Log analysis and evaluation: WIN7: Telekom invoice (trojan) - PC sends invoice e-mails and greeting cards (Windows 7)
If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system first has to be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
05.12.2014, 21:25, #1
WIN7: Telekom invoice (trojan) - PC sends invoice e-mails and greeting cards

Hello everyone,

unfortunately the Telekom invoice e-mail was opened, and since then spam mails have been sent, namely invoice e-mails and greeting cards. My case falls under the exception for commercially used computers. The PC is used in a veterinary practice and I am the friend who looks after their IT. ... What else could I do?

Thanks for the effort.

FRST log
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-12-2014
Ran by Administrator (administrator) on DIANA-PC on 05-12-2014 20:29:18
Running from C:\Users\Administrator\Desktop
Loaded Profile: Administrator (Available profiles: Diana & Administrator)
Platform: Microsoft Windows 7 Home Premium Service Pack 1 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX86\officeclicktorun.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Primax Electronics Ltd.) C:\Windows\System32\ico.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
() C:\Windows\System32\FSRremoS.EXE
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\UdaterUI.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\McTray.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [BrMfcWnd] => C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] => C:\Program Files\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM\...\Run: [Mouse Suite 98 Daemon] => C:\Windows\system32\ICO.EXE [57344 2004-07-14] (Primax Electronics Ltd.)
HKLM\...\Run: [McAfeeUpdaterUI] => C:\Program Files\McAfee\Common Framework\udaterui.exe [333416 2012-09-05] (McAfee, Inc.)
HKLM\...\Run: [ShStatEXE] => C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [215656 2012-08-14] (McAfee, Inc.)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-750750560-3555848559-3144871155-500\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-750750560-3555848559-3144871155-500\...\Policies\Explorer: [NoControlPanel] 0
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-750750560-3555848559-3144871155-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-750750560-3555848559-3144871155-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-750750560-3555848559-3144871155-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x405F3571EF0FD001
HKU\S-1-5-21-750750560-3555848559-3144871155-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-AT
HKU\S-1-5-21-750750560-3555848559-3144871155-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-at/?ocid=iehp
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20141204194206.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vmsdwcoq.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files\Common Files\McAfee\SystemCore
FF Extension: IDS_SS_NAME - C:\Program Files\Common Files\McAfee\SystemCore [2014-12-04]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe [1674928 2014-10-29] (Microsoft Corporation)
R2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [132712 2012-09-05] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [167344 2014-12-04] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [210056 2012-08-14] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [159640 2014-12-04] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2014-12-04] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [215024 2014-12-04] (McAfee, Inc.)
R3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59616 2014-12-04] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [477584 2014-12-04] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87816 2014-12-04] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [180720 2014-12-04] (McAfee, Inc.)
S3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
S3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
U3 mfeavfk01; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-05 20:29 - 2014-12-05 20:29 - 00008876 _____ () C:\Users\Administrator\Desktop\FRST.txt
2014-12-05 20:29 - 2014-12-05 20:28 - 01110016 _____ (Farbar) C:\Users\Administrator\Desktop\FRST.exe
2014-12-05 19:53 - 2014-12-05 20:29 - 00000000 ____D () C:\FRST
2014-12-04 20:54 - 2014-12-04 20:54 - 00000000 ____D () C:\Users\Diana\AppData\Roaming\McAfee
2014-12-04 20:46 - 2014-12-04 20:46 - 00000000 ____D () C:\QUARANTINE
2014-12-04 20:08 - 2014-12-04 20:09 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Mozilla
2014-12-04 20:01 - 2014-12-04 20:01 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\JAM Software
2014-12-04 20:01 - 2014-12-04 20:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize Professional
2014-12-04 20:01 - 2014-12-04 20:01 - 00000000 ____D () C:\Program Files\TreeSize Professional
2014-12-04 19:42 - 2014-12-04 19:42 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\McAfee
2014-12-04 19:42 - 2014-12-04 19:40 - 00215024 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2014-12-04 19:42 - 2014-12-04 19:40 - 00121544 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeapfk.sys
2014-12-04 19:42 - 2014-12-04 19:40 - 00087816 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mferkdet.sys
2014-12-04 19:42 - 2014-12-04 19:40 - 00075656 _____ (McAfee, Inc.) C:\Windows\system32\MfeOtlkAddin.dll
2014-12-04 19:42 - 2014-12-04 19:40 - 00059616 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfebopk.sys
2014-12-04 19:42 - 2014-12-04 19:40 - 00023112 _____ (McAfee, Inc.) C:\Windows\system32\MFEOtlk.dll
2014-12-04 19:42 - 2014-12-04 19:40 - 00009648 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeclnk.sys
2014-12-04 19:41 - 2014-12-04 19:40 - 00477584 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-12-04 19:40 - 2014-12-04 19:40 - 00180720 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfewfpk.sys
2014-12-04 19:40 - 2014-12-04 19:40 - 00159640 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2014-12-04 19:40 - 2014-12-04 19:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-12-04 19:39 - 2014-12-04 19:40 - 00000000 ____D () C:\ProgramData\McAfee
2014-12-04 19:39 - 2014-12-04 19:40 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-12-04 19:39 - 2014-12-04 19:39 - 00000000 ____D () C:\Program Files\McAfee
2014-12-01 19:18 - 2014-12-01 19:18 - 00000000 __SHD () C:\Users\Diana\AppData\Local\EmieBrowserModeList
2014-11-26 17:52 - 2014-12-04 19:42 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-26 16:05 - 2014-11-26 16:14 - 00000000 ____D () C:\Windows\erdnt
2014-11-26 16:05 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-11-26 16:05 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-11-26 16:05 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-11-26 16:05 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-11-26 16:05 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-11-26 16:05 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-11-26 16:05 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-11-26 16:05 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-11-19 15:29 - 2014-11-11 03:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-19 15:29 - 2014-11-11 03:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-18 12:40 - 2014-11-18 12:40 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieBrowserModeList
2014-11-12 17:25 - 2014-11-12 17:57 - 00030720 _____ () C:\Users\Diana\Desktop\Medikamentenprüfprotokoll November 2014.xls
2014-11-12 11:50 - 2014-10-18 02:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 11:49 - 2014-11-07 20:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-12 11:49 - 2014-11-06 04:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-12 11:49 - 2014-11-06 04:28 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-12 11:49 - 2014-11-06 04:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-12 11:49 - 2014-11-06 04:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-12 11:49 - 2014-11-06 04:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-12 11:49 - 2014-11-06 04:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-12 11:49 - 2014-11-06 04:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-12 11:49 - 2014-11-06 04:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-12 11:49 - 2014-11-06 04:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-12 11:49 - 2014-11-06 04:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-12 11:49 - 2014-11-06 04:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-12 11:49 - 2014-11-06 03:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-12 11:49 - 2014-11-06 03:59 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-12 11:49 - 2014-11-06 03:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-12 11:49 - 2014-11-06 03:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-12 11:49 - 2014-11-06 03:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-12 11:49 - 2014-11-06 03:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-12 11:49 - 2014-11-06 03:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-12 11:49 - 2014-11-06 03:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-12 11:49 - 2014-11-06 03:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-12 11:49 - 2014-11-06 03:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-12 11:49 - 2014-11-06 03:22 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-12 11:49 - 2014-11-06 03:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-12 11:49 - 2014-11-06 03:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-12 11:49 - 2014-11-06 03:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-12 11:49 - 2014-11-06 03:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-12 11:49 - 2014-11-06 02:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-12 11:49 - 2014-11-06 02:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-12 11:49 - 2014-11-06 02:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-12 11:49 - 2014-11-05 18:50 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-12 11:49 - 2014-11-05 18:50 - 00203776 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-12 11:49 - 2014-11-05 18:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-12 11:49 - 2014-10-25 02:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 11:49 - 2014-10-14 02:56 - 00136632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-12 11:49 - 2014-10-14 02:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-12 11:49 - 2014-10-14 02:50 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 11:49 - 2014-10-14 02:50 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 11:49 - 2014-10-14 02:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 11:49 - 2014-10-14 02:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 11:49 - 2014-10-10 01:45 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-12 11:49 - 2014-10-03 02:44 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 11:49 - 2014-10-03 02:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 11:49 - 2014-10-03 02:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 11:49 - 2014-10-03 02:44 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 11:49 - 2014-10-03 02:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-12 11:49 - 2014-09-19 10:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-12 11:49 - 2014-09-19 10:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-12 11:49 - 2014-09-19 10:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-12 11:49 - 2014-09-19 10:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-12 11:49 - 2014-09-19 10:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-12 11:49 - 2014-09-19 10:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-12 11:49 - 2014-08-21 07:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 11:49 - 2014-08-21 07:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-12 11:49 - 2014-08-12 02:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-05 19:56 - 2009-07-14 05:34 - 00028944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-05 19:56 - 2009-07-14 05:34 - 00028944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-05 19:52 - 2013-09-21 20:43 - 01960915 _____ () C:\Windows\WindowsUpdate.log
2014-12-05 19:50 - 2009-07-14 05:39 - 00054774 _____ () C:\Windows\setupact.log
2014-12-05 19:49 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-05 19:06 - 2013-10-30 19:59 - 00000000 ____D () C:\Program Files\tierarztpraxis
2014-12-05 18:39 - 1980-01-03 23:56 - 00000000 ____D () C:\ProgramData\ELORD.200
2014-12-04 20:09 - 1980-01-03 23:16 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Mozilla
2014-12-04 19:38 - 2010-11-20 22:01 - 01618320 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-04 19:17 - 2010-11-20 22:48 - 00087428 _____ () C:\Windows\PFRO.log
2014-12-04 19:08 - 2009-07-14 03:04 - 00000215 _____ () C:\Windows\system.ini
2014-12-01 12:50 - 2014-08-28 07:27 - 00000000 ____D () C:\Users\Diana\Desktop\Informationsblätter Kastration
2014-12-01 12:43 - 2013-11-26 19:41 - 00000000 ____D () C:\Users\Diana\Desktop\Scans
2014-11-28 17:23 - 2013-09-21 18:17 - 00000000 ____D () C:\Users\Administrator
2014-11-26 18:20 - 1980-01-03 23:45 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-26 16:47 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\TAPI
2014-11-26 16:25 - 2013-09-21 18:19 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-11-26 16:23 - 2009-07-14 05:46 - 00001515 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-11-26 16:15 - 2009-07-14 03:37 - 00000000 ___RD () C:\Users\Public
2014-11-18 13:01 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-18 12:56 - 2013-09-21 18:48 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-11-12 15:24 - 2009-07-14 05:33 - 00435136 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 15:22 - 2014-05-07 18:58 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-12 15:22 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\de-DE
2014-11-12 15:04 - 2013-09-21 18:31 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-12 15:01 - 2013-09-21 18:31 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-12-05 10:59

