Log analysis and evaluation: Windows7, Trojan Software.Updater.UI.exe, popup keeps reappearing (Windows 7)
01.01.2014, 13:19 | #1
Windows7, Trojan Software.Updater.UI.exe, popup keeps reappearing
Good day, for a few days I have been getting a popup that will not go away. It prompts me to collect some Christmas presents. In Task Manager I find the application "Software.Updater.UI.exe", which I stopped manually. Unfortunately it reappears at startup. According to "Virus-total.com" it is a virus. F-Secure unfortunately did not detect the virus. I have run the applications Defogger, FRST and GMER; the log files are attached. Many thanks in advance, Stefan
01.01.2014, 13:29 | #2
/// the machine /// TB-Ausbilder | Windows7, Trojan Software.Updater.UI.exe, popup keeps reappearing
Hi,
__________________
Please always post logs directly in the thread. If necessary, split them up and use several posts. This is how it works: Posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
__________________
01.01.2014, 13:57 | #3
Windows7, Trojan Software.Updater.UI.exe, popup keeps reappearing
Hello, the logs were reported as too large when I was writing the post. Here is another attempt.
Code:
DEFOGGER:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:39 on 30/12/2013 (Kathlen)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
FRST Logfile:
01.01.2014, 14:00 | #4
Windows7, Trojan Software.Updater.UI.exe, popup keeps reappearing
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-12-30 19:07:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Kathlen\AppData\Local\Temp\pxriafow.sys

---- User code sections - GMER 2.1 ----
C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100af2018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000778cf874 5 bytes JMP 0000000100af3018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\USER32.dll!DdeConnect 000000007790dec0 4 bytes JMP 0000000100af4018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100061018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100060018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100062018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 
000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Windows\system32\lsass.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2455c8 5 bytes JMP 000007ff7f250018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100131018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100130018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100132018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001001e1018 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001001e0018 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001001e2018 .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001001a1018 .text C:\Windows\system32\svchost.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001001a0018 .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001001a2018 .text C:\Windows\System32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100ce1018 .text C:\Windows\System32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100ce0018 .text C:\Windows\System32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100ce2018 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100ea1018 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100ea0018 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100ea2018 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100d31018 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100d30018 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100d32018 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100e01018 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100e00018 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100e02018 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes 
JMP 0000000100ba1018 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100ba0018 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100ba2018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100bf1018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100bf0018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100bf2018 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2455c8 5 bytes JMP 000007ff7f250018 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010011100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010011000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010011200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010011300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010011400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010011500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 000000010011b00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010011600c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010011800c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010011900c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010011700c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010011a00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001002b100c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001002b000c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001002b200c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001002b300c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001002b400c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 00000001002b600c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 00000001002b800c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001002b900c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001002b700c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001002b500c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001002bb00c .text C:\Program Files (x86)\Common 
Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 00000001002ba00c .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000103371018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000103370018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000103372018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff2455c8 5 bytes JMP 
000007ff7f250018 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100261018 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100260018 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100262018 .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001005c100c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001005c000c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001005c200c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001005c300c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001005c400c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 00000001005c600c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 00000001005c800c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001005c900c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001005c700c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001005c500c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001005cb00c .text C:\Windows\SysWOW64\svchost.exe[1976] 
C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 00000001005ca00c .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000102171018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000102170018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000102172018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010035100c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010035000c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010035200c .text C:\Program Files (x86)\CyberLink\Shared 
files\RichVideo.exe[2096] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010035300c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010035400c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010035500c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 000000010035b00c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010035600c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010035800c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010035900c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010035700c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010035a00c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... 
* 2 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010014100c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010014000c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010014200c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010014300c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010014400c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010014600c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010014800c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010014900c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010014700c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010014500c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 
bytes JMP 000000010014b00c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010014a00c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000104911018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000104910018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000104912018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000778cf874 5 bytes JMP 0000000104913018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\system32\USER32.dll!DdeConnect 000000007790dec0 5 bytes JMP 0000000104914018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 
000007ff7f801018 .text C:\Windows\Explorer.EXE[3000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001022b1018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001022b0018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001022b2018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018 .text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000101ce1018 .text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000101ce0018 .text 
C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000101ce2018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001002b1018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001002b0018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001002b2018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000101fe1018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000101fe0018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000101fe2018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001025f1018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001025f0018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001025f2018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001003f100c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001003f000c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001003f200c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001003f300c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001003f400c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 00000001003f600c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 00000001003f800c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001003f900c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001003f700c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001003f500c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001003fb00c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 00000001003fa00c
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
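The GMER section in this post is a list of user-mode inline hooks: for each process it names the exported function whose first bytes were overwritten with a JMP, the patched address and the jump target (or, for 1- and 2-byte patches, the raw bytes). Read across processes, the same small set of APIs is patched everywhere (process creation in ntdll, LoadLibraryExW and TerminateThread, the service-control calls, CoCreateInstance, and in WOW64 processes also SetWindowsHookExW and DdeConnect), which is what a system-wide behaviour-monitoring layer (HIPS/AV) typically looks like rather than a patch aimed at one process. GMER does not say which module owns the JMP targets, so the listing alone does not attribute the hooks. The Python helper below is an added example, not part of the original post and not a GMER or F-Secure tool: it parses such entries, including the collapsed one-long-line form the forum export shows, and groups them per API and per process so that a process whose hook set differs from its peers stands out. The sample entries embedded in it are copied from the log above; splitting at each `.text` token and treating `.text ... * 2` as GMER's "more of the same" marker are assumptions about the text format taken from this log.

```python
"""Triage helper for the user-mode hook section of a GMER log.

Added example: not part of the forum post and not a GMER or F-Secure tool.
Parses entries of the form
  .text <process>[<pid>] <module>!<function> <addr> N bytes JMP <target>
  .text <process>[<pid>] <module>!<function> + <off> <addr> N bytes [AA, BB]
and summarises them per hooked API and per process. GMER prints where the
patched bytes jump to, not which module owns that address, so the summary
says what is hooked in which process, never by whom.
"""
import ntpath
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<function>\S+(?: \+ \d+)?)\s+"
    r"(?P<address>[0-9A-Fa-f]{8,16})\s+(?P<size>\d+) bytes?\s+"
    r"(?:JMP (?P<target>[0-9A-Fa-f]{8,16})|\[(?P<bytes>[^\]]*)\])$"
)

# Constructed sample: entries copied from the posted log, in the collapsed
# one-long-line form the forum export shows (GMER writes one entry per line;
# both forms parse identically).
SAMPLE = (
    r".text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001002b2018 "
    r".text C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 "
    r".text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000101fe2018 "
    r".text C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018 "
    r".text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001003f200c "
    r".text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001003f300c "
    r".text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] "
    r".text ... * 2 "
    r".text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW + 4 0000000075a0c9f0 1 byte [8A]"
)


def split_entries(text):
    """Yield one whitespace-normalised entry per '.text' token, so the collapsed
    forum export and a clean one-entry-per-line log split identically."""
    for chunk in re.split(r"(?=\.text\s)", text):
        chunk = " ".join(chunk.split())
        if chunk:
            yield chunk


def parse_hooks(text):
    """Return (hooks, skipped): hooks as one dict per parsed entry; skipped as
    entries that are not process hooks, e.g. GMER's '.text ... * 2' marker."""
    hooks, skipped = [], []
    for entry in split_entries(text):
        m = HOOK_RE.match(entry)
        if not m:
            skipped.append(entry)
            continue
        h = m.groupdict()
        h["pid"], h["size"] = int(h["pid"]), int(h["size"])
        # Key by DLL file name + export, case-insensitive on the file name, so the
        # 64-bit (system32) and WOW64 (syswow64) copies of a DLL compare by name.
        h["api"] = ntpath.basename(h["module"]).lower() + "!" + h["function"]
        hooks.append(h)
    return hooks, skipped


def hooks_by_api(hooks):
    """Map api -> {'pids': processes carrying the hook, 'targets': JMP targets seen}."""
    by_api = defaultdict(lambda: {"pids": set(), "targets": set()})
    for h in hooks:
        by_api[h["api"]]["pids"].add(h["pid"])
        if h["target"]:
            by_api[h["api"]]["targets"].add(h["target"].lower())
    return dict(by_api)


def signatures(hooks):
    """Group processes by their exact hooked-API set: {frozenset(apis): [(pid, path)]}.
    A few large groups (64-bit vs. WOW64 processes) covering everything is the
    footprint of one system-wide hooking layer; a process whose set differs from
    its peers is the one to examine first."""
    apis, names = defaultdict(set), {}
    for h in hooks:
        apis[h["pid"]].add(h["api"])
        names[h["pid"]] = h["process"]
    groups = defaultdict(list)
    for pid, api_set in apis.items():
        groups[frozenset(api_set)].append((pid, names[pid]))
    return dict(groups)


def report(text):
    """Print a per-API and per-process summary; return (hooks, skipped)."""
    hooks, skipped = parse_hooks(text)
    print(f"{len(hooks)} hooks in {len({h['pid'] for h in hooks})} processes; "
          f"{len(skipped)} non-hook entries skipped")
    for api, info in sorted(hooks_by_api(hooks).items()):
        print(f"  {api:<45} {len(info['pids']):>3} process(es)  targets={sorted(info['targets'])}")
    for api_set, procs in sorted(signatures(hooks).items(), key=lambda kv: -len(kv[1])):
        members = ", ".join(f"{ntpath.basename(p)}[{pid}]" for pid, p in procs)
        print(f"hook set of {len(api_set)} API(s) shared by {len(procs)} process(es): {members}")
    return hooks, skipped


if __name__ == "__main__":
    report(SAMPLE)
```

Run it as-is for the embedded sample, or pass the whole user-mode hook section of a GMER log to `report()`. Attributing the JMP targets (which DLL is mapped at that address in each process) still has to be done on the machine with a debugger or a process inspection tool; the grouping only tells you where to look.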
01.01.2014, 14:00 | #5 |
| Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently
Code:
.text ... * 2
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000104591018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000104590018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000104592018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 0000000104da100c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 0000000104da000c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 0000000104da200c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 0000000104da300c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 0000000104da400c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 0000000104da600c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 0000000104da800c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 0000000104da900c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 0000000104da700c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 0000000104da500c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 0000000104dab00c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 0000000104daa00c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001003f100c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001003f000c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001003f200c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001003f300c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001003f400c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001003f500c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001003fb00c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 00000001003f600c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 00000001003f800c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001003f900c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001003f700c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 00000001003fa00c
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010403100c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010403000c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010403200c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010403300c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010403400c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010403500c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 000000010403b00c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010403600c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010403800c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010403900c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010403700c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010403a00c
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Program Files (x86)\F-Secure\Common\FSM32.EXE[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010523100c
.text C:\Program Files (x86)\F-Secure\Common\FSM32.EXE[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010523000c
.text C:\Program Files (x86)\F-Secure\Common\FSM32.EXE[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010523200c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001002c100c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001002c000c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001002c200c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001002c300c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001002c400c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001002c500c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001002ca00c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 3 bytes JMP 00000001002c600c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW + 4 0000000075a0c9f0 1 byte [8A]
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 3 bytes JMP 00000001002c800c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle + 4 0000000075a13620 1 byte [8A]
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001002c900c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001002c700c
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010045100c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010045000c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010045200c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010045300c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010045400c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010045600c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010045800c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010045900c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010045700c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010045500c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 000000010045b00c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010045a00c
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000100111018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000100110018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000100112018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001001a1018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001001a0018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001001a2018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 000000010122100c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 000000010122000c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 000000010122200c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010122300c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010122400c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010122600c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010122800c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010122900c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010122700c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010122500c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 000000010122b00c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010122a00c
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001045d1018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001045d0018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001045d2018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 00000001001c1018
.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 00000001001c0018
.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 00000001001c2018
.text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 0000000102ca100c
.text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 0000000102ca000c
.text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 0000000102ca200c
.text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 0000000102ca300c
.text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 0000000102ca400c
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b31780 5 bytes JMP 0000000101b41018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b31cd0 5 bytes JMP 0000000101b40018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b31d80 5 bytes JMP 0000000101b42018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 000000010024000c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 000000010024100c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 000000010024200c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 000000010024800c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 000000010024300c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 000000010024500c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 000000010024600c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 000000010024400c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 000000010024700c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001001e100c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001001e000c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001001e200c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001001e300c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001001e400c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001001e500c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001001eb00c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 00000001001e600c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 00000001001e800c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001001e900c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001001e700c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 00000001001ea00c
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77]
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77]
.text ... * 2
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007feff7dde90 5 bytes JMP 000007ff7f801018
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefef2642c 5 bytes JMP 000007ff7f803018
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefef26484 5 bytes JMP 000007ff7f802018
.text C:\Windows\system32\DllHost.exe[3996] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefef26518 5 bytes JMP 000007ff7f804018
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960 000000002d1d5984 4 bytes [E2, 47, 58, 2B]
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077cdffec 5 bytes JMP 00000001003f100c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077ce0814 5 bytes JMP 00000001003f000c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077ce091c 5 bytes JMP 00000001003f200c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075ab48fd 5 bytes JMP 00000001003f300c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\kernel32.dll!TerminateThread 0000000075ab79cf 5 bytes JMP 00000001003f400c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 00000001003fa00c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075897603 5 bytes JMP 00000001003f500c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\USER32.dll!DdeConnect 00000000758ceb7f 5 bytes JMP 00000001003fb00c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 0000000075a0c9ec 5 bytes JMP 00000001003f600c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 0000000075a1361c 5 bytes JMP 00000001003f800c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000075a270c4 5 bytes JMP 00000001003f900c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!ControlService 0000000075a270dc 5 bytes JMP 00000001003f700c
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 
69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cdf9e0 5 bytes JMP 0000000175486f86 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077cdf9f8 5 bytes JMP 000000017548741f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077cdfa28 5 bytes JMP 0000000175481027 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077cdfa40 5 bytes JMP 00000001754808b2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077cdfa90 5 bytes JMP 000000017548072c .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077cdfaa8 5 bytes JMP 000000017548083a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077cdfb40 5 bytes JMP 00000001754813d1 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077cdfc38 5 bytes JMP 00000001754853c5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077cdfd4c 5 bytes JMP 00000001754806b4 .text C:\Program Files 
(x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cdfd64 5 bytes JMP 00000001754859b5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077cdfd98 5 bytes JMP 0000000175484a3a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077cdfe44 5 bytes JMP 0000000175487001 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077cdfe5c 5 bytes JMP 0000000175485b37 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077ce00b4 5 bytes JMP 00000001754857ed .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077ce01c4 5 bytes JMP 000000017548092a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077ce09e4 5 bytes JMP 00000001754855e0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077ce09fc 5 bytes JMP 000000017547d7fa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077ce0a44 5 bytes JMP 000000017547d8c8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077ce0b80 5 bytes JMP 000000017547d861 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization 
handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077ce0f70 5 bytes JMP 00000001754809a2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ce0f88 5 bytes JMP 0000000175480dff .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077ce1018 5 bytes JMP 000000017548112f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077ce133c 5 bytes JMP 0000000175485bc7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077ce147c 5 bytes JMP 0000000175480d83 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077ce1528 5 bytes JMP 0000000175487397 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077ce1718 5 bytes JMP 000000017547dd06 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077ce1a58 5 bytes JMP 00000001754807b4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077ce1b9c 5 bytes JMP 000000017548712e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075ab103d 5 bytes JMP 0000000175459bba .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization 
handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075ab1072 5 bytes JMP 0000000175459cf8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!ReplaceFile 0000000075ad0dac 5 bytes JMP 0000000175457e04 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075adc965 5 bytes JMP 0000000175459f2e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!ReplaceFileA 0000000075b2eab9 5 bytes JMP 0000000175457d24 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW 0000000075b30083 5 bytes JMP 000000017545a851 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000075b3012b 5 bytes JMP 000000017545ab84 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075b32c51 5 bytes JMP 000000017545a3f3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!AllocConsole 0000000075b56afe 5 bytes JMP 0000000175488595 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!AttachConsole 0000000075b56bc2 5 bytes JMP 00000001754885a7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075762aa4 5 bytes JMP 000000017545ad8f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] 
C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075888a29 5 bytes JMP 000000017548857d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007588d22e 5 bytes JMP 0000000175488565 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 0000000075d0d3c2 5 bytes JMP 00000001754681eb .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\GDI32.dll!AddFontResourceA 0000000075d0d8cb 1 byte JMP 00000001754681cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\GDI32.dll!AddFontResourceA + 2 0000000075d0d8cd 3 bytes {JMP 0xffffffffff75a904} .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 0000000075a01e3a 7 bytes JMP 000000017546b1d3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 0000000075a0b406 7 bytes JMP 000000017546c0f4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 0000000075a27897 7 bytes JMP 000000017546b87a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 0000000075a27953 7 bytes JMP 000000017546ba2b .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 0000000075a2a37a 7 bytes JMP 000000017546c1ba .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization 
handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075a42642 5 bytes JMP 000000017545a070 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000075a61d74 7 bytes JMP 000000017546b932 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000075a61e11 7 bytes JMP 000000017546bae3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000075a62201 7 bytes JMP 000000017546c036 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000075a622e4 7 bytes JMP 000000017546b28a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000075a62401 5 bytes JMP 000000017546bf78 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075e74d5c 7 bytes JMP 000000017546b018 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075e74dc3 7 bytes JMP 000000017546b341 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus 0000000075e74e4b 7 bytes JMP 000000017546b0a4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx 0000000075e74eaf 7 bytes JMP 000000017546b137 .text C:\Program Files (x86)\Common Files\microsoft 
shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!StartServiceW 0000000075e74f35 7 bytes JMP 000000017546ae93 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!StartServiceA 0000000075e7508d 7 bytes JMP 000000017546af29 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 0000000075e750f4 7 bytes JMP 000000017546be46 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e75181 7 bytes JMP 000000017546bee2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e75254 7 bytes JMP 000000017546b542 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e753d5 7 bytes JMP 000000017546b45d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e754c2 7 bytes JMP 000000017546b7e4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e755e2 7 bytes JMP 000000017546b74e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e7567c 7 bytes JMP 000000017546ac75 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e7589f 7 bytes JMP 000000017546ab9f .text C:\Program Files (x86)\Common 
Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e75a22 7 bytes JMP 000000017546b3cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA 0000000075e75a83 7 bytes JMP 000000017546bc75 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW 0000000075e75b29 7 bytes JMP 000000017546bbdc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA 0000000075e75ca0 7 bytes JMP 000000017546a34f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW 0000000075e75d8c 7 bytes JMP 000000017546a2d6 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW 0000000075e763ad 7 bytes JMP 000000017546a89d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA 0000000075e764f0 7 bytes JMP 000000017546a929 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A 0000000075e76633 7 bytes JMP 000000017546bdaa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W 0000000075e7680c 7 bytes JMP 000000017546bd0e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000075e7714b 7 bytes JMP 000000017546aa12 .text C:\Program Files (x86)\Common 
Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075e77245 7 bytes JMP 000000017546aa9e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid 0000000075eec56e 5 bytes JMP 000000017547196d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000075eeea09 7 bytes JMP 0000000175471f3e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleRun 0000000075ef07de 5 bytes JMP 0000000175471df9 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000075ef21e1 5 bytes JMP 0000000175472a6e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000075efeba1 6 bytes JMP 0000000175471d18 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000075efefd7 5 bytes JMP 0000000175471ca8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoGetPSClsid 0000000075f026b9 5 bytes JMP 0000000175471ae5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000075f154ad 5 bytes JMP 0000000175472ffc .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000075f209ad 5 bytes JMP 0000000175471b58 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization 
handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000075f286d3 5 bytes JMP 0000000175471bda
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f29d0b 5 bytes JMP 00000001754742ca
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075f29d4e 5 bytes JMP 0000000175472405
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000075f4bb09 7 bytes JMP 0000000175471e69
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000075f6eacf 5 bytes JMP 00000001754713ca
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000075fa340b 5 bytes JMP 00000001754734bc
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000075fecfd9 5 bytes JMP 0000000175471d83
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject 000000007747279e 5 bytes JMP 000000017547165d
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject 0000000077473294 5 bytes JMP 000000017547177e
.text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\oleaut32.dll!GetActiveObject 0000000077488f40 5 bytes JMP 00000001754717f1

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6a3c77
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde6a3c77 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ---- |
02.01.2014, 09:00 | #6 |
/// the machine /// TB-Ausbilder | Windows 7, Trojan Software.Updater.UI.exe, popup keeps reappearing
Combofix should only be run when a team member has instructed you to do so!
Please download Combofix from the following download mirror: Link 1
IMPORTANT - Save Combofix to your desktop
When Combofix has finished, it will create a logfile. Please post the C:\Combofix.txt in your next reply.
Note: Should you get the following error message after the restart Quote:
02.01.2014, 19:26 | #7 |
| Windows 7, Trojan Software.Updater.UI.exe, popup keeps reappearing Hello Schrauber, many thanks for your competent and quick help. I think the trouble has been removed. Attached is the log. Regards, Stefan Combofix logfile: Code:
ComboFix 14-01-01.01 - Kathlen 02.01.2014 18:45:22.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.4010.2826 [GMT 1:00]
ausgeführt von:: d:\users\Kathlen\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
FW: F-Secure Internet Security 2011 10.51 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
SP: F-Secure Internet Security 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-12-02 bis 2014-01-02 ))))))))))))))))))))))))))))))
.
.
2014-01-02 17:52 . 2014-01-02 17:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-01 11:44 . 2013-12-04 03:28 10315576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D525CC62-397A-4191-8C92-1504F45F414D}\mpengine.dll
2013-12-30 17:45 . 2013-12-30 17:45 -------- d-----w- C:\FRST
2013-12-19 16:05 . 2013-12-19 16:05 -------- d-----w- c:\users\Kathlen\AppData\Local\SoftwareUpdater
2013-12-15 13:22 . 2013-10-14 17:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
2013-12-12 21:19 . 2013-05-10 05:56 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2013-12-12 21:19 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL
2013-12-12 21:19 . 2013-05-10 04:30 167424 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2013-12-12 21:19 . 2013-05-10 03:48 164864 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
2013-12-12 21:19 . 2013-05-10 05:56 14631424 ----a-w- c:\windows\system32\wmp.dll
2013-12-12 21:16 . 2013-10-12 02:32 150016 ----a-w- c:\windows\system32\wshom.ocx
2013-12-12 21:16 . 2013-10-12 02:31 202752 ----a-w- c:\windows\system32\scrrun.dll
2013-12-12 21:16 . 2013-10-12 02:04 121856 ----a-w- c:\windows\SysWow64\wshom.ocx
2013-12-12 21:16 . 2013-10-12 01:33 156160 ----a-w- c:\windows\system32\cscript.exe
2013-12-12 21:16 . 2013-10-12 02:03 163840 ----a-w- c:\windows\SysWow64\scrrun.dll
2013-12-12 21:16 . 2013-10-12 01:33 168960 ----a-w- c:\windows\system32\wscript.exe
2013-12-12 21:16 . 2013-10-12 01:15 141824 ----a-w- c:\windows\SysWow64\wscript.exe
2013-12-12 21:16 . 2013-10-12 01:15 126976 ----a-w- c:\windows\SysWow64\cscript.exe
2013-12-12 21:15 . 2013-10-30 02:32 335360 ----a-w- c:\windows\system32\msieftp.dll
2013-12-12 21:15 . 2013-10-30 02:19 301568 ----a-w- c:\windows\SysWow64\msieftp.dll
2013-12-12 21:15 . 2013-10-30 01:24 3155968 ----a-w- c:\windows\system32\win32k.sys
2013-12-12 21:15 . 2013-11-23 18:26 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-12-12 21:15 . 2013-11-23 17:47 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-12-12 21:15 . 2013-10-19 02:18 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-12-12 21:15 . 2013-10-19 01:36 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-12-12 21:15 . 2013-11-12 02:23 2048 ----a-w- c:\windows\system32\tzres.dll
2013-12-12 21:15 . 2013-11-12 02:07 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-12-12 21:15 . 2013-10-04 02:16 116736 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-12-12 21:15 . 2013-10-04 01:36 230400 ----a-w- c:\windows\system32\drivers\portcls.sys
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-15 13:45 . 2012-07-22 09:40 90708896 ----a-w- c:\windows\system32\MRT.exe
2013-12-10 20:57 . 2012-10-30 20:57 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-10 20:57 . 2011-10-21 15:43 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-19 02:33 . 2011-10-21 14:34 267936 ------w- c:\windows\system32\MpSigStub.exe
2013-10-12 02:30 . 2013-11-14 16:59 830464 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:29 . 2013-11-14 16:59 859648 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:29 . 2013-11-14 16:59 324096 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-10-12 02:03 . 2013-11-14 16:59 656896 ----a-w- c:\windows\SysWow64\nshwfp.dll
2013-10-12 02:01 . 2013-11-14 16:59 216576 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
2013-10-05 20:25 . 2013-11-14 17:00 1474048 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 19:57 . 2013-11-14 17:00 1168384 ----a-w- c:\windows\SysWow64\crypt32.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl10"="c:\program files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe" [2010-09-20 87336]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-09-22 5587832]
"F-Secure Manager"="c:\program files (x86)\F-Secure\Common\FSM32.EXE" [2011-10-21 201384]
"F-Secure TNB"="c:\program files (x86)\F-Secure\FSGUI\TNBUtil.exe" [2011-10-21 1655464]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SystemStoreService;System Store;c:\program files (x86)\SoftwareUpdater\SystemStore.exe -displayname System Store -servicename SystemStoreService;c:\program files (x86)\SoftwareUpdater\SystemStore.exe -displayname System Store -servicename SystemStoreService [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe;c:\windows\SYSNATIVE\SUPDSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys;c:\windows\SYSNATIVE\Drivers\fsbts.sys [x]
S0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\DRIVERS\tdrpm273.sys;c:\windows\SYSNATIVE\DRIVERS\tdrpm273.sys [x]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files (x86)\F-Secure\HIPS\drivers\fshs.sys;c:\program files (x86)\F-Secure\HIPS\drivers\fshs.sys [x]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys;c:\windows\SYSNATIVE\drivers\fses.sys [x]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys;c:\windows\SYSNATIVE\drivers\fsdfw.sys [x]
S1 fsvista;F-Secure Vista Support Driver;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys;c:\windows\SYSNATIVE\Drivers\SABI.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 afcdpsrv;Acronis Nonstop Backup-Dienst;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [x]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files (x86)\F-Secure\ORSP Client\fsorsp.exe;c:\program files (x86)\F-Secure\ORSP Client\fsorsp.exe [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners
.
2014-01-02 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-30 20:57] . 2014-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-21 18:34] . 2014-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-21 18:34] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-27 11780712] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-14 167960] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-14 391704] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-14 418328] "Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-09-22 395344] . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = about:tabs uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= mDefault_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= mStart Page = about:tabs mLocal Page = c:\windows\SysWOW64\blank.htm mSearch Page = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= mSearch Bar = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 LSP: c:\program files (x86)\F-Secure\FSPS\program\FSLSP.DLL TCP: DhcpNameServer = 
192.168.178.1 FF - ProfilePath - c:\users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\ FF - prefs.js: browser.search.selectedEngine - Web Search FF - prefs.js: browser.startup.homepage - about:home FF - prefs.js: keyword.URL - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= FF - prefs.js: network.proxy.type - 0 FF - ExtSQL: !HIDDEN! 2011-12-29 17:54; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Toolbar-Locked - (no file) HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start Toolbar-Locked - (no file) HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32] @DACL=(02 0000) @=expand:"%SystemRoot%\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1" . 
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . 
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2014-01-02 18:54:48 ComboFix-quarantined-files.txt 2014-01-02 17:54 . Vor Suchlauf: 9 Verzeichnis(se), 58.582.933.504 Bytes frei Nach Suchlauf: 15 Verzeichnis(se), 58.503.217.152 Bytes frei . - - End Of File - - 1CE41B937BE04D4BE50009AE93676363 |
03.01.2014, 12:37 | #8 |
/// the machine /// TB-Ausbilder |
Please download Malwarebytes Anti-Malware.
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
And a fresh FRST log, please.
__________________
Regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!
06.01.2014, 19:14 | #9 |
Hello Schrauber,
I have now carried out the steps as instructed.
Malwarebytes: worked, log below.
AdwCleaner: worked, log below.
Junkware Removal Tool: unfortunately did not work. I found the newest version, JRT_6.0.8, which I started as admin. It then asked for the version update, which I confirmed with "y". Unfortunately I get the message "the tool was not able to download to the desktop". F-Secure was switched off.
Thanks and regards,
Stefan
Code:
Malwarebytes Anti-Malware (Test) 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2014.01.06.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Kathlen :: KATHLEN-PC [Administrator]

Schutz: Aktiviert

06.01.2014 16:53:34
mbam-log-2014-01-06 (16-53-34).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 400742
Laufzeit: 1 Stunde(n), 26 Minute(n), 43 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 4
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199} (PUP.Optional.Iminent.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48d2-9061-8BBD4899EB08} (PUP.Optional.Iminent.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\Software\Iminent (PUP.Optional.Iminent.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\Software\Iminent (PUP.Optional.Iminent.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 6
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bösartig: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Gut: (hxxp://www.google.com) -> Erfolgreich ersetzt und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (Hijack.SearchPage) -> Bösartig: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Gut: (hxxp://www.google.com/) -> Erfolgreich ersetzt und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bösartig: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Gut: (hxxp://www.google.com) -> Erfolgreich ersetzt und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bösartig: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Gut: (hxxp://www.google.com) -> Erfolgreich ersetzt und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bösartig: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Gut: (hxxp://www.google.com) -> Erfolgreich ersetzt und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (Hijack.SearchPage) -> Bösartig: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Gut: (hxxp://www.google.com/) -> Erfolgreich ersetzt und in Quarantäne gestellt.

Infizierte Verzeichnisse: 2
C:\Users\Kathlen\AppData\Local\DownloadGuide (PUP.Optional.DownloadGuide.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers (PUP.Optional.DownloadGuide.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateien: 7
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\HomeTab.exe (PUP.Optional.HomeTab.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\iminent.exe (PUP.Optional.Iminent.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\Users\Kathlen\Downloads\ZipExtractorSetup.exe (PUP.Optional.InstallCore) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Kathlen\AppData\Local\DownloadGuide\amazon.ico (PUP.Optional.DownloadGuide.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Kathlen\AppData\Local\DownloadGuide\FreeSystemUtilities.exe (PUP.Optional.DownloadGuide.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\autocompletepro.exe (PUP.Optional.DownloadGuide.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\gutscheincodes.exe (PUP.Optional.DownloadGuide.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
Code:
# AdwCleaner v3.016 - Bericht erstellt am 06/01/2014 um 18:47:19
# Aktualisiert 23/12/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzername : Kathlen - KATHLEN-PC
# Gestartet von : D:\Users\Kathlen\Desktop\adwcleaner_3.016.exe
# Option : Löschen

***** [ Dienste ] *****

[#] Dienst Gelöscht : SystemStoreService

***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\Program Files (x86)\GutscheinFinder
Ordner Gelöscht : C:\Program Files (x86)\Iminent
Ordner Gelöscht : C:\Program Files (x86)\Protected Search
Ordner Gelöscht : C:\Users\Kathlen\AppData\Local\Software_Updater
Ordner Gelöscht : C:\Users\Kathlen\AppData\Local\SoftwareUpdater
Ordner Gelöscht : C:\Users\Kathlen\AppData\LocalLow\SimplyTech
Datei Gelöscht : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\searchplugins\Web Search.xml
Datei Gelöscht : C:\Program Files (x86)\Mozilla Firefox\searchplugins\Web Search.xml
Datei Gelöscht : C:\Windows\System32\Tasks\Software Updater Ui
Datei Gelöscht : C:\Windows\System32\Tasks\Software Updater

***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\iMesh.AudioCD
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{C4C4F1F4-3074-4CB6-9FB8-0A64273166F0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFD485F0-96BD-47CD-BB6D-CD7DDA95F102}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Schlüssel Gelöscht : HKCU\Software\simplytech
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\simplytech
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP

***** [ Browser ] *****

-\\ Internet Explorer v11.0.9600.16428

Einstellung Wiederhergestellt : HKCU\Software\Microsoft\Internet Explorer\Search [Search Bar]
Einstellung Wiederhergestellt : HKCU\Software\Microsoft\Internet Explorer\Search [Search Page]
Einstellung Wiederhergestellt : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar]
Einstellung Wiederhergestellt : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page]
Einstellung Wiederhergestellt : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [(Default)]
Einstellung Wiederhergestellt : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)]

-\\ Mozilla Firefox v26.0 (de)

[ Datei : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\prefs.js ]

Zeile gelöscht : user_pref("browser.search.defaultengine", "Web Search");
Zeile gelöscht : user_pref("browser.search.defaultenginename", "Web Search");
Zeile gelöscht : user_pref("browser.search.order.1", "Web Search");
Zeile gelöscht : user_pref("browser.search.selectedEngine", "Web Search");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.ROOTEXTENSION", "chrome://iminentwebbooster/content/minibar");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.Services.BHPCode", "01");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultEvent", "000");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultWebSite", "000");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.Services.IminentClientCode", "11");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.Services.SmartFavCode", "02");
Zeile gelöscht : user_pref("iminent.webbooster.scripts.minibar.registerToolbarEvent102", "1368292009788");
Zeile gelöscht : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=");

*************************

AdwCleaner[R0].txt - [14969 octets] - [06/01/2014 18:45:09]
AdwCleaner[S0].txt - [13698 octets] - [06/01/2014 18:47:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [13759 octets] ##########
AdwCleaner Logfile:
Code:
# AdwCleaner v3.016 - Bericht erstellt am 06/01/2014 um 18:45:09
# Aktualisiert 23/12/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzername : Kathlen - KATHLEN-PC
# Gestartet von : D:\Users\Kathlen\Desktop\adwcleaner_3.016.exe
# Option : Suchen

***** [ Dienste ] *****

Dienst Gefunden : SystemStoreService

***** [ Dateien / Ordner ] *****

Datei Gefunden : C:\Program Files (x86)\Mozilla Firefox\searchplugins\Web Search.xml
Datei Gefunden : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\searchplugins\Web Search.xml
Datei Gefunden : C:\Windows\System32\Tasks\Software Updater
Datei Gefunden : C:\Windows\System32\Tasks\Software Updater Ui
Ordner Gefunden C:\Program Files (x86)\GutscheinFinder
Ordner Gefunden C:\Program Files (x86)\Iminent
Ordner Gefunden C:\Program Files (x86)\Protected Search
Ordner Gefunden C:\Users\Kathlen\AppData\Local\Software_Updater
Ordner Gefunden C:\Users\Kathlen\AppData\Local\SoftwareUpdater
Ordner Gefunden C:\Users\Kathlen\AppData\LocalLow\SimplyTech

***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gefunden : HKCU\Software\AppDataLow\Software\simplytech
Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Schlüssel Gefunden : HKCU\Software\simplytech
Schlüssel Gefunden : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gefunden : [x64] HKCU\Software\simplytech
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\iMesh.AudioCD
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Schlüssel Gefunden :
HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{C4C4F1F4-3074-4CB6-9FB8-0A64273166F0} Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF} Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE} Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFD485F0-96BD-47CD-BB6D-CD7DDA95F102} Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32 Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASAPI32 Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASMANCS Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASAPI32 Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASMANCS Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9} Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09} Schlüssel Gefunden : [x64] 
HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4} Schlüssel Gefunden : [x64] 
HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4} Schlüssel Gefunden : [x64] HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B} Schlüssel Gefunden : [x64] 
HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7} ***** [ Browser ] ***** -\\ Internet Explorer v11.0.9600.16428 Einstellung Gefunden : HKCU\Software\Microsoft\Internet Explorer\Search [Search Bar] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= Einstellung Gefunden : HKCU\Software\Microsoft\Internet Explorer\Search [Search Page] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= Einstellung Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= Einstellung Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q= Einstellung Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [(Default)] - hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=%s Einstellung Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)] - hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=%s -\\ Mozilla Firefox v26.0 (de) [ Datei : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\prefs.js ] Zeile gefunden : user_pref("browser.search.defaultengine", "Web Search"); Zeile gefunden : user_pref("browser.search.defaultenginename", "Web Search"); Zeile gefunden : user_pref("browser.search.order.1", "Web Search"); Zeile gefunden : user_pref("browser.search.selectedEngine", "Web Search"); Zeile 
gefunden : user_pref("iminent.webbooster.scripts.minibar.ROOTEXTENSION", "chrome://iminentwebbooster/content/minibar"); Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.BHPCode", "01"); Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultEvent", "000"); Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultWebSite", "000"); Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.IminentClientCode", "11"); Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.SmartFavCode", "02"); Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.registerToolbarEvent102", "1368292009788"); Zeile gefunden : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q="); ************************* AdwCleaner[R0].txt - [14647 octets] - [06/01/2014 18:45:09] ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [14708 octets] ########## |
07.01.2014, 10:19 | #10 |
/// the machine /// TB-Ausbilder | Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently ESET Online Scanner
Please download SecurityCheck and:
and a fresh FRST log, please. Any more problems?
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 Donate Guides and help Trojaner-Board Facebook page No help via PM! |
12.01.2014, 13:13 | #11 |
| Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently Hello Schrauber. Unfortunately I will not have the time to carry out the next steps until February. If at all possible, please do not close the thread yet. I will then report back with the result log. Thanks, regards, Stefan |
13.01.2014, 10:11 | #12 |
/// the machine /// TB-Ausbilder | Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently All right.
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 Donate Guides and help Trojaner-Board Facebook page No help via PM! |
09.02.2014, 18:18 | #13 |
| Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently Hello Schrauber, thanks for keeping the post open. I installed ESET and ran it on all drives; log attached. Regards, Stefan Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=bfac543b41dc0b44922c1e0aa9c62607
# engine=17003
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-02-09 03:51:55
# local_time=2014-02-09 04:51:55 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=2310 16777213 100 94 24073 72750106 0 0
# compatibility_mode=5893 16776573 100 94 104402 143590965 0 0
# scanned=212570
# found=0
# cleaned=0
# scan_time=10881
Code:
Results of screen317's Security Check version 0.99.78
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
F-Secure Internet Security 2011 10.51
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 11.9.900.170
Adobe Reader XI
Mozilla Firefox (26.0)
````````Process Check: objlist.exe by Laurent````````
F-Secure Anti-Virus fsgk32st.exe
F-Secure Anti-Virus FSGK32.EXE
F-Secure Anti-Virus fssm32.exe
F-Secure Anti-Virus fsav32.exe
Acronis TrueImageHome OnlineBackupStandalone TrueImageMonitor.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
|
10.02.2014, 12:47 | #14 |
/// the machine /// TB-Ausbilder | Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently A fresh FRST log is still missing. Any more problems?
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 Donate Guides and help Trojaner-Board Facebook page No help via PM! |
15.02.2014, 12:04 | #15 |
| Windows 7, Trojan Software.Updater.UI.exe, popup appears persistently Hello Schrauber, here is the FRST log as well. Thanks for your help, Stefan FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-02-2014 01 Ran by Kathlen (administrator) on KATHLEN-PC on 15-02-2014 11:53:15 Running from D:\Users\Kathlen\Downloads Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE (Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\FSGK32.EXE () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSHDLL32.EXE (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSHDLL64.EXE (Microsoft Corp.) 
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (F-Secure Corporation) C:\Program Files (x86)\F-Secure\FWES\Program\fsdfwd.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fssm32.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsav32.exe (Intel Corporation) C:\Windows\System32\igfxtray.exe (Intel Corporation) C:\Windows\System32\hkcmd.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe (SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\srspanel_64.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe (CyberLink Corp.) C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe (Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Hewlett-Packard Co.) 
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSM32.EXE (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe (Intel® Corporation) C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (F-Secure Corporation) C:\Program Files (x86)\F-Secure\Spam Control\fsscoepl_x64.exe (Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe (Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe (SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe (Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\SamsungFastStart\SmartRestarter.exe (Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (Intel(R) Corporation) C:\Program Files\Intel\TurboBoost\TurboBoost.exe (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Samsung Electronics) C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe (SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe (Adobe Systems, Inc.) 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11780712 2011-02-27] (Realtek Semiconductor) HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.) HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [395344 2011-09-22] (Acronis) HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-10-08] () HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe [87336 2010-09-20] (CyberLink Corp.) HKLM-x32\...\Run: [TrueImageMonitor.exe] - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5587832 2011-09-22] (Acronis) HKLM-x32\...\Run: [F-Secure Manager] - C:\Program Files (x86)\F-Secure\Common\FSM32.EXE [201384 2011-10-21] (F-Secure Corporation) HKLM-x32\...\Run: [F-Secure TNB] - C:\Program Files (x86)\F-Secure\FSGUI\TNBUtil.exe [1655464 2011-10-21] (F-Secure Corporation) HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard) HKLM-x32\...\Run: [SAOB Monitor] - C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2571032 2011-09-22] (Acronis) HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) Startup: C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (No File) Startup: C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\Überwachungstool für die Intel® Turbo-Boost-Technik 2.0.lnk ShortcutTarget: Überwachungstool für die Intel® Turbo-Boost-Technik 2.0.lnk -> C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (Intel® Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:tabs HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:tabs StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear SearchScopes: HKCU - {7AF10BB5-1A3E-4F5E-9FA5-21102412DB25} URL = hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms} BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.) BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: Samsung BHO Class - {AA609D72-8482-4076-8991-8CDAE5B93BCB} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll () BHO-x32: Browsing Protection Class - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files (x86)\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation) BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.) 
Toolbar: HKLM-x32 - Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files (x86)\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Winsock: Catalog9 01 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 02 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 03 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 04 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 05 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 06 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 07 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 08 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 09 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 10 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 11 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9 23 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation) Winsock: Catalog9-x64 01 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 02 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 03 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 04 C:\Program 
Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 05 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 06 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 07 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 08 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 09 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 10 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 11 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Winsock: Catalog9-x64 23 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation) Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 FireFox: ======== FF ProfilePath: C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default FF Homepage: about:home FF NetworkProxy: "type", 0 FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll () FF Plugin: @microsoft.com/GENUINE - disabled No File FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll () FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google) FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.) 
FF Plugin-x32: @java.com/DTPlugin,version=10.15.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF Plugin-x32: @microsoft.com/GENUINE - disabled No File FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.) FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF HKLM-x32\...\Firefox\Extensions: [litmus-ff@f-secure.com] - C:\Program Files (x86)\F-Secure\NRS\litmus-ff@f-secure.com
FF Extension: Browsing Protection - C:\Program Files (x86)\F-Secure\NRS\litmus-ff@f-secure.com [2011-10-21]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-12-29]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-12-29]

==================== Services (Whitelisted) =================

R2 F-Secure Gatekeeper Handler Starter; C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe [221864 2011-10-21] (F-Secure Corporation)
R3 FSDFWD; C:\Program Files (x86)\F-Secure\FWES\Program\fsdfwd.exe [849576 2011-10-21] (F-Secure Corporation)
R2 FSMA; C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE [189096 2011-10-21] (F-Secure Corporation)
R3 FSORSPClient; C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe [60352 2013-06-06] (F-Secure Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] ()

==================== Drivers (Whitelisted) ====================

R3 F-Secure Gatekeeper; C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [202176 2013-07-10] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\F-Secure\HIPS\drivers\fshs.sys [61960 2011-10-21] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2012-08-20] ()
R0 fsbts; C:\Windows\SysWOW64\Drivers\fsbts.sys [42672 2011-10-21] ()
R1 FSES; C:\Windows\System32\drivers\fses.sys [46664 2011-10-21] (F-Secure Corporation)
R1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [95784 2011-10-21] (F-Secure Corporation)
R1 fsvista; C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [15016 2011-10-21] ()
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [117040 2011-10-03] (Oracle Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-15 11:37 - 2014-02-15 11:37 - 00003324 _____ () C:\Windows\System32\Tasks\SamsungSupportCenter
2014-02-15 11:37 - 2014-02-15 11:37 - 00002078 _____ () C:\Users\Public\Desktop\Samsung Support Center.lnk
2014-02-13 22:14 - 2013-12-21 10:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-13 22:14 - 2013-12-21 09:56 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-02-13 22:13 - 2014-02-06 13:16 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-13 22:13 - 2014-02-06 12:30 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-13 22:13 - 2014-02-06 12:30 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-13 22:13 - 2014-02-06 12:12 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-13 22:13 - 2014-02-06 12:07 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-13 22:13 - 2014-02-06 12:06 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-13 22:13 - 2014-02-06 11:57 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-13 22:13 - 2014-02-06 11:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-13 22:13 - 2014-02-06 11:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-13 22:13 - 2014-02-06 11:49 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-13 22:13 - 2014-02-06 11:48 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-13 22:13 - 2014-02-06 11:48 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-13 22:13 - 2014-02-06 11:38 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-13 22:13 - 2014-02-06 11:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-13 22:13 - 2014-02-06 11:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-13 22:13 - 2014-02-06 11:17 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-13 22:13 - 2014-02-06 11:11 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-13 22:13 - 2014-02-06 11:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-13 22:13 - 2014-02-06 11:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-13 22:13 - 2014-02-06 10:57 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-13 22:13 - 2014-02-06 10:57 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-13 22:13 - 2014-02-06 10:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-13 22:13 - 2014-02-06 10:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-13 22:13 - 2014-02-06 10:50 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-13 22:13 - 2014-02-06 10:49 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-13 22:13 - 2014-02-06 10:47 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-13 22:13 - 2014-02-06 10:46 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-13 22:13 - 2014-02-06 10:25 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-13 22:13 - 2014-02-06 10:25 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-13 22:13 - 2014-02-06 10:24 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-13 22:13 - 2014-02-06 10:22 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-13 22:13 - 2014-02-06 10:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-13 22:13 - 2014-02-06 10:09 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-13 22:13 - 2014-02-06 10:03 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-13 22:13 - 2014-02-06 09:55 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-13 22:13 - 2014-02-06 09:41 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-13 22:13 - 2014-02-06 09:40 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-13 22:13 - 2014-02-06 09:36 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-13 22:13 - 2014-02-06 09:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-13 22:09 - 2014-01-01 00:05 - 00420008 _____ () C:\Windows\SysWOW64\locale.nls
2014-02-13 22:09 - 2014-01-01 00:04 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-02-13 22:09 - 2013-12-25 00:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-02-13 22:09 - 2013-12-24 23:48 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-13 22:09 - 2013-12-06 03:30 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-13 22:09 - 2013-12-06 03:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-13 22:09 - 2013-12-06 03:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-02-13 22:09 - 2013-12-06 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00485888 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-02-13 22:09 - 2013-12-04 03:26 - 00528384 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-13 22:09 - 2013-12-04 03:16 - 00658432 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-02-13 22:09 - 2013-12-04 03:16 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-02-13 22:09 - 2013-12-04 03:16 - 00553984 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-02-13 22:09 - 2013-12-04 03:16 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-02-13 22:09 - 2013-12-04 03:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc.dll
2014-02-13 22:09 - 2013-12-04 03:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_isv.dll
2014-02-13 22:09 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp_isv.dll
2014-02-13 22:09 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp.dll
2014-02-13 22:09 - 2013-12-04 03:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdrm.dll
2014-02-13 22:09 - 2013-12-04 02:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_isv.exe
2014-02-13 22:09 - 2013-12-04 02:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate.exe
2014-02-13 22:09 - 2013-12-04 02:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp.exe
2014-02-13 22:09 - 2013-12-04 02:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
2014-02-13 22:09 - 2013-11-26 09:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2014-02-13 22:09 - 2013-11-22 23:48 - 03928064 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll

==================== One Month Modified Files and Folders =======

2014-02-15 11:53 - 2013-12-30 18:45 - 00000000 ____D () C:\FRST
2014-02-15 11:40 - 2012-10-30 21:57 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-15 11:37 - 2014-02-15 11:37 - 00003324 _____ () C:\Windows\System32\Tasks\SamsungSupportCenter
2014-02-15 11:37 - 2014-02-15 11:37 - 00002078 _____ () C:\Users\Public\Desktop\Samsung Support Center.lnk
2014-02-15 11:37 - 2011-03-17 05:38 - 00000000 ____D () C:\Program Files (x86)\Samsung
2014-02-15 11:36 - 2011-10-21 19:36 - 00001112 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-15 11:33 - 2011-03-17 05:36 - 01358413 _____ () C:\Windows\WindowsUpdate.log
2014-02-15 11:30 - 2009-07-14 05:45 - 00014144 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-15 11:30 - 2009-07-14 05:45 - 00014144 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-15 11:25 - 2011-10-21 19:35 - 00001108 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-15 11:24 - 2013-10-09 18:33 - 00008512 _____ () C:\Windows\setupact.log
2014-02-15 11:24 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-13 22:23 - 2011-03-17 22:00 - 00661980 _____ () C:\Windows\system32\perfh007.dat
2014-02-13 22:23 - 2011-03-17 22:00 - 00133678 _____ () C:\Windows\system32\perfc007.dat
2014-02-13 22:23 - 2009-07-14 06:13 - 01544098 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-11 17:32 - 2014-01-02 19:00 - 00003804 _____ () C:\Windows\PFRO.log
2014-02-10 23:02 - 2011-10-21 17:42 - 00000000 ____D () C:\Users\Kathlen\AppData\Roaming\SoftGrid Client
2014-02-08 12:40 - 2012-10-30 21:57 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-08 12:40 - 2012-10-30 21:57 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-08 12:40 - 2011-10-21 16:43 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-06 13:16 - 2014-02-13 22:13 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-06 12:30 - 2014-02-13 22:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-06 12:30 - 2014-02-13 22:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-06 12:12 - 2014-02-13 22:13 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-06 12:07 - 2014-02-13 22:13 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-06 12:06 - 2014-02-13 22:13 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-06 11:57 - 2014-02-13 22:13 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-06 11:56 - 2014-02-13 22:13 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-06 11:52 - 2014-02-13 22:13 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-06 11:49 - 2014-02-13 22:13 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-06 11:48 - 2014-02-13 22:13 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-06 11:48 - 2014-02-13 22:13 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-06 11:38 - 2014-02-13 22:13 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-06 11:32 - 2014-02-13 22:13 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-06 11:20 - 2014-02-13 22:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-06 11:17 - 2014-02-13 22:13 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-06 11:11 - 2014-02-13 22:13 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-06 11:01 - 2014-02-13 22:13 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-06 11:00 - 2014-02-13 22:13 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-06 10:57 - 2014-02-13 22:13 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-06 10:57 - 2014-02-13 22:13 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-06 10:52 - 2014-02-13 22:13 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-06 10:52 - 2014-02-13 22:13 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-06 10:50 - 2014-02-13 22:13 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-06 10:49 - 2014-02-13 22:13 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-06 10:47 - 2014-02-13 22:13 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-06 10:46 - 2014-02-13 22:13 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-06 10:25 - 2014-02-13 22:13 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-06 10:25 - 2014-02-13 22:13 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-06 10:24 - 2014-02-13 22:13 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-06 10:22 - 2014-02-13 22:13 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-06 10:13 - 2014-02-13 22:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-06 10:09 - 2014-02-13 22:13 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-06 10:03 - 2014-02-13 22:13 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-06 09:55 - 2014-02-13 22:13 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-06 09:41 - 2014-02-13 22:13 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-06 09:40 - 2014-02-13 22:13 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-06 09:36 - 2014-02-13 22:13 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-06 09:34 - 2014-02-13 22:13 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-01-23 18:55 - 2011-10-21 15:59 - 00000000 ____D () C:\Users\Kathlen\AppData\Roaming\Acronis
2014-01-20 18:49 - 2009-07-14 06:08 - 00032632 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-20 09:27 - 2011-10-31 13:26 - 00000000 ____D () C:\Windows\pss
2014-01-20 09:27 - 2011-10-21 15:22 - 00000000 ___RD () C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Some content of TEMP:
====================
C:\Users\Kathlen\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-09 10:44

==================== End Of Log ============================ |
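As an added example that is not from this thread and not FRST's own code, the following Python script parses the two line formats that make up most of the FRST log posted above (the `R2 Name; path [size date] (Company)` service and driver lines, and the `created - modified - size attrs (Company) path` file lines) and applies two triage heuristics that a log reader otherwise applies by eye: an executable created inside a user profile with an empty company field gets a "review" flag, and a service or driver whose binary carries no company information gets a "verify" flag. The log embedded in the script is constructed for the example; its entries are modelled on lines from the log above, except for the last file line, whose path `C:\Users\example\AppData\Local\Temp\unknown_updater.exe` is an assumption made up so that the user-profile rule has something to fire on.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the two FRST line formats seen in the posted log.
# Entries are modelled on that log; the last file line uses a made-up path
# (assumption) so that the user-profile rule below has something to flag.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) =================

R2 FSMA; C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE [189096 2011-10-21] (F-Secure Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] ()

==================== Drivers (Whitelisted) ====================

R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2012-08-20] ()
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [117040 2011-10-03] (Oracle Corporation)

==================== One Month Created Files and Folders ========

2014-02-15 11:37 - 2014-02-15 11:37 - 00003324 _____ () C:\Windows\System32\Tasks\SamsungSupportCenter
2014-02-13 22:14 - 2013-12-21 10:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-12 20:05 - 2014-02-12 20:05 - 00151552 _____ () C:\Users\example\AppData\Local\Temp\unknown_updater.exe
"""

# "==================== Section name =====" headers
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# "R2 Name; path [size yyyy-mm-dd] (Company)" service and driver lines
SERVICE_RE = re.compile(
    r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$"
)
# "created - modified - size attrs (Company) path" file and folder lines
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    kind: str      # "service", "driver" or "file"
    path: str
    company: str   # empty when FRST printed "()", i.e. no readable version resource
    size: int
    flags: str     # start type (R2, S3, ...) or attribute field (____D, ...)


def parse_frst(text: str) -> List[Entry]:
    """Turn the service, driver and file lines of an FRST log into Entry records."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = SERVICE_RE.match(line)
        if m:
            kind = "driver" if section.startswith("Drivers") else "service"
            entries.append(Entry(section, kind, m.group("path"), m.group("company"),
                                 int(m.group("size")), m.group("start")))
            continue
        m = FILE_RE.match(line)
        if m:
            entries.append(Entry(section, "file", m.group("path"), m.group("company"),
                                 int(m.group("size")), m.group("attrs")))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Heuristic worklist: 'review' = look at this file first, 'verify' = confirm it is what it claims.

    Neither tag is a malware verdict; legitimate binaries without a version resource
    (RichVideo.exe and fsbts.sys in the sample) trip the 'verify' rule as well.
    """
    findings: List[Tuple[str, str]] = []
    for e in entries:
        is_binary = e.path.lower().endswith(BINARY_EXT)
        in_profile = USER_PROFILE_RE.match(e.path) is not None
        if e.kind == "file" and is_binary and in_profile and not e.company:
            findings.append((e.path, "review: executable without version info created in a user profile"))
        elif e.kind in ("service", "driver") and not e.company:
            findings.append((e.path, "verify: %s binary carries no company/version information" % e.kind))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_frst(SAMPLE_LOG)):
        print(reason, "->", path)
```

An empty company field only means that FRST found no version resource to read, so the "verify" entries are a list of files to hash and check for a valid signature, not a list of detections; the "review" rule is the one that would surface a freshly dropped updater in a user's AppData tree, which the system-wide "Created Files" section above is otherwise dominated by Windows Update churn.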