C] ( ) -- C:\Windows\SysWow64\implode.dll
[2012.08.29 10:25:02 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\acovcnt.exe
[2011.10.19 05:26:32 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe
[2011.10.19 05:11:04 | 001,621,138 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.09.28 06:15:06 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013.02.27 06:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013.02.27 05:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2012.08.29 10:36:03 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ASUS WebStorage
[2012.10.25 00:16:53 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Autodesk
[2012.08.31 08:38:24 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\CheckPoint
[2012.09.05 10:20:50 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DAEMON Tools Lite
[2013.05.02 11:08:34 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DVDVideoSoft
[2012.08.31 08:39:39 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DVDVideoSoftIEHelpers
[2012.12.26 15:10:50 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FileZilla
[2012.11.05 11:25:09 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Graphisoft
[2012.11.05 11:23:30 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Install.GS
[2012.08.29 15:38:54 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\MAXON
[2013.02.20 13:03:05 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\McNeel
[2012.08.29 14:22:44 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Nemetschek
[2012.10.11 16:29:12 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Notepad++
[2012.09.11 00:51:33 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\OpenOffice.org
[2013.02.26 18:46:53 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\PC Suite
[2012.08.29 14:54:16 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2012.08.31 08:33:18 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Thunderbird
[2012.08.29 10:53:16 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Zeon
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:D20FFA63

< End of report >
         
--- --- ---


EXTRAS:

Quote:
OTL Extras logfile created on: 29.07.2013 11:12:32 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,91 Gb Total Physical Memory | 2,07 Gb Available Physical Memory | 52,97% Memory free
7,81 Gb Paging File | 5,68 Gb Available in Paging File | 72,73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 125,03 Gb Total Space | 49,72 Gb Free Space | 39,77% Space Free | Partition Type: NTFS
Drive D: | 148,06 Gb Total Space | 27,89 Gb Free Space | 18,84% Space Free | Partition Type: NTFS

Computer Name: *** | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========
GMER:

GMER Logfile:
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-07-29 13:36:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST320LT0 rev.0001 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\FRIEDE~1\AppData\Local\Temp\awldypow.sys