==================== End Of Log ============================

Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-12-2014
Ran by Administrator at 2014-12-05 20:29:49
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee VirusScan Enterprise (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee VirusScan Enterprise Antispyware Module (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Reader XI (11.0.09) - Deutsch (HKLM\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Brother MFL-Pro Suite MFC-7420 (HKLM\...\{C2530D63-B66B-48B5-BB50-7C6281FE7AA6}) (Version: 1.0.1.0 - Brother Industries, Ltd.)
IBM Object REXX for Windows Runtime Version 2.1.3.0 (HKLM\...\{209363AB-C4EA-4A16-926F-5228D4DA81CC}) (Version: 2.1.3.0 - )
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
McAfee Agent (HKLM\...\{D107EA80-023A-443C-AA79-1C4B0CB2E227}) (Version: 4.6.0.2988 - McAfee, Inc.)
McAfee VirusScan Enterprise (HKLM\...\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}) (Version: 8.8.02004 - McAfee, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 - de-de (HKLM\...\ProPlusRetail - de-de) (Version: 15.0.4667.1002 - Microsoft Corporation)
Mouse Suite (HKLM\...\MouseSuite98) (Version:  - )
Mozilla Firefox 33.1.1 (x86 de) (HKLM\...\Mozilla Firefox 33.1.1 (x86 de)) (Version: 33.1.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Office 15 Click-to-Run Extensibility Component (Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
TreeSize Professional 5.2.3 (HKLM\...\TreeSize Professional_is1) (Version:  - JAM Software)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

04-12-2014 18:39:37 McAfee VirusScan Enterprise wurde installiert.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:04 - 2014-11-26 16:13 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {510A6E99-B4BF-4A50-888B-123DBB2635D7} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX86\OfficeC2RClient.exe [2014-10-07] (Microsoft Corporation)
Task: {56789CE3-8F75-4910-B226-D92B2D397917} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-07] (Microsoft Corporation)
Task: {634059F3-87ED-4E86-90B3-9D6096E300A3} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-07] (Microsoft Corporation)
Task: {BB1D0AC7-424F-4A52-B351-DD6E55CF080B} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Loaded Modules (whitelisted) =============

2014-03-24 17:52 - 2014-05-20 03:11 - 00080040 _____ () C:\Program Files\Microsoft Office 15\ClientX86\ApiClient.dll
2007-04-18 20:30 - 2007-04-18 20:30 - 00393216 _____ () C:\Program Files\McAfee\Common Framework\cryptocme2.dll
2007-04-18 20:30 - 2007-04-18 20:30 - 00471040 _____ () C:\Program Files\McAfee\Common Framework\ccme_base.dll
2012-08-14 20:08 - 2012-08-14 20:08 - 00150328 _____ () C:\Program Files\McAfee\VirusScan Enterprise\WscAv.dll
2013-10-29 22:28 - 2009-02-27 16:38 - 00139264 ____R () C:\Program Files\Brother\BrUtilities\BrLogAPI.dll
2013-10-30 20:30 - 2003-11-06 15:51 - 00020480 _____ () C:\Windows\System32\FSRremoS.EXE

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-750750560-3555848559-3144871155-500 - Administrator - Enabled) => C:\Users\Administrator
Diana (S-1-5-21-750750560-3555848559-3144871155-1000 - Limited - Enabled) => C:\Users\Diana
Gast (S-1-5-21-750750560-3555848559-3144871155-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: PS/2-kompatible Maus
Description: PS/2-kompatible Maus
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standardtastatur (PS/2)
Description: Standardtastatur (PS/2)
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standardtastaturen)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (12/05/2014 07:51:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/05/2014 03:45:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/05/2014 00:26:19 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
Description: STI BrtSTI: [2014/12/05 12:26:19.687]: [00000744]: CUsbScnDev: DeviceIoControl() failed. ErrorCode = 5

Error: (12/05/2014 10:36:16 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/04/2014 09:09:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/04/2014 09:04:26 PM) (Source: McLogEvent) (EventID: 259) (User: Diana-PC)
Description: Der Scan hat Entdeckungen gefunden. Scan-Modul der Version 5600.1067 DAT-Version 7642.

Error: (12/04/2014 08:31:32 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
Description: CTLCN BrtCTLCN: [2014/12/04 20:31:32.979]: [00002764]: brccMCtl.exe: ErrorMessage.cpp (0241) : -------- error code is [0x00030018].

Error: (12/04/2014 08:25:05 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
Description: CTLCN BrtCTLCN: [2014/12/04 20:25:05.181]: [00002764]: brccMCtl.exe: ErrorMessage.cpp (0241) : -------- error code is [0x00030018].

Error: (12/04/2014 08:24:28 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
Description: WIA BrtWIA: [2014/12/04 20:24:28.680]: [00000392]: Releasing IDrvItemRoot interface

Error: (12/04/2014 08:24:28 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
Description: WIA BrtWIA: [2014/12/04 20:24:28.680]: [00000392]: Unlinking WIA item tree

System errors:
=============
Error: (12/05/2014 00:26:19 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (12/04/2014 07:35:16 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Adobe Acrobat Update Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (12/04/2014 07:19:52 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Adobe Acrobat Update Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (12/04/2014 07:08:56 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Der Dienst "PEVSystemStart" ist als interaktiver Dienst gekennzeichnet. Das System wurde jedoch so konfiguriert, dass interaktive Dienste nicht möglich sind. Der Dienst wird möglicherweise nicht richtig funktionieren.

Error: (12/04/2014 07:05:54 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Der Dienst "PEVSystemStart" ist als interaktiver Dienst gekennzeichnet. Das System wurde jedoch so konfiguriert, dass interaktive Dienste nicht möglich sind. Der Dienst wird möglicherweise nicht richtig funktionieren.

Error: (12/04/2014 07:03:13 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: Der Dienst "PEVSystemStart" ist als interaktiver Dienst gekennzeichnet. Das System wurde jedoch so konfiguriert, dass interaktive Dienste nicht möglich sind. Der Dienst wird möglicherweise nicht richtig funktionieren.

Error: (12/04/2014 04:17:47 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst ShellHWDetection erreicht.

Error: (12/04/2014 04:02:43 PM) (Source: volsnap) (EventID: 36) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (12/01/2014 00:31:33 PM) (Source: volsnap) (EventID: 36) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (11/26/2014 05:30:30 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Adobe Acrobat Update Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Microsoft Office Sessions:
=========================
Error: (12/05/2014 07:51:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/05/2014 03:45:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/05/2014 00:26:19 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
Description: STIBrtSTI: [2014/12/05 12:26:19.687]: [00000744]: CUsbScnDev: DeviceIoControl() failed.
ErrorCode = 5 Error: (12/05/2014 10:36:16 AM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (12/04/2014 09:09:58 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (12/04/2014 09:04:26 PM) (Source: McLogEvent) (EventID: 259) (User: Diana-PC) Description: Der Scan hat Entdeckungen gefunden. Scan-Modul der Version 5600.1067 DAT-Version 7642. Error: (12/04/2014 08:31:32 PM) (Source: Brother BrLog) (EventID: 1001) (User: ) Description: CTLCNBrtCTLCN: [2014/12/04 20:31:32.979]: [00002764]: brccMCtl.exe: ErrorMessage.cpp (0241) : -------- error code is [0x00030018]. Error: (12/04/2014 08:25:05 PM) (Source: Brother BrLog) (EventID: 1001) (User: ) Description: CTLCNBrtCTLCN: [2014/12/04 20:25:05.181]: [00002764]: brccMCtl.exe: ErrorMessage.cpp (0241) : -------- error code is [0x00030018]. 
Error: (12/04/2014 08:24:28 PM) (Source: Brother BrLog) (EventID: 1001) (User: ) Description: WIABrtWIA: [2014/12/04 20:24:28.680]: [00000392]: Releasing IDrvItemRoot interface Error: (12/04/2014 08:24:28 PM) (Source: Brother BrLog) (EventID: 1001) (User: ) Description: WIABrtWIA: [2014/12/04 20:24:28.680]: [00000392]: Unlinking WIA item tree ==================== Memory info =========================== Processor: Intel(R) Pentium(R) D CPU 3.40GHz Percentage of memory in use: 26% Total physical RAM: 3319.32 MB Available physical RAM: 2433.5 MB Total Pagefile: 6636.94 MB Available Pagefile: 5753.32 MB Total Virtual: 2047.88 MB Available Virtual: 1936.07 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:21.96 GB) (Free:1.19 GB) NTFS ==>[Drive with boot components (obtained from BCD)] Drive e: (DATA) (Fixed) (Total:15.31 GB) (Free:6.35 GB) NTFS Drive f: (BOOT) (Removable) (Total:7.52 GB) (Free:3.49 GB) FAT32 ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 37.3 GB) (Disk ID: AF67AF67) Partition 1: (Active) - (Size=22 GB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=15.3 GB) - (Type=05) ======================================================== Disk: 1 (Size: 7.5 GB) (Disk ID: 00077EFE) Partition 1: (Active) - (Size=7.5 GB) - (Type=0B) ==================== End Of Log ============================ Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-12-05 21:01:51
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Maxtor_6N040T0 rev.NAN51680 37,27GB
Running: Gmer-19357.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\ugloapog.sys