---- User code sections - GMER 2.1 ----

.text   C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\wininit.exe[676] C:\Windows\system32\USER32.dll!FindWindowW                                                                00000000774cd264 5 bytes JMP 00000001222ff174
.text   C:\Windows\system32\wininit.exe[676] C:\Windows\system32\USER32.dll!FindWindowA                                                                00000000774e8270 5 bytes JMP 00000001222ff1c4
.text   C:\Windows\system32\services.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\services.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\services.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\services.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\services.exe[772] C:\Windows\system32\USER32.dll!FindWindowW                                                               00000000774cd264 5 bytes JMP 00000001222ff174
.text   C:\Windows\system32\services.exe[772] C:\Windows\system32\USER32.dll!FindWindowA                                                               00000000774e8270 5 bytes JMP 00000001222ff1c4
.text   C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                       00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                     0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                           0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                                 0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\lsass.exe[780] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                             000007feff92b3a1 3 bytes [DD, 4C, FA]
.text   C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                         00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                       0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                             0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                                   0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[972] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                           000007feff92b3a1 3 bytes [DD, 4C, E8]
.text   C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\System32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\System32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\System32\svchost.exe[868] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                           000007feff92b3a1 3 bytes [DD, 4C, 0F]
.text   C:\Windows\system32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                          000007feff92b3a1 3 bytes [DD, 4C, 0F]
.text   C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\WLANExt.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\WLANExt.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\WLANExt.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\WLANExt.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\conhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\conhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\conhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\conhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                    0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                  0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                        0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort              0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\syswow64\kernel32.dll!OpenProcess                             00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\syswow64\USER32.dll!FindWindowW                               00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\syswow64\USER32.dll!FindWindowA                               000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                          0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[2012] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient              0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                      0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                    0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                          0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort                0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\syswow64\kernel32.dll!OpenProcess                               00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                            0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient                0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\syswow64\USER32.dll!FindWindowW                                 00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1120] C:\Windows\syswow64\USER32.dll!FindWindowA                                 000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\System32\spoolsv.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                          000007feff92b3a1 3 bytes [DD, 4C, FA]
.text   C:\Windows\System32\StikyNot.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                   00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\System32\StikyNot.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                 0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\System32\StikyNot.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                       0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\System32\StikyNot.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                             0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                     00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                   0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                         0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                               0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess            00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3216] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort          0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort      0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3216] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1  000007feff92b3a1 3 bytes [DD, 4C, FA]
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                        0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                      0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                            0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort                  0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\syswow64\kernel32.dll!OpenProcess                                 00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\syswow64\USER32.dll!FindWindowW                                   00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\syswow64\USER32.dll!FindWindowA                                   000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                              0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient                  0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess           00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort         0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType               0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort     0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort              0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                    0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort          0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\syswow64\kernel32.dll!OpenProcess                         00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\syswow64\USER32.dll!FindWindowW                           00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\syswow64\USER32.dll!FindWindowA                           000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                      0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient          0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Windows\SysWOW64\ntdll.dll[3552] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                      0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Windows\SysWOW64\ntdll.dll[3552] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                                                    0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Windows\SysWOW64\ntdll.dll[3552] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                                                          0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Windows\SysWOW64\ntdll.dll[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort                                                0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Windows\SysWOW64\ntdll.dll[3552] C:\Windows\syswow64\kernel32.dll!OpenProcess                                                               00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                              00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                            0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                  0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                        0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                    000007feff92b3a1 3 bytes [DD, 4C, FA]
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                      0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                    0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                          0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort                0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\syswow64\kernel32.dll!OpenProcess                               00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\syswow64\USER32.dll!FindWindowW                                 00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\syswow64\USER32.dll!FindWindowA                                 000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                            0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3724] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient                0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                     0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                   0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                         0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort               0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\syswow64\kernel32.dll!OpenProcess                              00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\syswow64\USER32.dll!FindWindowW                                00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\syswow64\USER32.dll!FindWindowA                                000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                           0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3720] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient               0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                         0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                       0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                             0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort                   0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\syswow64\kernel32.dll!OpenProcess                                  00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\syswow64\USER32.dll!FindWindowW                                    00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\syswow64\USER32.dll!FindWindowA                                    000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                               0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3684] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient                   0000000076a73369 5 bytes JMP 0000000120cb8e5d
.text   C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                          00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                        0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                              0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                    0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\conhost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\conhost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\conhost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\conhost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\SearchIndexer.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                              00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\SearchIndexer.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                            0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\SearchIndexer.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                  0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\SearchIndexer.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                        0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                 00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5020] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                               0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5020] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                     0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                           0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                        00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                      0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                            0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                  0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\System32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\System32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\System32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\System32\svchost.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\System32\svchost.exe[2072] C:\Windows\system32\ADVAPI32.dll!ImpersonateNamedPipeClient + 1                                          000007feff92b3a1 3 bytes [DD, 4C, FA]
.text   C:\Windows\system32\wuauclt.exe[4864] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\wuauclt.exe[4864] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\wuauclt.exe[4864] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\wuauclt.exe[4864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Windows\system32\svchost.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                    00000000779814d0 5 bytes JMP 00000001222ffe7c
.text   C:\Windows\system32\svchost.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtImpersonateClientOfPort                                                  0000000077981500 5 bytes JMP 0000000122300530
.text   C:\Windows\system32\svchost.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAccessCheckByType                                                        0000000077981960 5 bytes JMP 00000001222ffab8
.text   C:\Windows\system32\svchost.exe[3176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcImpersonateClientOfPort                                              0000000077981b00 5 bytes JMP 00000001223005e8
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                              0000000077b2fb08 5 bytes JMP 0000000120cb89ab
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtImpersonateClientOfPort                            0000000077b2fb50 5 bytes JMP 0000000120cb8d58
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheckByType                                  0000000077b30220 5 bytes JMP 0000000120cb8791
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcImpersonateClientOfPort                        0000000077b304a0 5 bytes JMP 0000000120cb8dd9
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\syswow64\kernel32.dll!OpenProcess                                       00000000752b1986 5 bytes JMP 0000000120cb846c
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\syswow64\USER32.dll!FindWindowW                                         00000000771698fd 5 bytes JMP 0000000120cb825a
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\syswow64\USER32.dll!FindWindowA                                         000000007716ffe6 5 bytes JMP 0000000120cb828f
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\syswow64\ADVAPI32.dll!SetThreadToken                                    0000000076a3c7ce 5 bytes JMP 0000000120cb9036
.text   C:\Users\***\Desktop\gmer_2.1.19163.exe[3372] C:\Windows\syswow64\ADVAPI32.dll!ImpersonateNamedPipeClient                        0000000076a73369 5 bytes JMP 0000000120cb8e5d

---- Threads - GMER 2.1 ----

Thread  C:\Windows\SysWOW64\ntdll.dll [3552:3556]                                                                                                      0000000000d872be
Thread  C:\Windows\SysWOW64\ntdll.dll [3552:3644]                                                                                                      00000000695d8f84
Thread  C:\Windows\SysWOW64\ntdll.dll [3552:3648]                                                                                                      00000000695d925e
Thread  C:\Windows\SysWOW64\ntdll.dll [3552:3652]                                                                                                      00000000695d8bd0

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e                                                                    
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)                                                

---- EOF - GMER 2.1 ----
         
--- --- ---

Two more questions to finish:
What do I do with the stick? Just buy a new one and throw this one in the bin? And: at the same time as the stick, I also had my external hard drive connected. How likely is it that it is infected too, and how can I find out without transferring the virus from my PC to the hard drive? What is the best way to proceed?

Thanks again, I hope you can help me!

Best regards,

Friedi

Last edited by Friedi (29.07.2013 at 14:42)