---- System - GMER 2.1 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8BC714C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8BC714F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8BC714DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8BC714B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwYieldExecution 82E43C55 5 Bytes JMP 8BC714B8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E55A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E8F212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!NtMapViewOfSection 8305F601 7 Bytes JMP 8BC714CC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 83073DAA 5 Bytes JMP 8BC714F6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8307D9CA 5 Bytes JMP 8BC714E2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\services.exe[528] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 0020000A
.text C:\Windows\system32\services.exe[528] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 00200025
.text C:\Windows\system32\services.exe[528] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 00200FEF
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 00180F40
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 001800BD
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 00180F1E
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00180011
.text C:\Windows\system32\services.exe[528] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 0018004E
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 0018003D
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 00180F80
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 001800D8
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 00180022
.text C:\Windows\system32\services.exe[528] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 0018008E
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 00180FDB
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 00180000
.text C:\Windows\system32\services.exe[528] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 00180F9B
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 00180F5B
.text C:\Windows\system32\services.exe[528] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00180FCA
.text C:\Windows\system32\services.exe[528] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 00180F2F
.text C:\Windows\system32\services.exe[528] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 00180069
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_open 76847E48 5 Bytes JMP 0022000C
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 00220FCA
.text C:\Windows\system32\services.exe[528] msvcrt.dll!system 7687B177 5 Bytes JMP 00220FE5
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00220044
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00220055
.text C:\Windows\system32\services.exe[528] msvcrt.dll!_wopen 76880578 5 Bytes JMP 00220029
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 00230000
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00230FC3
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00230054
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00230FA8
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00230FE5
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 00230F97
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 00230FD4
.text C:\Windows\system32\services.exe[528] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 0023001B
.text C:\Windows\system32\services.exe[528] WS2_32.dll!socket 75273EB8 5 Bytes JMP 00210FEF
.text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 00160000
.text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 00160FDB
.text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 0016001B
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 0015005B
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 00150EF2
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 00150091
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00150FAF
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 00150F68
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 0015002C
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 00150F79
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 00150EE1
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 0015001B
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 00150076
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 0015000A
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 00150FEF
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 00150F8A
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 00150F32
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00150FD4
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 00150F17
.text C:\Windows\system32\lsass.exe[540] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 00150F4D
.text C:\Windows\system32\lsass.exe[540] msvcrt.dll!_open 76847E48 5 Bytes JMP 00180FEF
.text C:\Windows\system32\lsass.exe[540] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 00180FA8
.text C:\Windows\system32\lsass.exe[540] msvcrt.dll!system 7687B177 5 Bytes JMP 00180FB9
.text C:\Windows\system32\lsass.exe[540] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00180029
.text C:\Windows\system32\lsass.exe[540] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00180FD4
.text C:\Windows\system32\lsass.exe[540] msvcrt.dll!_wopen 76880578 5 Bytes JMP 0018000C
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 00370FEF
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00370025
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00370036
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00370F94
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00370014
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 00370047
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 00370FB9
.text C:\Windows\system32\lsass.exe[540] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00370FDE
.text C:\Windows\system32\lsass.exe[540] WS2_32.dll!socket 75273EB8 5 Bytes JMP 00170FEF
.text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 00340000
.text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 0034001B
.text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 00330073
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 003300CB
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 003300B0
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00330FB9
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 00330051
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 00330036
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 00330F79
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 00330F11
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 00330025
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 0033008E
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 00330FEF
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 00330F9E
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreatePipe 7605135E 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 00330062
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00330FD4
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 0033009F
.text C:\Windows\system32\svchost.exe[648] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 00330F5E
.text C:\Windows\system32\svchost.exe[648] msvcrt.dll!_open 76847E48 5 Bytes JMP 003F0FEF
.text C:\Windows\system32\svchost.exe[648] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 003F0FA3
.text C:\Windows\system32\svchost.exe[648] msvcrt.dll!system 7687B177 5 Bytes JMP 003F0FBE
.text C:\Windows\system32\svchost.exe[648] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 003F001D
.text C:\Windows\system32\svchost.exe[648] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 003F002E
.text C:\Windows\system32\svchost.exe[648] msvcrt.dll!_wopen 76880578 5 Bytes JMP 003F0000
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 0040000A
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00400FC3
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00400054
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00400FA8
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00400FEF
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 0040006F
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 0040002F
.text C:\Windows\system32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00400FDE
.text C:\Windows\system32\svchost.exe[648] WS2_32.dll!socket 75273EB8 5 Bytes JMP 003A0000
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 003E0000
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 003E0025
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 003E0FEF
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 00170F57
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 001700B9
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 00170F1A
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00170FC3
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 00170F86
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 00170FA8
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 00170F97
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 00170F09
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 00170039
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 00170F46
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 00170FE5
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 0017004A
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 0017008A
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00170FD4
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 00170F2B
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 00170079
.text C:\Windows\system32\svchost.exe[724] msvcrt.dll!_open 76847E48 5 Bytes JMP 00400FEF
.text C:\Windows\system32\svchost.exe[724] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 00400F75
.text C:\Windows\system32\svchost.exe[724] msvcrt.dll!system 7687B177 5 Bytes JMP 00400F90
.text C:\Windows\system32\svchost.exe[724] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00400FC6
.text C:\Windows\system32\svchost.exe[724] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00400FAB
.text C:\Windows\system32\svchost.exe[724] msvcrt.dll!_wopen 76880578 5 Bytes JMP 00400000
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 0042000A
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 0042003D
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00420FB6
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00420058
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 0042001B
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 0042007D
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 0042002C
.text C:\Windows\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00420FE5
.text C:\Windows\system32\svchost.exe[724] WS2_32.dll!socket 75273EB8 5 Bytes JMP 003F0000
.text C:\Windows\System32\svchost.exe[788] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 005D0FE5
.text C:\Windows\System32\svchost.exe[788] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 005D0011
.text C:\Windows\System32\svchost.exe[788] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 005D0000
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 005C0F6F
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 005C00D8
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 005C0F39
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 005C002C
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 005C007D
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 005C0FB6
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 005C0FA5
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 005C00E9
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 005C003D
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 005C00B3
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 005C0FDB
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 005C0000
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 005C004E
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 005C0F8A
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 005C0011
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 005C0F4A
.text C:\Windows\System32\svchost.exe[788] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 005C0098
.text C:\Windows\System32\svchost.exe[788] msvcrt.dll!_open 76847E48 5 Bytes JMP 005F0FE3
.text C:\Windows\System32\svchost.exe[788] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 005F0036
.text C:\Windows\System32\svchost.exe[788] msvcrt.dll!system 7687B177 5 Bytes JMP 005F0FA1
.text C:\Windows\System32\svchost.exe[788] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 005F0FC6
.text C:\Windows\System32\svchost.exe[788] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 005F0011
.text C:\Windows\System32\svchost.exe[788] msvcrt.dll!_wopen 76880578 5 Bytes JMP 005F0000
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 00AB0FEF
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00AB0FC3
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00AB0FA8
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00AB004A
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00AB0FD4
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 00AB0065
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 00AB002F
.text C:\Windows\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00AB0014
.text C:\Windows\System32\svchost.exe[788] WS2_32.dll!socket 75273EB8 5 Bytes JMP 005E0FEF
.text C:\Windows\System32\svchost.exe[852] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 003A0000
.text C:\Windows\System32\svchost.exe[852] ntdll.dll!NtCreateProcess 76F756D8 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[852] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 003A002C
.text C:\Windows\System32\svchost.exe[852] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 003A001B
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 00390F7D
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 00390F5B
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 003900F0
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00390022
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 00390095
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 00390073
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 00390084
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 00390115
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 0039003D
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 00390F6C
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 00390011
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 00390000
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 0039004E
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 00390F98
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00390FDB
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 003900D5
.text C:\Windows\System32\svchost.exe[852] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 003900A6
.text C:\Windows\System32\svchost.exe[852] msvcrt.dll!_open 76847E48 5 Bytes JMP 00400FE3
.text C:\Windows\System32\svchost.exe[852] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 00400027
.text C:\Windows\System32\svchost.exe[852] msvcrt.dll!system 7687B177 5 Bytes JMP 00400F9C
.text C:\Windows\System32\svchost.exe[852] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00400016
.text C:\Windows\System32\svchost.exe[852] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00400FB7
.text C:\Windows\System32\svchost.exe[852] msvcrt.dll!_wopen 76880578 5 Bytes JMP 00400FD2
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 003F0000
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 003F0FD4
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 003F0FB9
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 003F005B
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 003F001B
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 003F0FA8
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 003F0036
.text C:\Windows\System32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 003F0FE5
.text C:\Windows\System32\svchost.exe[852] WS2_32.dll!socket 75273EB8 5 Bytes JMP 003B0FEF
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 00700000
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 00700FD4
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 00700FE5
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 005F0F68
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 005F00EC
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 005F00C7
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 005F0025
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 005F0F83
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 005F004A
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 005F005B
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 005F00FD
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 005F0FB9
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 005F00AC
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 005F0FCA
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 005F0FE5
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 005F0FA8
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 005F0091
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 005F000A
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 005F0F4D
.text C:\Windows\system32\svchost.exe[876] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 005F0076
.text C:\Windows\system32\svchost.exe[876] msvcrt.dll!_open 76847E48 5 Bytes JMP 007B0000
.text C:\Windows\system32\svchost.exe[876] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 007B0FA6
.text C:\Windows\system32\svchost.exe[876] msvcrt.dll!system 7687B177 5 Bytes JMP 007B0FB7
.text C:\Windows\system32\svchost.exe[876] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 007B0FE3
.text C:\Windows\system32\svchost.exe[876] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 007B0FD2
.text C:\Windows\system32\svchost.exe[876] msvcrt.dll!_wopen 76880578 5 Bytes JMP 007B0011
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 0071000A
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00710FAF
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00710036
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00710F94
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00710FEF
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 00710F79
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 0071001B
.text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00710FD4
.text C:\Windows\system32\svchost.exe[876] WS2_32.dll!socket 75273EB8 5 Bytes JMP 007A000A
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 00B90FEF
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 00B9000A
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 00B90FD4
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 007A0F80
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 007A0F14
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 007A0F2F
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 007A0047
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 007A0F9B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 007A006C
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 007A007D
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 007A0F03
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 007A0FE5
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 007A0F5B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 007A001B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 007A0000
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 007A0FCA
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 007A00A9
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 007A002C
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 007A0F40
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 007A0098
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_open 76847E48 5 Bytes JMP 00830FEF
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 00830F7F
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!system 7687B177 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00830FAB
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 76880396 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00830F9A
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wopen 76880578 5 Bytes JMP 00830FC6
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 00BA0FEF
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00BA0025
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00BA0040
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00BA0FA8
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00BA000A
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 00BA005B
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 00BA0FB9
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00BA0FD4
.text C:\Windows\system32\svchost.exe[904] WS2_32.dll!socket 75273EB8 5 Bytes JMP 00750000
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 01610000
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 01610FE5
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 01610011
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 015F006F
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 015F009B
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 015F0F06
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 015F0FA8
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 015F0F4D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 015F0025
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 015F0F68
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 015F00AC
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 015F0F8D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 015F0080
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 015F0FD4
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 015F0FEF
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 015F0014
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 015F004A
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 015F0FC3
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 015F0F17
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 76080269 5
Bytes JMP 015F0F3C .text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_open 76847E48 5 Bytes JMP 01600FEF .text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 01600FAD .text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!system 7687B177 5 Bytes JMP 01600FC8 .text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 0160001D .text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 0160002E .text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wopen 76880578 5 Bytes JMP 0160000C .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 0162000A .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 01620FDE .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 01620065 .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 01620FC3 .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 01620025 .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 01620F9E .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 01620FEF .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 01620040 .text C:\Windows\system32\svchost.exe[1072] WS2_32.dll!socket 75273EB8 5 Bytes JMP 015A000A .text C:\Windows\system32\svchost.exe[1232] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 00A20FEF .text C:\Windows\system32\svchost.exe[1232] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 00A2000A .text C:\Windows\system32\svchost.exe[1232] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 00A20FDE .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 006F00BA .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 006F0F43 .text 
C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 006F0F54 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 006F0FCA .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 006F007D .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 006F0051 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 006F006C .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 006F00F3 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 006F0036 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 006F0F80 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 006F0FEF .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 006F0000 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 006F0FB9 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 006F00A9 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 006F0025 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 006F0F65 .text C:\Windows\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 006F0098 .text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_open 76847E48 5 Bytes JMP 00700000 .text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 0070004E .text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!system 7687B177 5 Bytes JMP 00700FC3 .text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00700022 .text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00700033 .text 
C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_wopen 76880578 5 Bytes JMP 00700011 .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 00A30000 .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 00A3002F .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 00A30FA8 .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 00A30040 .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 00A30FEF .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 00A30F97 .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 00A30FB9 .text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 00A30FD4 .text C:\Windows\system32\svchost.exe[1232] WS2_32.dll!socket 75273EB8 5 Bytes JMP 00660000 .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 002C000A .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 002C0FDE .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 002C0FEF .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 00160F4D .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 00160EF5 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 00160F1A .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00160022 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 00160F79 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 00160FAF .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 
00160F94 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 001600A5 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 00160FC0 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 00160F3C .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 00160000 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 00160FEF .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 00160051 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 00160080 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00160011 .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 00160F2B .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 00160F68 .text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_open 76847E48 5 Bytes JMP 00270FEF .text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 00270F7F .text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!system 7687B177 5 Bytes JMP 00270F90 .text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 00270FB5 .text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 00270000 .text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wopen 76880578 5 Bytes JMP 00270FD2 .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 002D0FEF .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 002D0F9E .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 002D0036 .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 002D0025 .text 
C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 002D0FDE .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 002D0F83 .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 002D0FB9 .text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 002D0014 .text C:\Windows\Explorer.EXE[3512] ntdll.dll!NtCreateFile 76F75608 5 Bytes JMP 00040FEF .text C:\Windows\Explorer.EXE[3512] ntdll.dll!NtCreateProcess 76F756D8 5 Bytes JMP 0004000A .text C:\Windows\Explorer.EXE[3512] ntdll.dll!NtProtectVirtualMemory 76F75F58 5 Bytes JMP 00040FD4 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!GetStartupInfoA 75FF1E10 5 Bytes JMP 00010084 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!CreateProcessW 75FF204D 5 Bytes JMP 000100D2 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!CreateProcessA 75FF2082 5 Bytes JMP 000100C1 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!CreateNamedPipeW 76022E67 5 Bytes JMP 00010022 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!VirtualProtect 76032CDD 5 Bytes JMP 00010055 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!LoadLibraryExA 76034576 5 Bytes JMP 00010044 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!LoadLibraryExW 76035189 5 Bytes JMP 00010F87 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!GetProcAddress 7603CD44 5 Bytes JMP 00010F2C .text C:\Windows\Explorer.EXE[3512] kernel32.dll!LoadLibraryA 7603DD15 5 Bytes JMP 00010FAC .text C:\Windows\Explorer.EXE[3512] kernel32.dll!GetStartupInfoW 7603E38D 5 Bytes JMP 00010095 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!CreateFileW 7603E955 5 Bytes JMP 00010000 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!CreateFileA 7603EB11 5 Bytes JMP 00010FEF .text C:\Windows\Explorer.EXE[3512] kernel32.dll!LoadLibraryW 7603EFF2 5 Bytes JMP 00010033 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!CreatePipe 7605135E 5 Bytes JMP 00010F51 .text 
C:\Windows\Explorer.EXE[3512] kernel32.dll!CreateNamedPipeA 7607E038 5 Bytes JMP 00010011 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!WinExec 7607F22E 5 Bytes JMP 000100A6 .text C:\Windows\Explorer.EXE[3512] kernel32.dll!VirtualProtectEx 76080269 5 Bytes JMP 00010F6C .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegOpenKeyA 770CCBB5 5 Bytes JMP 000E0000 .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegCreateKeyA 770CCCA1 5 Bytes JMP 000E0FEF .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegCreateKeyExA 770D13E9 5 Bytes JMP 000E009B .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegCreateKeyW 770D1494 5 Bytes JMP 000E0080 .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegOpenKeyW 770D23D9 5 Bytes JMP 000E001B .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegCreateKeyExW 770D407E 5 Bytes JMP 000E00B6 .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegOpenKeyExW 770D460D 5 Bytes JMP 000E0051 .text C:\Windows\Explorer.EXE[3512] ADVAPI32.dll!RegOpenKeyExA 770D4887 5 Bytes JMP 000E0036 .text C:\Windows\Explorer.EXE[3512] msvcrt.dll!_open 76847E48 5 Bytes JMP 000F0000 .text C:\Windows\Explorer.EXE[3512] msvcrt.dll!_wsystem 7687B057 5 Bytes JMP 000F006B .text C:\Windows\Explorer.EXE[3512] msvcrt.dll!system 7687B177 5 Bytes JMP 000F005A .text C:\Windows\Explorer.EXE[3512] msvcrt.dll!_creat 7687ED31 5 Bytes JMP 000F002E .text C:\Windows\Explorer.EXE[3512] msvcrt.dll!_wcreat 76880396 5 Bytes JMP 000F0049 .text C:\Windows\Explorer.EXE[3512] msvcrt.dll!_wopen 76880578 5 Bytes JMP 000F001D .text C:\Windows\Explorer.EXE[3512] WININET.dll!InternetOpenA 761B34F0 5 Bytes JMP 024E0FEF .text C:\Windows\Explorer.EXE[3512] WININET.dll!InternetOpenW 761B3A80 5 Bytes JMP 024E0FD4 .text C:\Windows\Explorer.EXE[3512] WININET.dll!InternetOpenUrlA 76269610 5 Bytes JMP 024E000A .text C:\Windows\Explorer.EXE[3512] WININET.dll!InternetOpenUrlW 7626A0D0 5 Bytes JMP 024E001B .text C:\Windows\Explorer.EXE[3512] WS2_32.dll!socket 75273EB8 5 Bytes JMP 03390000 ---- Devices - 
GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@23BEA621 469 ---- EOF - GMER 2.1 ---- |
05.12.2014, 22:08 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Hello and
Do you have any other logs (with findings)? Malwarebytes and/or other virus scanners, did they ever find anything? I'm asking because of this => http://www.trojaner-board.de/125889-...tml#post941520
Please do not run any new virus scans; first post only the logs you already have, in CODE tags! Only logs from the last 7 days, or from since the problem began, are relevant!
Reading material: Posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder. Even if the logs should be too large for one post, I ask you to post the logs directly, spread over several posts if necessary. To put the log files into a CODE box, proceed as follows: |
05.12.2014, 22:58 | #3 |
| Attached are further log files:
- Complete VirusScan from yesterday; the following file was removed there (pylahflk.exe.vir Generic-FAVO!FA2F4D553195 (Trojanisches Pferd))
- current mbam log
I already ran Mbam a few days ago. Some files were found and removed (I just don't remember which ones). Since I had removed the files and folders (VirusScan log) ... I thought it was over. However, I myself received the greeting-card mail today, and at a time when the PCs were definitely not online. A second PC is on the network, but I know that no suspicious mail was opened there. Both were switched off until about 10:00 --> arrival of the mail in my inbox: 00:15
VirusScan: Code:
04.12.2014 20:04:04 Modulversion = 5600.1067
04.12.2014 20:04:04 AntiVirus-DAT-Version = 7642.0
04.12.2014 20:04:04 Anzahl an Entdeckungssignaturen in EXTRA.DAT= Kein
04.12.2014 20:04:04 Namen der Entdeckungssignaturen in EXTRA.DAT= Kein
04.12.2014 20:04:04 Scanvorgang wurde gestartet Diana-PC\Administrator Vollständiger Scan
04.12.2014 20:30:00 Nicht gescannt (Die Datei ist verschlüsselt) c:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vmsdwcoq.default\cache2\entries\3A97AAB334F1F9FE5B575784143DE3C052DDE13D
04.12.2014 20:30:31 Nicht gescannt (Die Datei ist verschlüsselt) c:\Users\Administrator\Lokale Einstellungen\Mozilla\Firefox\Profiles\vmsdwcoq.default\cache2\entries\3A97AAB334F1F9FE5B575784143DE3C052DDE13D
04.12.2014 20:46:44 Gelöscht Administrator ODS(Vollständiger Scan) c:\Qoobox\Quarantine\C\Users\Diana\AppData\Roaming\Identities\pylahflk.exe.vir Generic-FAVO!FA2F4D553195 (Trojanisches Pferd)
04.12.2014 21:03:37 Nicht gescannt (Die Datei ist verschlüsselt) c:\Documents and Settings\Administrator\Lokale Einstellungen\Mozilla\Firefox\Profiles\vmsdwcoq.default\cache2\entries\3A97AAB334F1F9FE5B575784143DE3C052DDE13D
04.12.2014 21:03:38 Nicht gescannt (Die Datei ist verschlüsselt) c:\Documents and Settings\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vmsdwcoq.default\cache2\entries\3A97AAB334F1F9FE5B575784143DE3C052DDE13D
04.12.2014 21:03:56 Nicht gescannt (Die Datei ist verschlüsselt) c:\Dokumente und Einstellungen\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vmsdwcoq.default\cache2\entries\3A97AAB334F1F9FE5B575784143DE3C052DDE13D
04.12.2014 21:04:01 Nicht gescannt (Die Datei ist verschlüsselt) c:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Mozilla\Firefox\Profiles\vmsdwcoq.default\cache2\entries\3A97AAB334F1F9FE5B575784143DE3C052DDE13D
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Scan-Zusammenfassung
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gescannte Prozesse: 52
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Entdeckte Prozesse: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gesäuberte Prozesse: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gescannte Boot-Sektoren: 2
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Entdeckte Boot-Sektoren: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gesäuberte Boot-Sektoren: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gescannte Dateien: 116886
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Dateien mit Entdeckungen: 1
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator DateiEntdeckungen: 1
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gesäuberte Dateien: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gelöschte Dateien: 1
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Nicht gescannte Dateien: 131
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Scan-Zusammenfassung (Scannen der Registrierung)
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gescannte Schlüssel: 93718
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Entdeckte Schlüssel: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gesäuberte Schlüssel: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gelöschte Schlüssel : 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Scan-Zusammenfassung (Scannen von Cookies)
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gescannte Cookies: 554
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Entdeckte Cookies: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gesäuberte Cookies: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Gelöschte Cookies: 0
04.12.2014 21:04:26 Scan-Zusammenfassung Diana-PC\Administrator Laufzeit: 1:00:23
04.12.2014 21:04:26 Scanvorgang wurde beendet Diana-PC\Administrator Vollständiger Scan
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 05.12.2014
Suchlauf-Zeit: 22:20:49
Logdatei: mm.txt
Administrator: Ja

Version: 2.00.4.1028
Malware Datenbank: v2014.12.05.11
Rootkit Datenbank: v2014.12.03.01
Lizenz: Testversion
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x86
Dateisystem: NTFS
Benutzer: Administrator

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 341792
Verstrichene Zeit: 17 Min, 10 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0 (Keine schädliche Elemente erkannt)
Module: 0 (Keine schädliche Elemente erkannt)
Registrierungsschlüssel: 0 (Keine schädliche Elemente erkannt)
Registrierungswerte: 0 (Keine schädliche Elemente erkannt)
Registrierungsdaten: 0 (Keine schädliche Elemente erkannt)
Ordner: 0 (Keine schädliche Elemente erkannt)
Dateien: 0 (Keine schädliche Elemente erkannt)
Physische Sektoren: 0 (Keine schädliche Elemente erkannt)

(end)
Last edited by h0nk (05.12.2014, 23:03). Reason: added further information |
05.12.2014, 23:32 | #4 | |
/// Winkelfunktion /// TB-Süch-Tiger™ |
What about the other Malwarebytes logs? Or did MBAM never find anything?
Please always post logfiles in CODE tags |
06.12.2014, 09:20 | #5 |
| I ran ComboFix myself. Unfortunately I no longer have any logs for it... (I deleted the folder, and restoring it has not worked now). Malwarebytes found and removed quite a few things -> but afterwards I uninstalled the software again, and that is why I have no old log files for it either. Hm, those were not my best moments. |
06.12.2014, 15:38 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | The log is normally located directly on C |
06.12.2014, 19:38 | #7 |
| I have now spent quite some time trying to restore the log file. Unfortunately without success; both files are no longer usable. I have attached one of them, as there is still something readable in it. What now? |
07.12.2014, 00:27 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Reading material: Posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder. Even if the logs should be too large for one post, I ask you to post the logs directly, spread over several posts if necessary. To put the log files into a CODE box, proceed as follows: |
07.12.2014, 11:00 | #9 |
| Log file: ... what could still be salvaged. Code:
07.12.2014, 20:25 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | That doesn't help at all... please make a new log with CF: Scan with ComboFix |