Bank website wanted 20 TANs, bank says trojan (Windows 7)
15.07.2010, 18:33 | #1

Hello everyone,

as the title already says, my online banking additionally wanted me to enter about 20 TAN numbers. I immediately called the bank; they blocked my access and told me that I have a trojan.

First, as described here, I ran CCleaner, then a quick scan with Malwarebytes Anti-Malware (no findings) and then RSIT. Before/during that I had also started the ESET online scanner and unfortunately aborted it by accident. There I had 3 infected files. The name was, I think, Win32/Trojan.NAZ or something like that... and below it said something with Java/Trojan? ..... It apparently deleted it, since the scanner on the 2nd pass (still running) has found nothing so far and is already searching the next drive.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4316
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15.07.2010 18:21:52
mbam-log-2010-07-15 (18-21-52).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 132963
Laufzeit: 2 Minute(n), 49 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

RSIT Logfile:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Chris at 2010-07-15 19:17:50
Microsoft Windows 7 Ultimate
System drive C: has 8 GB (13%) free of 62 GB
Total RAM: 3327 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:18:05, on 15.07.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe
C:\Program Files\Common Files\Acronis\TrueImageHome\TrueImageHomeNotify.exe
C:\Program Files\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Chris.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100711101300.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [AVMUSBFernanschluss] C:\Users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\AVMAutoStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: PS3 Media Server.lnk = C:\Program Files\PS3 Media Server\PMS.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: hxxp://*.mcafee.com
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall-Dienst (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PS3 Media Server - Unknown owner - C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 9177 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100711101300.dll [2010-05-31 73288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\progra~1\mcafee\sitead~1\mcieplg.dll [2010-02-01 251416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\progra~1\mcafee\sitead~1\mcieplg.dll [2010-02-01 251416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"=C:\Windows\KHALMNPR.EXE [2009-06-17 55824]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2009-11-12 362032]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-20 35760]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2009-11-12 5140960]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 648072]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"mcui_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2010-06-24 1193848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-04-29 437584]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AVMUSBFernanschluss"=C:\Users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\AVMAutoStart.exe [2009-10-28 139264]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
PS3 Media Server.lnk - C:\Program Files\PS3 Media Server\PMS.exe
Trillian.lnk - C:\Program Files\Trillian\trillian.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2009-07-20 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\McMPFSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfefire]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfefirek]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfefirek.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfehidk]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfehidk.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mfevtp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-07-15 19:14:06 ----D---- C:\rsit
2010-07-15 19:09:58 ----D---- C:\Program Files\Panda Security
2010-07-15 17:55:53 ----D---- C:\Users\Administrator\AppData\Roaming\Malwarebytes
2010-07-15 17:55:48 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-07-15 17:55:47 ----D---- C:\ProgramData\Malwarebytes
2010-07-15 17:55:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-15 17:55:46 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-07-15 17:44:21 ----D---- C:\Program Files\ESET
2010-07-14 20:51:48 ----D---- C:\ProgramData\NVIDIA Corporation
2010-07-14 20:51:07 ----A---- C:\Windows\system32\OpenCL.dll
2010-07-14 20:51:07 ----A---- C:\Windows\system32\drivers\nvlddmkm.sys
2010-07-14 20:51:06 ----A---- C:\Windows\system32\nvoglv32.dll
2010-07-14 20:51:05 ----A---- C:\Windows\system32\nvencodemft.dll
2010-07-14 20:51:05 ----A---- C:\Windows\system32\nvdecodemft.dll
2010-07-14 20:51:04 ----A---- C:\Windows\system32\nvcuvid.dll
2010-07-14 20:51:04 ----A---- C:\Windows\system32\nvcuvenc.dll
2010-07-14 20:51:04 ----A---- C:\Windows\system32\nvcuda.dll
2010-07-14 20:51:03 ----A---- C:\Windows\system32\nvcompiler.dll
2010-07-14 20:51:03 ----A---- C:\Windows\system32\nvcod1921.dll
2010-07-14 20:51:03 ----A---- C:\Windows\system32\nvcod.dll
2010-07-13 20:09:55 ----D---- C:\Users\Administrator\AppData\Roaming\Mozilla
2010-07-12 21:39:24 ----A---- C:\Windows\system32\kernel32.dll
2010-07-12 21:39:24 ----A---- C:\Windows\system32\apphelp.dll
2010-07-10 08:23:10 ----AH---- C:\Windows\system32\hwrrmsdt.dll
2010-07-08 18:57:25 ----A---- C:\Windows\system32\drivers\mfeclnk.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\mfewfpk.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\mferkdet.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\mfenlfk.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\mfefirek.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\mfebopk.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\mfeavfk.sys
2010-07-08 18:57:20 ----A---- C:\Windows\system32\drivers\cfwids.sys
2010-07-08 18:57:19 ----D---- C:\Program Files\McAfee.com
2010-07-07 23:02:25 ----D---- C:\Users\Administrator\AppData\Roaming\McAfee
2010-06-30 21:23:45 ----D---- C:\Program Files\POI FINDER 3.5 Becker
2010-06-30 17:34:10 ----D---- C:\Program Files\Becker
2010-06-23 07:22:54 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2010-06-23 07:22:54 ----A---- C:\Windows\system32\PresentationHost.exe
2010-06-23 07:22:54 ----A---- C:\Windows\system32\netfxperf.dll
2010-06-23 07:22:54 ----A---- C:\Windows\system32\mscoree.dll
2010-06-23 07:22:54 ----A---- C:\Windows\system32\dfshim.dll
2010-06-23 07:10:40 ----A---- C:\Windows\system32\ntdll.dll
2010-06-23 07:10:39 ----A---- C:\Windows\system32\msdri.dll
2010-06-23 07:10:39 ----A---- C:\Windows\system32\CPFilters.dll

======List of files/folders modified in the last 1 months======

2010-07-15 19:17:53 ----D---- C:\Program Files\Trend Micro
2010-07-15 19:17:15 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-07-15 19:16:21 ----D---- C:\Windows\Temp
2010-07-15 19:10:10 ----D---- C:\Windows\system32\Tasks
2010-07-15 19:09:58 ----RD---- C:\Program Files
2010-07-15 18:57:08 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-07-15 18:56:28 ----D---- C:\Program Files\JDownloader
2010-07-15 18:48:23 ----D---- C:\Windows\system32\drivers
2010-07-15 18:45:54 ----D---- C:\Windows\System32
2010-07-15 18:45:54 ----D---- C:\Windows\inf
2010-07-15 18:45:54 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-07-15 18:04:49 ----D---- C:\Users\Administrator\AppData\Roaming\Desktopicon
2010-07-15 17:57:47 ----D---- C:\Windows\debug
2010-07-15 17:57:47 ----D---- C:\Windows
2010-07-15 17:55:47 ----HD---- C:\ProgramData
2010-07-15 17:27:47 ----D---- C:\Windows\system32\config
2010-07-15 17:21:55 ----D---- C:\Users\Administrator\AppData\Roaming\QuickScan
2010-07-15 17:14:32 ----D---- C:\Program Files\Trillian
2010-07-15 17:14:29 ----D---- C:\ProgramData\NVIDIA
2010-07-14 21:28:39 ----SHD---- C:\Windows\Installer
2010-07-14 21:27:56 ----D---- C:\Program Files\NVIDIA Corporation
2010-07-14 21:27:48 ----D---- C:\Windows\system32\DriverStore
2010-07-14 21:27:48 ----D---- C:\Windows\system32\catroot
2010-07-14 21:18:08 ----D---- C:\Windows\Help
2010-07-14 20:58:55 ----D---- C:\Windows\system32\catroot2
2010-07-14 07:18:31 ----A---- C:\Windows\(null)toolkit.ini
2010-07-13 20:09:50 ----D---- C:\Program Files\Mozilla Firefox
2010-07-13 18:48:19 ----D---- C:\Windows\system32\wdi
2010-07-13 06:39:03 ----D---- C:\Windows\winsxs
2010-07-08 21:57:35 ----D---- C:\ProgramData\McAfee
2010-07-08 18:57:31 ----D---- C:\Program Files\McAfee
2010-07-08 18:57:31 ----D---- C:\Program Files\Common Files\Mcafee
2010-07-03 09:35:59 ----D---- C:\Windows\system32\drivers\UMDF
2010-07-03 09:35:10 ----D---- C:\Windows\WindowsMobile
2010-07-02 21:39:05 ----A---- C:\Windows\system32\MRT.exe
2010-07-01 22:18:37 ----D---- C:\Users\Administrator\AppData\Roaming\vlc
2010-06-25 17:22:50 ----RSD---- C:\Windows\assembly
2010-06-25 17:22:50 ----D---- C:\Windows\Microsoft.NET
2010-06-25 07:19:06 ----D---- C:\Windows\system32\de-DE
2010-06-25 07:17:44 ----D---- C:\Windows\system32\en-US
2010-06-25 07:17:44 ----D---- C:\Program Files\Microsoft.NET
2010-06-23 07:22:53 ----D---- C:\Windows\ehome
2010-06-23 07:22:52 ----D---- C:\Windows\AppPatch

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2010-05-31 385880]
R0 mfewfpk;McAfee Inc. mfewfpk; C:\Windows\system32\drivers\mfewfpk.sys [2010-05-31 160720]
R0 nvstor32;nvstor32; C:\Windows\system32\DRIVERS\nvstor32.sys [2009-08-04 213024]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-14 12368]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-14 173648]
R0 SiRemFil;SATALink External Device Filter; C:\Windows\system32\DRIVERS\SiRemFil.sys [2008-08-20 15400]
R0 snapman;Acronis Snapshots Manager; C:\Windows\system32\DRIVERS\snapman.sys [2010-01-17 158272]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258); C:\Windows\system32\DRIVERS\tdrpm258.sys [2010-06-09 911680]
R0 timounter;Acronis Backup Archive Explorer; C:\Windows\system32\DRIVERS\timntr.sys [2010-06-09 581984]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2009-07-14 387584]
R1 mfenlfk;McAfee NDIS Light Filter; C:\Windows\system32\DRIVERS\mfenlfk.sys [2010-05-31 64304]
R3 afcdp;afcdp; C:\Windows\system32\DRIVERS\afcdp.sys [2010-06-09 160288]
R3 avmaura;AVM USB-Fernanschluss; C:\Windows\system32\DRIVERS\avmaura.sys [2009-10-28 101248]
R3 cfwids;McAfee Inc. cfwids; C:\Windows\system32\drivers\cfwids.sys [2010-05-31 55456]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\Windows\system32\DRIVERS\L8042Kbd.sys [2009-06-17 20240]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
R3 mfeapfk;McAfee Inc. mfeapfk; C:\Windows\system32\drivers\mfeapfk.sys [2010-05-31 95568]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2010-05-31 152320]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2010-05-31 51688]
R3 mfefirek;McAfee Inc. mfefirek; C:\Windows\system32\drivers\mfefirek.sys [2010-05-31 312616]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NVNET;NVIDIA nForce Ethernet Driver; C:\Windows\system32\DRIVERS\nvmf6232.sys [2009-07-30 287392]
R3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2009-07-14 133120]
R3 usbscan;USB-Scannertreiber; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-14 35840]
S0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2010-02-03 691696]
S1 Uim_IM;UIM Drive Backup Image Plugin; C:\Windows\System32\Drivers\Uim_IM.sys [2008-06-28 130688]
S1 UimBus;Universal Image Mounter Controller; C:\Windows\system32\DRIVERS\UimBus.sys [2008-06-28 33072]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-14 8704]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-14 70720]
S3 amdagp;AMD AGP-Bus-Filtertreiber; C:\Windows\system32\DRIVERS\amdagp.sys [2009-07-14 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-14 229888]
S3 E1G60;Intel(R) PRO/1000 NDIS 6-Adaptertreiber; C:\Windows\system32\DRIVERS\E1G60I32.sys [2009-07-14 118784]
S3 ENTECH;ENTECH; \??\C:\Windows\system32\DRIVERS\ENTECH.sys [2008-09-17 27672]
S3 mfeavfk01;McAfee Inc.; C:\Windows\system32\drivers\mfeavfk01.sys []
S3 mferkdet;McAfee Inc. mferkdet; C:\Windows\system32\drivers\mferkdet.sys [2010-05-31 83496]
S3 NVENETFD;NVIDIA nForce-Netzwerkcontrollertreiber; C:\Windows\system32\DRIVERS\nvm62x32.sys [2009-07-14 347264]
S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [2009-07-14 5632]
S3 sisagp;SIS AGP-Bus-Filter; C:\Windows\system32\DRIVERS\sisagp.sys [2009-07-14 52304]
S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [2009-07-14 28224]
S3 usb_rndisx;USB-RNDIS-Adapter; C:\Windows\system32\DRIVERS\usb8023x.sys [2009-07-14 15872]
S3 viaagp;VIA AGP-Bus-Filter; C:\Windows\system32\DRIVERS\viaagp.sys [2009-07-14 53328]
S3 ViaC7;VIA C7-Prozessortreiber; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-14 52736]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [2009-07-14 175824]
S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [2009-07-14 17920]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2009-11-12 661072]
R2 afcdpsrv;Acronis Nonstop Backup service; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-06-09 2480048]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 20992]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McMPFSvc;McAfee Personal Firewall-Dienst; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 mcmscsvc;McAfee Services; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McNaiAnn;McAfee VirusScan Announcer; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McNASvc;McAfee Network Agent; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McProxy;McAfee Proxy Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McShield;McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [2010-04-14 170144]
R2 mfefire;McAfee Firewall Core Service; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-05-31 188136]
R2 mfevtp;McAfee Validation Trust Protection Service; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-05-31 141792]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2010-06-07 129640]
R2 PS3 Media Server;PS3 Media Server; C:\Program Files\PS3 Media Server\win32\service\wrapper.exe [2008-08-17 217088]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2009-07-14 20992]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
R2 TeamViewer5;TeamViewer 5; C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe [2009-12-17 185640]
R2 TVersityMediaServer;TVersityMediaServer; C:\Program Files\TVersity\Media Server\MediaServer.exe [2009-09-22 856064]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2009-07-14 20992]
R3 McODS;McAfee Scanner; C:\Program Files\McAfee\VirusScan\mcods.exe [2010-04-15 364216]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 20992]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-07-20 121360]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 20992]

-----------------EOF-----------------

I could have lost it; this ruined my whole evening and surely the next few days too. I hope I did the first steps correctly; I am grateful for any help.

ESET has finished and now shows me the quarantined files (see screenshot in the attachment).

Panda ActiveScan made the following finding:

Bedrohungen (1)
Niedrige Gefährdungsstufe (1)
Trj/CI.A  Virus  Aktiv  Ausblenden  + Info
1. c:\windows\system32\hwrrmsdt.dll
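The RSIT section "List of files/folders created in the last 1 months" is where the file Panda later reported, hwrrmsdt.dll, already stands out: it is the only system32 file in that window carrying the hidden attribute (----AH----), and it was created alone rather than as part of a driver or Windows Update batch. The script below is an added example, not code from the thread or from RSIT, Malwarebytes, ESET or Panda; it parses that section in the format shown above and applies two triage heuristics (hidden attribute, lone file at its timestamp) that are my assumptions about what merits a closer look, not rules of any tool. The sample log is constructed from a few lines of the post.

```python
"""Triage of the "files/folders created" section of an RSIT log (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the RSIT format "<timestamp> <attribute flags> <path>";
# it mirrors a handful of entries from the thread, including the hidden DLL
# that Panda ActiveScan later flagged.
SAMPLE_LOG = r"""
======List of files/folders created in the last 1 months======

2010-07-15 19:14:06 ----D---- C:\rsit
2010-07-15 17:55:48 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-07-14 20:51:07 ----A---- C:\Windows\system32\OpenCL.dll
2010-07-14 20:51:07 ----A---- C:\Windows\system32\drivers\nvlddmkm.sys
2010-07-12 21:39:24 ----A---- C:\Windows\system32\kernel32.dll
2010-07-12 21:39:24 ----A---- C:\Windows\system32\apphelp.dll
2010-07-10 08:23:10 ----AH---- C:\Windows\system32\hwrrmsdt.dll

======List of files/folders modified in the last 1 months======

2010-07-15 19:17:53 ----D---- C:\Program Files\Trend Micro
"""

# One entry: timestamp, attribute letters padded with dashes on both sides, path.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$")


def parse_created_section(log_text):
    """Return [(timestamp, set_of_flags, path)] for the 'created' section only.

    The 'modified' section is skipped on purpose: a modified system32 directory
    is routine (every scanner install touches it); a newly created file is not.
    """
    entries = []
    in_created = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("======"):
            in_created = "created" in line
            continue
        if not in_created or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((stamp, set(m.group(2)), m.group(3)))
    return entries


def triage(entries):
    """Map path -> list of reasons for system32 files that deserve a closer look.

    Two heuristics (assumptions of this example, not RSIT rules):
      * a hidden (H) file under system32 is unusual for legitimate installers;
      * a file created alone, with no sibling sharing its timestamp, did not
        arrive as part of a driver or Windows Update batch.
    """
    sys32_files = [
        (stamp, flags, path) for stamp, flags, path in entries
        if "\\windows\\system32\\" in path.lower() and "D" not in flags
    ]
    per_stamp = Counter(stamp for stamp, _, _ in sys32_files)
    findings = {}
    for stamp, flags, path in sys32_files:
        reasons = []
        if "H" in flags:
            reasons.append("hidden attribute")
        if per_stamp[stamp] == 1:
            reasons.append("lone file at its timestamp")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_created_section(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(reasons)}")
```

On the sample, hwrrmsdt.dll is the only entry that trips both rules. The lone-file rule alone also flags mbamswissarmy.sys, which is the Malwarebytes driver installed minutes before the log was taken, so the output is a candidate list for the analyst to check against what was deliberately installed, not a verdict.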
15.07.2010, 20:00 | #2

/// Winkelfunktion /// TB-Süch-Tiger™

Hello, and please run a full scan with Malwarebytes and post the log. After that, OTL:

System scan with OTL
Please download OTL from Oldtimer and save it to your desktop.
15.07.2010, 20:11 | #3

Hello Arne,

thanks for the quick reaction. The Malwarebytes full scan had already run through, again with no findings.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4316
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15.07.2010 20:34:21
mbam-log-2010-07-15 (20-34-21).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|Z:\|)
Durchsuchte Objekte: 284125
Laufzeit: 54 Minute(n), 46 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Here is OTL 1. OTL Logfile:
ATTFilter OTL Extras logfile created on: 15.07.2010 21:06:03 - Run 1 OTL by OldTimer - Version 3.2.9.0 Folder = C:\Users\Administrator\Desktop Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 47,00% Memory free 6,00 Gb Paging File | 4,00 Gb Available in Paging File | 68,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 60,10 Gb Total Space | 7,76 Gb Free Space | 12,91% Space Free | Partition Type: NTFS Drive D: | 465,76 Gb Total Space | 106,04 Gb Free Space | 22,77% Space Free | Partition Type: NTFS Drive E: | 870,10 Gb Total Space | 502,89 Gb Free Space | 57,80% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded Drive I: | 967,22 Mb Total Space | 966,88 Mb Free Space | 99,96% Space Free | Partition Type: FAT Drive Z: | 525,10 Gb Total Space | 245,30 Gb Free Space | 46,71% Space Free | Partition Type: NTFS Computer Name: BIG-MOTHER Current User Name: Chris Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [TVersity] -- "C:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" () Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator "{04830D0F-F980-4EC0-89F1-594F2FD2A1B5}" = ElsterFormular 2008/2009 "{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 
2(TM) "{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP510" = Canon MP510 "{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}" = mkv2vob "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17 "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component "{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper "{3A05B900-A3E7-11DE-A9B7-005056806466}" = Google Earth "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{537575D6-3B96-474C-BD8F-DFF667363DBD}" = Naviextras Toolbox Prerequesities "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support "{67ED38A3-4882-448B-B44D-3428AB00D7D5}" = Acronis*True*Image*Home "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06 "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2 "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007 "{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007 "{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 
Microsoft Office Suite Service Pack 2 (SP2) "{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007 "{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007 "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007 "{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 
2007 "{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007 "{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2) "{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile-Gerätecenter "{957E1902-30C7-4A35-890B-90EB94B956D6}" = Intel® Solid-State Drive Toolbox "{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{AC76BA86-7AD7-1031-7B44-A93000000001}" = Adobe Reader 9.3.3 - Deutsch "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B4F3A360-E1E2-479D-ADE7-9BE3B07F4539}" = NVIDIA PhysX "{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo "{C40C3C3D-97CF-44B5-836C-766E374464B3}" = 3DMark Vantage "{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker "{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "ActiveScan 2.0" = Panda ActiveScan 2.0 "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "AviSynth" = AviSynth 2.5 "Burn4Free" = Burn4Free CD and DVD "CCleaner" = CCleaner "CDex" = CDex - Open Source Digital Audio CD Extractor "Content Manager 2" = Content Manager 2 "ElsterFormular 11.2.0.4074" = ElsterFormular "ENTERPRISE" = Microsoft Office Enterprise 2007 "ESET Online Scanner" = ESET Online Scanner v3 "EVEREST Ultimate Edition_is1" = 
EVEREST Ultimate Edition v4.60 "ffdshow_is1" = ffdshow [rev 1723] [2007-12-24] "HD Tune_is1" = HD Tune 2.55 "HijackThis" = HijackThis 2.0.2 "ImgBurn" = ImgBurn "JDownloader" = JDownloader "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Mass Effect 2 German_is1" = Mass Effect 2 German "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6) "MP Navigator 3.0" = Canon MP Navigator 3.0 "MSC" = McAfee AntiVirus Plus "NVIDIA Display Control Panel" = NVIDIA Display Control Panel "NVIDIA Drivers" = NVIDIA Drivers "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "OpenAL" = OpenAL "POI FINDER (Becker)_is1" = POI FINDER 3.80 (Becker) "PS3 Video 9" = PS3 Video 9 4.06 "SystemRequirementsLab" = System Requirements Lab "TeamViewer 5" = TeamViewer 5 "Trillian" = Trillian "TVersity Codec Pack" = TVersity Codec Pack 1.2 "Update Service" = Update Service "VLC media player" = VLC media player 1.0.5 "WinRAR archiver" = WinRAR "Zattoo" = Zattoo 3.3.4 Beta "Zattoo4" = Zattoo4 4.0.3 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "f018cf21c0452c64" = AVM FRITZ!Box USB-Fernanschluss - 1 "f6791b188d8f3ff8" = AVM FRITZ!Box USB-Fernanschluss ========== Last 10 Event Log Errors ========== Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt! < End of report >
Here is OTL 2. OTL Logfile: Code:
ATTFilter OTL logfile created on: 15.07.2010 21:06:03 - Run 1 OTL by OldTimer - Version 3.2.9.0 Folder = C:\Users\Administrator\Desktop Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 8.0.7600.16385) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 47,00% Memory free 6,00 Gb Paging File | 4,00 Gb Available in Paging File | 68,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 60,10 Gb Total Space | 7,76 Gb Free Space | 12,91% Space Free | Partition Type: NTFS Drive D: | 465,76 Gb Total Space | 106,04 Gb Free Space | 22,77% Space Free | Partition Type: NTFS Drive E: | 870,10 Gb Total Space | 502,89 Gb Free Space | 57,80% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded Drive I: | 967,22 Mb Total Space | 966,88 Mb Free Space | 99,96% Space Free | Partition Type: FAT Drive Z: | 525,10 Gb Total Space | 245,30 Gb Free Space | 46,71% Space Free | Partition Type: NTFS Computer Name: BIG-MOTHER Current User Name: Chris Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Users\Administrator\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Trillian\trillian.exe (Cerulean Studios) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Acronis\CDP\afcdpsrv.exe (Acronis) PRC - C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) PRC - C:\Programme\Common Files\Mcafee\SystemCore\mfefire.exe (McAfee, Inc.) 
PRC - C:\Programme\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) PRC - C:\Programme\McAfee\VirusScan\mcods.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Mcafee\SystemCore\mcshield.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) PRC - C:\Programme\DAEMON Tools Pro\DTProShellHlp.exe (DT Soft Ltd) PRC - C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH) PRC - C:\Programme\Java\jre6\bin\javaw.exe (Sun Microsystems, Inc.) PRC - C:\Windows\System32\java.exe (Sun Microsystems, Inc.) PRC - C:\Programme\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis) PRC - C:\Programme\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) PRC - C:\Programme\Common Files\Acronis\TrueImageHome\TrueImageHomeNotify.exe (Acronis) PRC - C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis) PRC - C:\Programme\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe (Acronis) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe (AVM Berlin) PRC - C:\Programme\TVersity\Media Server\MediaServer.exe () PRC - C:\Programme\SetPoint\SetPoint.exe (Logitech, Inc.) PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation) PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation) PRC - C:\Programme\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.) PRC - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) PRC - C:\Programme\PS3 Media Server\win32\service\wrapper.exe () ========== Modules (SafeList) ========== MOD - C:\Users\Administrator\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Windows\System32\hwrrmsdt.dll () MOD - c:\Programme\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.) 
MOD - C:\Programme\SetPoint\lgscroll.dll (Logitech, Inc.) MOD - C:\Programme\SetPoint\GameHook.dll (Logitech, Inc.) MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation) MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation) MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation) MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation) MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation) MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation) MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation) MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation) MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation) MOD - C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\msvcr80.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (afcdpsrv) -- C:\Programme\Common Files\Acronis\CDP\afcdpsrv.exe (Acronis) SRV - (Stereo Service) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.) SRV - (mfevtp) -- C:\Programme\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.) SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.) SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe () SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) 
SRV - (McNaiAnn) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (mcmscsvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (TeamViewer5) -- C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH) SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis) SRV - (TVersityMediaServer) -- C:\Program Files\TVersity\Media Server\MediaServer.exe () SRV - (LBTServ) -- C:\Programme\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.) SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation) SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation) SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation) SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation) SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation) SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation) SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation) SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation) SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation) SRV - (Dhcp) -- 
C:\Windows\System32\dhcpcore.dll (Microsoft Corporation) SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation) SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation) SRV - (AxInstSV) ActiveX-Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation) SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation) SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation) SRV - (SBSDWSCService) -- C:\Programme\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.) SRV - (PS3 Media Server) -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe () SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation) SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (DwProt) -- File not found DRV - (afcdp) -- C:\Windows\System32\drivers\afcdp.sys (Acronis) DRV - (tdrpman258) Acronis Try&Decide and Restore Points filter (build 258) -- C:\Windows\system32\DRIVERS\tdrpm258.sys (Acronis) DRV - (timounter) -- C:\Windows\system32\DRIVERS\timntr.sys (Acronis) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (mfehidk) -- C:\Windows\system32\drivers\mfehidk.sys (McAfee, Inc.) DRV - (mfefirek) -- C:\Windows\System32\drivers\mfefirek.sys (McAfee, Inc.) DRV - (mfewfpk) -- C:\Windows\system32\drivers\mfewfpk.sys (McAfee, Inc.) DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.) DRV - (mfeapfk) -- C:\Windows\System32\drivers\mfeapfk.sys (McAfee, Inc.) DRV - (mferkdet) -- C:\Windows\System32\drivers\mferkdet.sys (McAfee, Inc.) DRV - (mfenlfk) -- C:\Windows\System32\drivers\mfenlfk.sys (McAfee, Inc.) DRV - (cfwids) -- C:\Windows\System32\drivers\cfwids.sys (McAfee, Inc.) DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.) DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.) 
DRV - (snapman) -- C:\Windows\system32\DRIVERS\snapman.sys (Acronis) DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation) DRV - (avmaura) -- C:\Windows\System32\drivers\avmaura.sys (AVM Berlin) DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation) DRV - (NVNET) -- C:\Windows\System32\drivers\nvmf6232.sys (NVIDIA Corporation) DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.) DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.) DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.) DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.) DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.) DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices) DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.) DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices) DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation) DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation) DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation) DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation) DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation) DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.) 
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation) DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation) DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation) DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation) DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation) DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex) DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.) DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company) DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation) DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation) DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation) DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation) DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation) DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.) DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation) DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation) DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation) DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems) DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation) DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.) 
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology) DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation) DRV - (Brserid) Brother MFC-Seriellschnittstellentreiber (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.) DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation) DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation) DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation) DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation) DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation) DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation) DRV - (1394ohci) -- C:\Windows\System32\drivers\1394ohci.sys (Microsoft Corporation) DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation) DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation) DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation) DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation) DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation) DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation) DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation) DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation) DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation) DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation) DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) 
DRV - (BrUsbMdm) Brother MFC-nur-Fax-Modem (USB) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.) DRV - (BrUsbSer) Brother MFC-WDM-Treiber (USB,seriell) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.) DRV - (BrSerWdm) Brother WDM-Treiber (seriell) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.) DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation) DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation) DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation) DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation) DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation) DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.) DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.) DRV - (L8042Kbd) -- C:\Windows\System32\drivers\L8042Kbd.sys (Logitech, Inc.) 
DRV - (SiRemFil) -- C:\Windows\system32\DRIVERS\SiRemFil.sys (Silicon Image, Inc)
DRV - (Uim_IM) -- C:\Windows\System32\drivers\Uim_IM.sys (Paragon Software Group)
DRV - (UimBus) -- C:\Windows\System32\drivers\UimBus.sys (Paragon Software Group)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 20 52 9D FD 41 20 CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010.07.08 19:10:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.13 20:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.13 20:09:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.13 20:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.13 20:09:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.13 20:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.13 20:09:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.13 20:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.13 20:09:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Components: C:\Programme\Mozilla Firefox\components [2010.07.13 20:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2010.07.13 20:09:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.13 20:09:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.13 20:09:49 | 000,000,000 | ---D | M]

[2010.07.13 20:10:01 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
[2010.07.13 19:30:54 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\93eigdzf.default\extensions
[2010.07.15 20:46:29 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions
[2010.07.13 20:13:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.07.13 20:13:43 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010.07.13 20:13:43 | 000,000,000 | ---D | M] (Dr.Web anti-virus link checker) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
[2010.07.13 20:13:44 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010.07.13 20:13:44 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.07.13 20:13:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2010.07.13 20:10:01 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\vugxvwkr.default\extensions
[2010.07.15 20:46:29 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.05.31 20:32:58 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Programme\Mozilla Firefox\components\Scriptff.dll
[2010.06.26 10:03:55 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.06.26 10:03:55 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.06.26 10:03:55 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.06.26 10:03:55 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.06.26 10:03:55 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010.06.13 10:30:09 | 000,404,455 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 13982 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\Common Files\Mcafee\SystemCore\ScriptSn.20100711101300.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [AVMUSBFernanschluss] C:\Users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\AVMAutoStart.exe (AVM Berlin)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PS3 Media Server.lnk = C:\Programme\PS3 Media Server\PMS.exe (A. Brochard)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk = C:\Programme\Trillian\trillian.exe (Cerulean Studios)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Programme\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010.03.06 14:14:43 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: charlwiz - (C:\Windows\system32\hwrrmsdt.dll) - C:\Windows\System32\hwrrmsdt.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.07.15 21:02:58 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2010.07.15 20:20:16 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2010.07.15 19:14:06 | 000,000,000 | ---D | C] -- C:\rsit
[2010.07.15 19:09:58 | 000,000,000 | ---D | C] -- C:\Programme\Panda Security
[2010.07.15 18:52:45 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\Administrator\Desktop\spybotsd162.exe
[2010.07.15 18:51:55 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Administrator\Desktop\HiJackThis204.exe
[2010.07.15 17:55:53 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
[2010.07.15 17:55:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.07.15 17:55:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.07.15 17:55:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.07.15 17:55:46 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.07.15 17:55:08 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Administrator\Desktop\mbam146-setup.exe
[2010.07.15 17:44:21 | 000,000,000 | ---D | C] -- C:\Programme\ESET
[2010.07.14 20:51:48 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2010.07.14 20:51:07 | 010,888,168 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
[2010.07.14 20:51:07 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2010.07.14 20:51:07 | 000,010,920 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvBridge.kmd
[2010.07.14 20:51:06 | 015,764,072 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
[2010.07.14 20:51:05 | 002,890,856 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvencodemft.dll
[2010.07.14 20:51:05 | 000,332,392 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvdecodemft.dll
[2010.07.14 20:51:04 | 004,513,384 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
[2010.07.14 20:51:04 | 002,632,296 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
[2010.07.14 20:51:04 | 002,145,896 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
[2010.07.14 20:51:03 | 010,263,144 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
[2010.07.14 20:51:03 | 000,232,040 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcod1921.dll
[2010.07.14 20:51:03 | 000,232,040 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcod.dll
[2010.07.14 20:38:59 | 131,453,256 | ---- | C] (NVIDIA Corporation) -- C:\Users\Administrator\Desktop\257.21_desktop_win7_winvista_32bit_international_whql.exe
[2010.07.13 20:09:55 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Mozilla
[2010.07.13 20:09:55 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Mozilla
[2010.07.08 18:57:25 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeclnk.sys
[2010.07.08 18:57:20 | 000,312,616 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfefirek.sys
[2010.07.08 18:57:20 | 000,160,720 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfewfpk.sys
[2010.07.08 18:57:20 | 000,152,320 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2010.07.08 18:57:20 | 000,083,496 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdet.sys
[2010.07.08 18:57:20 | 000,064,304 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfenlfk.sys
[2010.07.08 18:57:20 | 000,055,456 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\cfwids.sys
[2010.07.08 18:57:20 | 000,051,688 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2010.07.08 18:57:19 | 000,000,000 | ---D | C] -- C:\Programme\McAfee.com
[2010.07.07 23:02:25 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\McAfee
[2010.07.02 07:03:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Becker
[2010.06.30 21:23:45 | 000,000,000 | ---D | C] -- C:\Programme\POI FINDER 3.5 Becker
[2010.06.30 20:19:05 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Speicherkarte X1
[2010.06.30 17:34:10 | 000,000,000 | ---D | C] -- C:\Programme\Becker
[2010.06.23 07:22:54 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010.06.23 07:22:54 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010.06.23 07:22:54 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010.06.23 07:10:39 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010.06.23 07:10:39 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll
[2010.06.23 07:10:39 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2010.06.23 07:10:38 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.07.15 21:07:02 | 006,553,600 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT
[2010.07.15 21:03:00 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2010.07.15 20:16:24 | 000,096,511 | ---- | M] () -- C:\Users\Administrator\Desktop\Unbenannt.png
[2010.07.15 19:13:59 | 000,339,991 | ---- | M] () -- C:\Users\Administrator\Desktop\RSIT.exe
[2010.07.15 18:55:01 | 000,001,222 | ---- | M] () -- C:\Users\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010.07.15 18:53:52 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\Administrator\Desktop\spybotsd162.exe
[2010.07.15 18:51:55 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Administrator\Desktop\HiJackThis204.exe
[2010.07.15 18:48:12 | 047,552,864 | ---- | M] () -- C:\Users\Administrator\Desktop\dg624yqp.exe
[2010.07.15 18:45:54 | 001,507,106 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.07.15 18:45:54 | 000,657,438 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.07.15 18:45:54 | 000,618,714 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.07.15 18:45:54 | 000,130,810 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.07.15 18:45:54 | 000,107,034 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.07.15 17:55:50 | 000,000,985 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.07.15 17:55:32 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Administrator\Desktop\mbam146-setup.exe
[2010.07.15 17:44:11 | 002,672,312 | ---- | M] () -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2010.07.15 17:19:38 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.07.15 17:19:38 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.07.15 17:16:31 | 000,001,834 | ---- | M] () -- C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
[2010.07.15 17:14:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.07.15 17:14:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.07.15 17:14:21 | 2616,107,008 | -HS- | M] () -- C:\hiberfil.sys
[2010.07.15 17:13:33 | 001,950,891 | -H-- | M] () -- C:\Users\Administrator\AppData\Local\IconCache.db
[2010.07.15 06:55:27 | 076,119,629 | ---- | M] () -- C:\Users\Administrator\Desktop\teil.rar
[2010.07.14 21:07:23 | 000,045,621 | ---- | M] () -- C:\Users\Administrator\Desktop\rotate.php.jpg
[2010.07.14 20:49:01 | 131,453,256 | ---- | M] (NVIDIA Corporation) -- C:\Users\Administrator\Desktop\257.21_desktop_win7_winvista_32bit_international_whql.exe
[2010.07.14 07:18:31 | 000,000,113 | ---- | M] () -- C:\Windows\(null)toolkit.ini
[2010.07.13 20:09:51 | 000,001,891 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.07.13 19:32:25 | 000,307,991 | ---- | M] () -- C:\Users\Administrator\Desktop\bookmarks.html
[2010.07.13 07:10:24 | 001,406,976 | ---- | M] () -- C:\Users\Administrator\Desktop\Kopie von GTTC_DB_V1.3.9-1.xls
[2010.07.12 23:13:15 | 000,009,290 | ---- | M] () -- C:\Users\Administrator\Desktop\cc_20100712_231306.reg
[2010.07.11 20:13:52 | 000,015,608 | ---- | M] () -- C:\Users\Administrator\Desktop\automatix.gif
[2010.07.10 08:23:10 | 000,046,592 | -H-- | M] () -- C:\Windows\System32\hwrrmsdt.dll
[2010.07.02 16:37:22 | 000,017,408 | ---- | M] () -- C:\Users\Administrator\AppData\Local\WebpageIcons.db
[2010.06.26 07:51:25 | 000,002,606 | ---- | M] () -- C:\Users\Administrator\Desktop\Gérard.08
[2010.06.26 07:49:56 | 000,009,645 | ---- | M] () -- C:\Users\Administrator\Desktop\Gerard 2009.elfo
[2010.06.21 16:58:10 | 000,010,382 | ---- | M] () -- C:\Users\Administrator\Desktop\SMS.docx
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.07.15 20:16:24 | 000,096,511 | ---- | C] () -- C:\Users\Administrator\Desktop\Unbenannt.png
[2010.07.15 19:13:55 | 000,339,991 | ---- | C] () -- C:\Users\Administrator\Desktop\RSIT.exe
[2010.07.15 18:55:01 | 000,001,222 | ---- | C] () -- C:\Users\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010.07.15 18:44:59 | 047,552,864 | ---- | C] () -- C:\Users\Administrator\Desktop\dg624yqp.exe
[2010.07.15 17:55:50 | 000,000,985 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.07.15 17:44:02 | 002,672,312 | ---- | C] () -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2010.07.15 06:47:22 | 076,119,629 | ---- | C] () -- C:\Users\Administrator\Desktop\teil.rar
[2010.07.14 21:07:22 | 000,045,621 | ---- | C] () -- C:\Users\Administrator\Desktop\rotate.php.jpg
[2010.07.13 20:09:51 | 000,001,891 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010.07.13 19:32:25 | 000,307,991 | ---- | C] () -- C:\Users\Administrator\Desktop\bookmarks.html
[2010.07.12 23:13:10 | 000,009,290 | ---- | C] () -- C:\Users\Administrator\Desktop\cc_20100712_231306.reg
[2010.07.12 20:45:19 | 001,406,976 | ---- | C] () -- C:\Users\Administrator\Desktop\Kopie von GTTC_DB_V1.3.9-1.xls
[2010.07.11 20:13:51 | 000,015,608 | ---- | C] () -- C:\Users\Administrator\Desktop\automatix.gif
[2010.07.10 08:23:10 | 000,046,592 | -H-- | C] () -- C:\Windows\System32\hwrrmsdt.dll
[2010.07.08 18:57:40 | 000,001,834 | ---- | C] () -- C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
[2010.06.26 07:49:54 | 000,009,645 | ---- | C] () -- C:\Users\Administrator\Desktop\Gerard 2009.elfo
[2010.06.21 16:58:02 | 000,010,382 | ---- | C] () -- C:\Users\Administrator\Desktop\SMS.docx
[2010.06.16 17:37:01 | 000,017,408 | ---- | C] () -- C:\Users\Administrator\AppData\Local\WebpageIcons.db
[2010.04.14 17:22:04 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2010.01.30 01:55:29 | 000,000,113 | ---- | C] () -- C:\Windows\(null)toolkit.ini
[2009.11.18 20:07:28 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009.11.18 20:07:28 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009.07.14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008.06.28 03:42:44 | 000,013,576 | ---- | C] () -- C:\Windows\System32\wnaspi32.dll
[2004.08.13 10:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys
< End of report >

Thanks for your efforts. Regards, Chris
Changed by Heho01 (15.07.2010, 20:17) |
15.07.2010, 20:56 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Close all programs, start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied as well!!!) Code:
:OTL
MOD - C:\Windows\System32\hwrrmsdt.dll ()
O32 - AutoRun File - [2010.03.06 14:14:43 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O36 - AppCertDlls: charlwiz - (C:\Windows\system32\hwrrmsdt.dll) - C:\Windows\System32\hwrrmsdt.dll ()
:Commands
[purity]
[resethosts]
[emptytemp]
The log file should open when you click OK after the fix; please post it. The computer may be restarted.
__________________ Always post log files in CODE tags |
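The fix above removes three things from the report: an AppCertDlls registration (DLLs listed under that key are loaded into every newly created process, and the key is empty on a default Windows install), the hidden DLL it points to, and a zero-byte autorun file on D:. As an added example that is not part of this thread or of OTL, the Python below parses lines in OTL's report format and flags exactly those indicators; the sample lines are constructed after entries in the report, and the window start date, the choice of C: as the system drive and all function names are my assumptions.

```python
"""Triage helper for OTL-style scan reports (added example, not a forum or OTL tool).

Flags the indicators acted on in this thread: an AppCertDlls registration,
an autorun file outside the system drive, and recently created files under
System32 that carry no company name or the hidden attribute.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample in OTL's report format, modelled on the thread's log:
# one malicious DLL plus its AppCertDlls hook and autorun file, the rest benign.
SAMPLE_LOG = r"""
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010.03.06 14:14:43 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O36 - AppCertDlls: charlwiz - (C:\Windows\system32\hwrrmsdt.dll) - C:\Windows\System32\hwrrmsdt.dll ()
[2010.07.15 19:14:06 | 000,000,000 | ---D | C] -- C:\rsit
[2010.07.14 20:51:07 | 000,056,936 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2010.07.10 08:23:10 | 000,046,592 | -H-- | C] () -- C:\Windows\System32\hwrrmsdt.dll
[2010.06.23 07:22:54 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2004.08.13 10:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
"""

# [yyyy.mm.dd hh:mm:ss | size | attrs | C or M] (Company) -- path   (company part is optional)
FILE_RE = re.compile(
    r"^\[(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| [CM]\]"
    r"(?: \(([^)]*)\))? -- (.+)$"
)
# O36 - AppCertDlls: <value name> - (<registry data>) - <resolved path> (<Company>)
APPCERT_RE = re.compile(r"^O36 - AppCertDlls: (\S+) - \((.+?)\) - (.+?) \(([^)]*)\)$")
# O32 - AutoRun File - [stamp fields] (<Company>) - <path> -- [ <filesystem> ]
AUTORUN_RE = re.compile(r"^O32 - AutoRun File - \[[^\]]*\] \(([^)]*)\) - (.+?) -- \[ \w+ \]$")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str      # the report line that produced the finding


def in_system_dir(path: str) -> bool:
    """True for files under \\Windows\\System32 on any drive, case-insensitive."""
    return "\\windows\\system32\\" in path.lower()


def triage_otl(log: str, created_after: str, system_drive: str = "C:") -> List[Finding]:
    """Scan OTL report lines and return findings in log order.

    created_after uses OTL's own date style (yyyy.mm.dd); only files created on
    or after that day are examined. system_drive is an assumption of this
    example (the machine in the thread boots from C:).
    """
    window_start = datetime.strptime(created_after, "%Y.%m.%d")
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = APPCERT_RE.match(line)
        if m:
            name, _data, path, company = m.groups()
            # Any entry deserves review; one pointing at a DLL with no
            # company name is the worst case.
            sev = "high" if not company.strip() else "medium"
            findings.append(Finding(sev, f"AppCertDlls entry '{name}' -> {path}", line))
            continue

        m = AUTORUN_RE.match(line)
        if m:
            _company, path = m.groups()
            if not path.upper().startswith(system_drive.upper()):
                findings.append(Finding("medium", f"autorun file outside system drive: {path}", line))
            continue

        m = FILE_RE.match(line)
        if m:
            stamp, _size, attrs, company, path = m.groups()
            if "D" in attrs or not in_system_dir(path):
                continue  # directories carry no code; only System32 content is in scope
            if datetime.strptime(stamp, "%Y.%m.%d %H:%M:%S") < window_start:
                continue
            reasons = []
            if not (company or "").strip():
                reasons.append("no company name")
            if "H" in attrs:
                reasons.append("hidden attribute")
            if reasons:
                sev = "high" if len(reasons) == 2 else "medium"
                findings.append(Finding(sev, f"{path}: {', '.join(reasons)}", line))
    return findings


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG, "2010.06.16"):
        print(f"[{f.severity:6}] {f.reason}")
```

Run against the sample, the three flagged lines are the same three the helper's fix removed, while the signed NVIDIA, Khronos and Microsoft files and the old ASACPI.sys driver pass.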
15.07.2010, 21:15 | #5 |
| Hello, the log file was only shown after the restart, or was I too quick?

All processes killed
========== OTL ==========
D:\AUTOEXEC.BAT moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\charlwiz:C:\Windows\system32\hwrrmsdt.dll deleted successfully.
C:\Windows\System32\hwrrmsdt.dll moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2900300 bytes
->Temporary Internet Files folder emptied: 623020 bytes
->Java cache emptied: 19423570 bytes
->FireFox cache emptied: 64138671 bytes
->Flash cache emptied: 2715 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 155648 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 176910 bytes
RecycleBin emptied: 177456 bytes

Total Files Cleaned = 84,00 mb

OTL by OldTimer - Version 3.2.9.0 log created on 07152010_221010

Files\Folders moved on Reboot...
Registry entries deleted on Reboot... |
16.07.2010, 06:05 | #6 |
| Just wanted to ask whether the problem is already resolved now that hwrrmsdt.dll has been deleted, or is my system still unsafe? Many thanks |
16.07.2010, 08:42 | #7 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Next up is CF: ComboFix. A guide and tutorial on using ComboFix
ComboFix may only be run if a board expert has explicitly recommended it!
16.07.2010, 17:17 | #8 |
| Hello, the following problems occur when I try to download ComboFix: 1. The file could not be saved. 2. During the download, McAfee detects a trojan (I suspect that saving fails because of the automatic clean-up). Both messages are attached in the screenshot. How should I proceed here? Changed by Heho01 (16.07.2010, 17:27) |
16.07.2010, 17:31 | #9 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Disable the virus scanner and download ComboFix again. What McAfee thinks it sees is of no interest at the moment.
16.07.2010, 21:35 | #10 |
| So, I have done everything so far; here is the log file. ComboFix Logfile: Code:
ComboFix 10-07-15.05 - Chris 16.07.2010 22:30:12.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.49.1031.18.3327.2384 [GMT 2:00]
ausgeführt von:: c:\users\Administrator\Desktop\cofi.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
 * Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrator\AppData\Roaming\Desktopicon

.
((((((((((((((((((((((( Dateien erstellt von 2010-06-16 bis 2010-07-16 ))))))))))))))))))))))))))))))
.

2010-07-16 20:33 . 2010-07-16 20:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-15 20:25 . 2010-07-15 20:28 -------- d-----w- c:\users\Administrator\DoctorWeb
2010-07-15 20:10 . 2010-07-15 20:10 -------- d-----w- C:\_OTL
2010-07-15 18:20 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-07-15 17:14 . 2010-07-15 17:14 -------- d-----w- C:\rsit
2010-07-15 17:09 . 2010-07-15 17:09 -------- d-----w- c:\program files\Panda Security
2010-07-15 15:55 . 2010-07-15 15:55 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-07-15 15:55 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 15:55 . 2010-07-15 15:55 -------- d-----w- c:\programdata\Malwarebytes
2010-07-15 15:55 . 2010-07-15 15:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-15 15:55 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 15:44 . 2010-07-15 15:44 -------- d-----w- c:\program files\ESET
2010-07-14 18:51 . 2010-07-14 18:51 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-07-14 18:51 . 2010-06-07 23:57 56936 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-14 18:51 . 2010-06-07 23:57 10888168 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-07-14 18:51 . 2010-06-07 23:57 15764072 ----a-w- c:\windows\system32\nvoglv32.dll
2010-07-14 18:51 . 2010-06-07 23:57 332392 ----a-w- c:\windows\system32\nvdecodemft.dll
2010-07-14 18:51 . 2010-06-07 23:57 2890856 ----a-w- c:\windows\system32\nvencodemft.dll
2010-07-14 18:51 . 2010-06-07 23:57 4513384 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-14 18:51 . 2010-06-07 23:57 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-14 18:51 . 2010-06-07 23:57 2145896 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-14 18:51 . 2010-06-07 23:57 232040 ----a-w- c:\windows\system32\nvcod1921.dll
2010-07-14 18:51 . 2010-06-07 23:57 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-07-14 18:51 . 2010-06-07 23:57 10263144 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-13 18:13 . 2010-05-31 14:34 702120 ----a-w- c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-07-13 18:13 . 2010-05-31 14:34 868456 ----a-w- c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-07-13 18:13 . 2010-07-01 11:52 1496064 ----a-w- c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-13 18:13 . 2010-07-01 11:51 43008 ----a-w- c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-13 18:13 . 2010-07-01 11:51 338944 ----a-w- c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-13 18:13 . 2010-07-01 11:51 346112 ----a-w- c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-13 18:09 . 2010-07-13 18:09 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2010-07-12 19:39 . 2009-12-08 11:32 292864 ----a-w- c:\windows\system32\apphelp.dll
2010-07-08 16:57 . 2010-05-31 18:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-07-08 16:57 . 2010-05-31 18:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-08 16:57 . 2010-05-31 18:32 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-07-08 16:57 . 2010-05-31 18:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-07-08 16:57 . 2010-05-31 18:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-08 16:57 . 2010-05-31 18:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-07-08 16:57 . 2010-05-31 18:32 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-07-08 16:57 . 2010-05-31 18:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-08 16:57 . 2010-07-08 16:57 -------- d-----w- c:\program files\McAfee.com
2010-07-07 21:02 . 2010-07-07 21:02 300384 ----a-w- c:\users\Administrator\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-07-07 21:02 . 2010-07-07 21:02 -------- d-----w- c:\users\Administrator\AppData\Roaming\McAfee
2010-06-30 19:23 . 2010-06-30 19:25 -------- d-----w- c:\program files\POI FINDER 3.5 Becker
2010-06-30 15:34 . 2010-06-30 15:34 -------- d-----w- c:\program files\Becker
2010-06-23 05:22 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 05:22 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 05:22 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 05:22 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 05:22 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 05:10 . 2010-03-24 06:37 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-23 05:10 . 2010-05-09 09:14 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-23 05:10 . 2010-05-09 09:14 417792 ----a-w- c:\windows\system32\msdri.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2010-07-16 20:28 . 2010-01-20 06:06 -------- d-----w- c:\program files\Trillian
2010-07-16 20:26 . 2009-07-14 08:47 657438 ----a-w- c:\windows\system32\perfh007.dat
2010-07-16 20:26 . 2009-07-14 08:47 130810 ----a-w- c:\windows\system32\perfc007.dat
2010-07-16 20:20 . 2010-05-13 14:30 -------- d-----w- c:\programdata\NVIDIA
2010-07-16 16:42 . 2009-10-29 06:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-16 16:40 . 2010-06-13 08:33 -------- d-----w- c:\program files\CCleaner
2010-07-15 17:17 . 2009-10-28 17:18 -------- d-----w- c:\program files\Trend Micro
2010-07-15 16:57 . 2009-10-29 06:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-15 16:56 . 2009-12-09 16:01 -------- d-----w- c:\program files\JDownloader
2010-07-15 15:21 . 2010-03-16 06:11 -------- d-----w- c:\users\Administrator\AppData\Roaming\QuickScan
2010-07-14 19:27 . 2010-05-13 14:29 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-08 19:57 . 2009-10-28 16:55 -------- d-----w- c:\programdata\McAfee
2010-07-08 16:57 . 2010-05-08 05:26 -------- d-----w- c:\program files\McAfee
2010-07-08 16:57 . 2010-04-22 19:51 -------- d-----w- c:\program files\Common Files\Mcafee
2010-07-01 20:18 . 2010-02-25 05:57 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
2010-06-25 05:17 . 2009-10-28 17:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-09 17:58 . 2010-06-09 17:58 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-06-09 17:58 . 2010-01-17 00:48 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-06-09 17:58 . 2010-06-09 17:58 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-06-09 17:58 . 2010-01-17 00:48 -------- d-----w- c:\program files\Common Files\Acronis
2010-06-09 16:16 . 2010-06-09 16:15 -------- d-----w- c:\program files\QuickTime
2010-06-09 16:15 . 2010-06-09 16:15 -------- d-----w- c:\programdata\Apple Computer
2010-06-09 16:15 . 2010-06-09 16:15 -------- d-----w- c:\program files\Common Files\Apple
2010-06-09 16:15 . 2010-06-09 16:15 -------- d-----w- c:\program files\Apple Software Update
2010-06-09 14:36 . 2009-10-28 20:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-09 14:35 . 2009-10-28 18:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 23:57 . 2010-07-14 18:51 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2010-06-07 23:57 . 2010-04-03 20:55 9712744 ----a-w- c:\windows\system32\nvd3dum.dll
2010-06-07 23:57 . 2010-04-03 20:55 4967528 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-06-07 23:57 . 2010-04-03 20:55 1592424 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 15:47 . 2010-06-07 15:47 1691752 ----a-w- c:\windows\system32\nvsvcr.dll
2010-06-07 15:47 . 2010-06-07 15:47 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 15:47 . 2010-06-07 15:47 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 15:47 . 2010-06-07 15:47 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 15:47 . 2010-06-07 15:47 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-31 19:50 . 2010-04-11 16:53 -------- d-----w- c:\users\Administrator\AppData\Roaming\dvdcss
2010-05-31 19:50 . 2010-02-03 16:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\DAEMON Tools Pro
2010-05-31 19:50 . 2009-12-29 22:10 -------- d-----w- c:\users\Administrator\AppData\Roaming\Download Manager
2010-05-31 19:50 . 2010-03-08 15:46 -------- d-----w- c:\users\Administrator\AppData\Roaming\skypePM
2010-05-31 19:50 . 2010-03-08 15:40 -------- d-----w- c:\users\Administrator\AppData\Roaming\Skype
2010-05-31 19:50 . 2010-02-20 12:27 -------- d-----w- c:\users\Administrator\AppData\Roaming\ShareTV
2010-05-31 19:50 . 2009-11-22 09:23 -------- d-----w- c:\users\Administrator\AppData\Roaming\TeamViewer
2010-05-31 18:32 . 2010-04-14 10:50 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-05-31 18:32 . 2010-04-14 10:50 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-31 05:04 . 2010-04-24 07:33 -------- d-----w- c:\program files\Burn4Free
2010-05-28 10:58 . 2010-05-13 14:29 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-27 07:24 . 2010-06-11 04:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-11 04:43 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 08:12 . 2010-05-25 08:12 7680 ----a-w- c:\users\Administrator\AppData\Roaming\Trillian\languages\de\talk.dll
2010-05-25 08:12 . 2010-05-25 08:12 7168 ----a-w- c:\users\Administrator\AppData\Roaming\Trillian\languages\de\events.dll
2010-05-25 08:12 . 2010-05-25 08:12 2048 ----a-w- c:\users\Administrator\AppData\Roaming\Trillian\languages\de\toolkit.dll
2010-05-25 08:12 . 2010-05-25 08:12 10240 ----a-w- c:\users\Administrator\AppData\Roaming\Trillian\languages\de\buddy.dll
2010-05-21 12:14 . 2009-10-14 02:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-11 04:43 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-14 19:48 . 2010-05-14 19:48 29184 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2010-05-13 14:58 . 2010-05-13 14:58 108824 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 14:40 . 2010-05-13 14:40 21532 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-01 14:49 . 2010-06-11 04:43 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 07:13 . 2010-05-26 04:46 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-31 18:32 . 2010-07-08 16:57 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVMUSBFernanschluss"="c:\users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\AVMAutoStart.exe" [2009-10-28 139264]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-12 362032]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-11-12 5140960]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PS3 Media Server.lnk - c:\program files\PS3 Media
Server\PMS.exe [2009-3-9 169367] Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-6-30 2066272] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2009-10-28 813584] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] 2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-03 691696] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [2008-08-17 217088] R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-05-31 83496] S0 mfewfpk;McAfee Inc. 
mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-05-31 160720] S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552] S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-06-09 911680] S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-05-31 64304] S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-06-09 2480048] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] S2 McMPFSvc;McAfee Personal Firewall-Dienst;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-05-31 188136] S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-05-31 141792] S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232] S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2009-12-17 185640] S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-06-09 160288] S3 avmaura;AVM USB-Fernanschluss;c:\windows\system32\DRIVERS\avmaura.sys [2009-10-28 101248] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-05-31 55456] S3 mfefirek;McAfee Inc. 
mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-05-31 312616] --- Andere Dienste/Treiber im Speicher --- *Deregistered* - mfeavfk01 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] WindowsMobile REG_MULTI_SZ wcescomm rapimgr LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr . . ------- Zusätzlicher Suchlauf ------- . IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Amazon.de FF - prefs.js: browser.startup.homepage - http://www.trojaner-board.de/plagege...af8-1279190461 FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - component: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll FF - component: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ozxyyju9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll ---- FIREFOX Richtlinien ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - Entfernte verwaiste Registrierungseinträge - - - - WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,51,82,6b,42,b8,bb,4b,b7,53,23,\ "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,51,82,6b,42,b8,bb,4b,b7,53,23,\ [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.3G2" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.3GP" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.3G2" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.3GP" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aa\UserChoice] @Denied: (2) 
(Administrator) "Progid"="iTunes.aa" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ADTS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ADTS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ADTS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.AIFF" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.AIFF" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.AIFF" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ASF" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ASX" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.AU" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.AVI" 
[HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.CDA" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice] @Denied: (2) (Administrator) "Progid"="FirefoxHTML" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice] @Denied: (2) (Administrator) "Progid"="FirefoxHTML" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice] @Denied: (2) (Administrator) "Progid"="Applications\\iexplore.exe" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.M2TS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.M2TS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.m3u" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.M4A" 
[HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MP4" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice] @Denied: (2) (Administrator) "Progid"="IE.AssocFile.MHT" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice] @Denied: (2) (Administrator) "Progid"="IE.AssocFile.MHT" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MIDI" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MIDI" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice] @Denied: (2) (Administrator) "Progid"="VLC.mkv" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MOV" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MP3" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" 
[HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MP3" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MP4" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MP4" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MPEG" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.M2TS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PFD\UserChoice] @Denied: (2) (Administrator) "Progid"="PFD_auto_file" 
[HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pl\UserChoice] @Denied: (2) (Administrator) "Progid"="Applications\\AudibleDownloadHelper.exe" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.MIDI" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice] @Denied: (2) (Administrator) "Progid"="FirefoxHTML" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.AU" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.TTS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.TTS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice] @Denied: (2) (Administrator) "Progid"="IE.AssocFile.URL" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WAV" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WAX" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ASF" 
[HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WMA" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WMD" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WMS" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WMV" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.ASX" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WMZ" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WPL" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice] @Denied: (2) (Administrator) "Progid"="WMP11.AssocFile.WVX" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice] @Denied: (2) (Administrator) "Progid"="FirefoxHTML" [HKEY_USERS\S-1-5-21-757285342-3440227590-3234987713-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice] @Denied: (2) (Administrator) "Progid"="FirefoxHTML" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'Explorer.exe'(3924) c:\progra~1\mcafee\sitead~1\saHook.dll . Zeit der Fertigstellung: 2010-07-16 22:35:06 ComboFix-quarantined-files.txt 2010-07-16 20:35 Vor Suchlauf: 8.269.160.448 Bytes frei Nach Suchlauf: 8.238.428.160 Bytes frei - - End Of File - - 0942123C25F0B8248A5CF4681AC45372 |
17.07.2010, 18:01 | #11 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bank website wanted 20 TANs, bank says Trojan

OK. Now please create logs with GMER and OSAM and post them. GMER crashes fairly often; if the tool still refuses on the second attempt, simply skip it and run only OSAM.

Then download bootkit_remover. Extract the tool into its own folder on the desktop and run the file remove.exe from that folder. If you are using Windows Vista or Windows 7, you must run remover.exe via right-click => Run as administrator.

A black window will open and automatically search for malicious changes to the MBR. Then please post whether there are any changes and, if so, on which device. Best to post everything remover.exe outputs.
__________________ Please always post logfiles in CODE tags |
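The helper asks for a GMER log, and the log in the next post lists, under "User code sections", dozens of inline JMP hooks on API functions inside Explorer.EXE and services.exe. The following triage script groups such entries per process and reports which API families are hooked and where the jumps land. It is an added example, not code from this thread and not part of GMER or any tool named here; the regular expression, the API-family grouping and the sample lines (modelled on the log posted below) are my own construction.

```python
import re

# One entry of GMER's "User code sections", e.g.
#   .text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 03B40EE1
# Kernel-section entries (no "[pid]") and non-JMP byte patches do not match and are skipped.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# API families whose hooking together in one process deserves a closer look.
# Assumption: a hand-picked grouping for triage, not a classification GMER itself makes.
CATEGORIES = {
    "process": {"CreateProcessA", "CreateProcessW", "NtCreateProcess", "WinExec", "system", "_wsystem"},
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "registry": {"RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                 "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "memory": {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
}

# Constructed sample in the format of the GMER log posted in this thread
# (a few user-mode lines plus one kernel line that must be ignored).
SAMPLE_LOG = r"""
.text C:\Windows\Explorer.EXE[564] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 03C10FEF
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 03B40EE1
.text C:\Windows\Explorer.EXE[564] WININET.dll!InternetOpenA 76367E1C 5 Bytes JMP 03C8000A
.text C:\Windows\Explorer.EXE[564] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 03C70000
.text C:\Windows\system32\services.exe[848] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 0023000A
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83450599 1 Byte [06]
"""


def parse_hooks(text):
    """Return one dict per inline JMP hook found in a user-mode process."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["name"] = d["proc"].rsplit("\\", 1)[-1]   # image name without path
        d["pid"] = int(d["pid"])
        d["size"] = int(d["size"])
        d["target"] = int(d["target"], 16)          # where the JMP lands
        hooks.append(d)
    return hooks


def category_of(func):
    for cat, names in CATEGORIES.items():
        if func in names:
            return cat
    return "other"


def triage(text):
    """Per process: hooked API families, hooked modules, number of hooks and the
    64 KiB pages the JMPs land in (the log shows one trampoline page per hooked DLL)."""
    report = {}
    for h in parse_hooks(text):
        key = f"{h['name']}[{h['pid']}]"
        entry = report.setdefault(key, {"categories": set(), "modules": set(),
                                        "pages": set(), "hooks": 0})
        entry["categories"].add(category_of(h["func"]))
        entry["modules"].add(h["module"].lower())
        entry["pages"].add(h["target"] >> 16)
        entry["hooks"] += 1
    return report


def processes_to_review(report, min_categories=3):
    """Processes in which several unrelated API families are hooked at once."""
    return sorted(k for k, v in report.items() if len(v["categories"]) >= min_categories)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for proc, info in rep.items():
        pages = ", ".join(f"{p:04X}xxxx" for p in sorted(info["pages"]))
        print(f"{proc}: {info['hooks']} hooks, families={sorted(info['categories'])}, "
              f"modules={sorted(info['modules'])}, trampoline pages={pages}")
    print("review first:", processes_to_review(rep))
```

The summary tells you which processes have several unrelated API families hooked and in which pages the trampolines live; it does not tell you who installed them. Security software also hooks APIs (the kernel section of the same log attributes several patches to the McAfee driver mfehidk.sys), so the next step is to attribute each trampoline page to a loaded module rather than to conclude infection from hook counts alone.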
17.07.2010, 20:49 | #12 |
| Bank website wanted 20 TANs, bank says Trojan. So, first the GMER: GMER 1.0.15.15281 - hxxp://www.gmer.net Rootkit scan 2010-07-17 21:22:57 Windows 6.1.7600 Running: ut4o198c.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\awtoyuow.sys ---- System - GMER 1.0.15 ---- INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83837AF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83837104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 838373F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8381F634 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8381F898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 838371DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83837958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 838376F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83837F2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 838381A8 Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C86BD88] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C86BDB2] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C86BD9E] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C86BD74] Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) 
NtMapViewOfSection ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 83438148 5 Bytes JMP 8C86BD78 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83450599 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83474F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} PAGE ntkrnlpa.exe!ZwTerminateProcess 8366EB7D 5 Bytes JMP 8C86BDB6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 83688D1C 5 Bytes JMP 8C86BDA2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 8368BF17 7 Bytes JMP 8C86BD8C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) .text peauth.sys A4408C9D 2 Bytes [9E, 22] .text peauth.sys A4408CC1 2 Bytes [9E, 22] PAGE peauth.sys A440F02C 102 Bytes [C1, FF, A5, 14, BE, 26, 27, ...] PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A44E2000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A44E2123 486 Bytes [D5, 4D, A4, FE, 05, 34, D5, ...] PAGE spsys.sys!?SPRevision@@3PADA + 529A A44E230A 142 Bytes [4D, A4, 3B, 08, 77, 04, 3B, ...] PAGE spsys.sys!?SPRevision@@3PADA + 5329 A44E2399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...] PAGE spsys.sys!?SPRevision@@3PADA + 538F A44E23FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...] PAGE ... 
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[564] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 03C10FEF
.text C:\Windows\Explorer.EXE[564] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 03C10FCA
.text C:\Windows\Explorer.EXE[564] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 03C1000A
.text C:\Windows\Explorer.EXE[564] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 03B40F28
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 03B40EE1
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 03B40EFC
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 03B40F94
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 03B40F43
.text C:\Windows\Explorer.EXE[564] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 03B40036
.text C:\Windows\Explorer.EXE[564] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 03B40F5E
.text C:\Windows\Explorer.EXE[564] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 03B40F6F
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 03B40FD4
.text C:\Windows\Explorer.EXE[564] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 03B40ED0
.text C:\Windows\Explorer.EXE[564] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 03B40000
.text C:\Windows\Explorer.EXE[564] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 03B40011
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 03B40FE5
.text C:\Windows\Explorer.EXE[564] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 03B40076
.text C:\Windows\Explorer.EXE[564] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 03B40FB9
.text C:\Windows\Explorer.EXE[564] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 03B40F17
.text C:\Windows\Explorer.EXE[564] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 03B40047
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 03B90FE5
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 03B9002C
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 03B90047
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 03B90FA5
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 03B90FD4
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 03B90062
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 03B9000A
.text C:\Windows\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 03B9001B
.text C:\Windows\Explorer.EXE[564] msvcrt.dll!_open 77587E48 5 Bytes JMP 03D80000
.text C:\Windows\Explorer.EXE[564] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 03D80051
.text C:\Windows\Explorer.EXE[564] msvcrt.dll!system 775BB16F 5 Bytes JMP 03D80036
.text C:\Windows\Explorer.EXE[564] msvcrt.dll!_creat 775BED29 5 Bytes JMP 03D80011
.text C:\Windows\Explorer.EXE[564] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 03D80FC6
.text C:\Windows\Explorer.EXE[564] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 03D80FD7
.text C:\Windows\Explorer.EXE[564] WININET.dll!InternetOpenA 76367E1C 5 Bytes JMP 03C8000A
.text C:\Windows\Explorer.EXE[564] WININET.dll!InternetOpenW 76369DA0 5 Bytes JMP 03C8001B
.text C:\Windows\Explorer.EXE[564] WININET.dll!InternetOpenUrlA 7636DC18 5 Bytes JMP 03C80036
.text C:\Windows\Explorer.EXE[564] WININET.dll!InternetOpenUrlW 763BDC34 5 Bytes JMP 03C80FE5
.text C:\Windows\Explorer.EXE[564] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 03C70000
.text C:\Windows\system32\services.exe[848] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 0023000A
.text C:\Windows\system32\services.exe[848] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00230040
.text C:\Windows\system32\services.exe[848] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00230025
.text C:\Windows\system32\services.exe[848] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00110F79
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00110F5E
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 001100E9
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00110040
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 001100A2
.text C:\Windows\system32\services.exe[848] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00110F9E
.text C:\Windows\system32\services.exe[848] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00110FAF
.text C:\Windows\system32\services.exe[848] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 0011006C
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 0011000A
.text C:\Windows\system32\services.exe[848] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00110104
.text C:\Windows\system32\services.exe[848] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00110051
.text C:\Windows\system32\services.exe[848] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00110FC0
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00110FEF
.text C:\Windows\system32\services.exe[848] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 001100C7
.text C:\Windows\system32\services.exe[848] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00110025
.text C:\Windows\system32\services.exe[848] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 001100D8
.text C:\Windows\system32\services.exe[848] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00110091
.text C:\Windows\system32\services.exe[848] msvcrt.dll!_open 77587E48 5 Bytes JMP 00250FEF
.text C:\Windows\system32\services.exe[848] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00250042
.text C:\Windows\system32\services.exe[848] msvcrt.dll!system 775BB16F 5 Bytes JMP 00250FB7
.text C:\Windows\system32\services.exe[848] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00250FD2
.text C:\Windows\system32\services.exe[848] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 0025001D
.text C:\Windows\system32\services.exe[848] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 0025000C
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00240FEF
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00240F8D
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00240F68
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00240014
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00240FDE
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00240F4D
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00240FC3
.text C:\Windows\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00240FB2
.text C:\Windows\system32\services.exe[848] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00260FE5
.text C:\Windows\system32\lsass.exe[864] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 0008000A
.text C:\Windows\system32\lsass.exe[864] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00080FCA
.text C:\Windows\system32\lsass.exe[864] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00080FEF
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00070F5E
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00070F32
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00070F43
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00070036
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00070F79
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00070F94
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00070FA5
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00070FB6
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00070000
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00070F0D
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00070047
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00070058
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00070FE5
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 000700A2
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 0007001B
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 000700BD
.text C:\Windows\system32\lsass.exe[864] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00070087
.text C:\Windows\system32\lsass.exe[864] msvcrt.dll!_open 77587E48 5 Bytes JMP 00620000
.text C:\Windows\system32\lsass.exe[864] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00620FB2
.text C:\Windows\system32\lsass.exe[864] msvcrt.dll!system 775BB16F 5 Bytes JMP 00620047
.text C:\Windows\system32\lsass.exe[864] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00620FD7
.text C:\Windows\system32\lsass.exe[864] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 0062002C
.text C:\Windows\system32\lsass.exe[864] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00620011
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 000A0FE5
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 000A0FC3
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 000A004A
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 000A0FA8
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 000A0FD4
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 000A005B
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 000A0014
.text C:\Windows\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 000A002F
.text C:\Windows\system32\lsass.exe[864] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00090000
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 003D000A
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 003D0040
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 003D001B
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00380F5E
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 003800BD
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00380F28
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00380FCA
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00380F6F
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 0038006C
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00380F94
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 0038005B
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00380000
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00380F0D
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00380040
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00380FB9
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00380FEF
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00380F4D
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 0038001B
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 003800AC
.text C:\Windows\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00380087
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_open 77587E48 5 Bytes JMP 00440000
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00440FA3
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!system 775BB16F 5 Bytes JMP 00440FB4
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_creat 775BED29 5 Bytes JMP 0044001D
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 0044002E
.text C:\Windows\system32\svchost.exe[1016] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00440FE3
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00430000
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00430036
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00430F9E
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00430FAF
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00430FE5
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 0043005B
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00430FD4
.text C:\Windows\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 0043001B
.text C:\Windows\system32\svchost.exe[1016] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 0042000A
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 001E0000
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 001E0036
.text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 001E0011
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 001D0F35
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 001D00A5
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 001D0094
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 001D0FCA
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 001D0F46
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 001D0F72
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 001D0F8D
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 001D0FA8
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 001D0FE5
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 001D0EF5
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 001D0040
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 001D0FB9
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 001D0000
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 001D0079
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 001D001B
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 001D0F1A
.text C:\Windows\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 001D0F61
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_open 77587E48 5 Bytes JMP 003E0000
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 003E0FC8
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!system 775BB16F 5 Bytes JMP 003E0049
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_creat 775BED29 5 Bytes JMP 003E0038
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 003E0FD9
.text C:\Windows\system32\svchost.exe[1144] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 003E001D
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 003D0FEF
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 003D0FAF
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 003D0F94
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 003D0036
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 003D0000
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 003D0F79
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 003D0FC0
.text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 003D001B
.text C:\Windows\system32\svchost.exe[1144] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 001F0FEF
.text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00DD0FE5
.text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00DD000A
.text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00DD0FD4
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 009600A2
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00960F4A
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 009600DF
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00960FDB
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00960091
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00960F94
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00960FB9
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00960FCA
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 0096001B
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00960F39
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00960051
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00960062
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00960000
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 009600B3
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 0096002C
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 009600CE
.text C:\Windows\System32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00960F83
.text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_open 77587E48 5 Bytes JMP 00EA0FEF
.text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00EA0F7A
.text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!system 775BB16F 5 Bytes JMP 00EA0F8B
.text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00EA0FB7
.text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00EA0F9C
.text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00EA0FDE
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00E90FEF
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00E90F9E
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00E90036
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00E90025
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00E90000
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00E90F79
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00E90FD4
.text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00E90FB9
.text C:\Windows\System32\svchost.exe[1236] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00E40FEF
.text C:\Windows\System32\svchost.exe[1356] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00550000
.text C:\Windows\System32\svchost.exe[1356] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00550FE5
.text C:\Windows\System32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 0055001B
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00540095
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 005400DC
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 005400CB
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00540FCA
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00540F76
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00540069
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00540058
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00540FA5
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00540FE5
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 005400ED
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00540036
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00540047
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00540000
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 005400A6
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 75C8D5BF 3 Bytes JMP 0054001B
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA + 4 75C8D5C3 1 Byte [8A]
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!WinExec 75C8E76D 3 Bytes JMP 00540F51
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!WinExec + 4 75C8E771 1 Byte [8A]
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 75C8F729 3 Bytes JMP 00540084
.text C:\Windows\System32\svchost.exe[1356] kernel32.dll!VirtualProtectEx + 4 75C8F72D 1 Byte [8A]
.text C:\Windows\System32\svchost.exe[1356] msvcrt.dll!_open 77587E48 5 Bytes JMP 00570FEF
.text C:\Windows\System32\svchost.exe[1356] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00570FAF
.text C:\Windows\System32\svchost.exe[1356] msvcrt.dll!system 775BB16F 5 Bytes JMP 00570044
.text C:\Windows\System32\svchost.exe[1356] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00570018
.text C:\Windows\System32\svchost.exe[1356] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00570033
.text C:\Windows\System32\svchost.exe[1356] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00570FDE
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00560FEF
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00560047
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00560062
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00560FC0
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 0056000A
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00560FA5
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00560025
.text C:\Windows\System32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00560036
.text C:\Windows\System32\svchost.exe[1356] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00A9000A
.text C:\Windows\system32\svchost.exe[1384] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00B00FE5
.text C:\Windows\system32\svchost.exe[1384] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00B00FCA
.text C:\Windows\system32\svchost.exe[1384] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00B0000A
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00A30F7C
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00A30F35
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00A30F46
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00A30040
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00A30F8D
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00A30091
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00A30076
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00A30051
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00A30FEF
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00A30F24
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00A30FCA
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00A30FB9
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00A30000
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00A300B6
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00A30025
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 00A30F57
.text C:\Windows\system32\svchost.exe[1384] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00A30F9E
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_open 77587E48 5 Bytes JMP 00EC000C
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00EC003A
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!system 775BB16F 5 Bytes JMP 00EC0029
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00EC0FD4
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00EC0FB9
.text C:\Windows\system32\svchost.exe[1384] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00EC0FEF
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00EB0FE5
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00EB002C
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00EB0F9B
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00EB0047
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00EB0000
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00EB0F8A
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00EB001B
.text C:\Windows\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00EB0FC0
.text C:\Windows\system32\svchost.exe[1384] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00B90FE5
.text C:\Windows\system32\svchost.exe[1632] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00A50000
.text C:\Windows\system32\svchost.exe[1632] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00A50FD4
.text C:\Windows\system32\svchost.exe[1632] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00A50FEF
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00A400B3
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00A400E9
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00A40F4A
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00A40FCA
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00A400A2
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00A40076
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00A40F9E
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00A40051
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00A4001B
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00A40F39
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00A40FB9
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00A40040
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00A40000
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00A40F6F
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00A40FDB
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 00A400CE
.text C:\Windows\system32\svchost.exe[1632] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00A40087
.text C:\Windows\system32\svchost.exe[1632] msvcrt.dll!_open 77587E48 5 Bytes JMP 00AC0FEF
.text C:\Windows\system32\svchost.exe[1632] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00AC0049
.text C:\Windows\system32\svchost.exe[1632] msvcrt.dll!system 775BB16F 5 Bytes JMP 00AC0038
.text C:\Windows\system32\svchost.exe[1632] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00AC000C
.text C:\Windows\system32\svchost.exe[1632] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00AC001D
.text C:\Windows\system32\svchost.exe[1632] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00AC0FDE
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00A70FEF
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00A70025
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00A70051
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00A70040
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00A70FDE
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00A7006C
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00A70014
.text C:\Windows\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00A70FC3
.text C:\Windows\system32\svchost.exe[1632] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00A60FEF
.text C:\Windows\system32\svchost.exe[1764] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00510000
.text C:\Windows\system32\svchost.exe[1764] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 0051001B
.text C:\Windows\system32\svchost.exe[1764] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00510FE5
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00500F39
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00500F06
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00500F17
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00500FB9
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00500058
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtect 75C450AB 3 Bytes JMP 00500047
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtect + 4 75C450AF 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExW 75C4B6BF 3 Bytes JMP 00500F6F
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExW + 4 75C4B6C3 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExA 75C4BC8B 3 Bytes JMP 00500F94
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExA + 4 75C4BC8F 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileW 75C50B7D 3 Bytes JMP 00500FDE
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileW + 4 75C50B81 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 005000C0
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00500025
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00500036
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00500FEF
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00500F28
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00500014
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 00500087
.text C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00500F4A
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_open 77587E48 5 Bytes JMP 00AC000C
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00AC0FB7
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!system 775BB16F 5 Bytes JMP 00AC0042
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00AC0FD2
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00AC0027
.text C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00AC0FE3
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00530000
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00530F94
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00530036
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00530025
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00530FE5
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00530F79
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00530FCA
.text C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00530FB9
.text C:\Windows\system32\svchost.exe[1764] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 0052000A
.text C:\Windows\system32\svchost.exe[1984] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00E40FEF
.text C:\Windows\system32\svchost.exe[1984] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00E40FD4
.text C:\Windows\system32\svchost.exe[1984] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00E4000A
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00DF00A2
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00DF00EC
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00DF00C7
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00DF0FC0
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00DF0087
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00DF0F79
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00DF0051
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00DF0040
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00DF0011
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00DF00FD
.text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00DF0FAF
.text C:\Windows\system32\svchost.exe[1984]
17.07.2010, 20:50 | #13 |
| Bank website wanted 20 TANs, bank says Trojan (continued)
kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00DF0F9E .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00DF0000 .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00DF0F5E .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00DF0FDB .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 00DF0F4D .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00DF006C .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_open 77587E48 5 Bytes JMP 01030FE3 .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 01030F9C .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!system 775BB16F 5 Bytes JMP 01030027 .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_creat 775BED29 5 Bytes JMP 01030FD2 .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 01030FC1 .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 01030000 .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 01020FEF .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 01020F94 .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 0102002C .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 0102001B .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 01020FCA .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 01020F6F .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 01020FAF .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 01020000 .text 
C:\Windows\system32\svchost.exe[1984] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 01010FEF .text C:\Windows\system32\svchost.exe[2036] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00930000 .text C:\Windows\system32\svchost.exe[2036] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00930FDB .text C:\Windows\system32\svchost.exe[2036] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00930011 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00420094 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00420F10 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 004200AF .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00420025 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00420F61 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00420F72 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 0042004A .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00420F97 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00420000 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00420EFF .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00420FB9 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00420FA8 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00420FE5 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00420F50 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00420FD4 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 
00420F35 .text C:\Windows\system32\svchost.exe[2036] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 0042006F .text C:\Windows\system32\svchost.exe[2036] msvcrt.dll!_open 77587E48 5 Bytes JMP 00990FEF .text C:\Windows\system32\svchost.exe[2036] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00990031 .text C:\Windows\system32\svchost.exe[2036] msvcrt.dll!system 775BB16F 5 Bytes JMP 00990FA6 .text C:\Windows\system32\svchost.exe[2036] msvcrt.dll!_creat 775BED29 5 Bytes JMP 00990FC8 .text C:\Windows\system32\svchost.exe[2036] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00990FB7 .text C:\Windows\system32\svchost.exe[2036] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 0099000C .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00570FEF .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00570040 .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00570FA8 .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00570FB9 .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 0057000A .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00570065 .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 0057001B .text C:\Windows\system32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00570FD4 .text C:\Windows\system32\svchost.exe[2036] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00980000 .text C:\Windows\system32\svchost.exe[2060] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00040FEF .text C:\Windows\system32\svchost.exe[2060] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 0004000A .text C:\Windows\system32\svchost.exe[2060] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00040FDE .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00010098 .text 
C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 00010F1E .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 00010F39 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00010FE5 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00010087 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00010F94 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00010FA5 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00010062 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 0001001B .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 00010F03 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00010FCA .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00010051 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 0001000A .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00010F5E .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00010036 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 000100B3 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00010F83 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_open 77587E48 5 Bytes JMP 000E0000 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 000E0038 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!system 775BB16F 5 Bytes JMP 000E0027 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_creat 775BED29 5 Bytes JMP 000E0FD2 .text 
C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 000E0FB7 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 000E0FE3 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 00180FEF .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00180039 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00180FB2 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 0018004A .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00180FDE .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 0018006F .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00180014 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00180FCD .text C:\Windows\system32\svchost.exe[2060] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00190000 .text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00360000 .text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00360FE5 .text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 0036001B .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00160F65 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 001600BA .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 001600A9 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00160FCA .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00160F76 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00160F91 .text 
C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00160069 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00160058 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00160011 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 001600CB .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 0016002C .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 00160047 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00160000 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00160F54 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00160FDB .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 00160F39 .text C:\Windows\system32\svchost.exe[2416] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00160084 .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_open 77587E48 5 Bytes JMP 00180FE3 .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 00180027 .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!system 775BB16F 5 Bytes JMP 00180F9C .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_creat 775BED29 5 Bytes JMP 0018000C .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 00180FAD .text C:\Windows\system32\svchost.exe[2416] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 00180FD2 .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 0017000A .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 00170FC3 .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 00170F8D .text 
C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 00170F9E .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 00170FEF .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 00170040 .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 00170FD4 .text C:\Windows\system32\svchost.exe[2416] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 00170025 .text C:\Windows\system32\svchost.exe[4120] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 0004000A .text C:\Windows\system32\svchost.exe[4120] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00040025 .text C:\Windows\system32\svchost.exe[4120] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00040FEF .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00010F61 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 000100E2 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 000100D1 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 0001001E .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00010F7C .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 00010080 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00010FA8 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00010065 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 00010FDE .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 000100FD .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00010039 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!LoadLibraryW 75C528D2 5 
Bytes JMP 0001004A .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00010FEF .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 0001009B .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00010FCD .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 000100B6 .text C:\Windows\system32\svchost.exe[4120] kernel32.dll!VirtualProtectEx 75C8F729 5 Bytes JMP 00010F8D .text C:\Windows\system32\svchost.exe[4120] msvcrt.dll!_open 77587E48 5 Bytes JMP 000E0FEF .text C:\Windows\system32\svchost.exe[4120] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 000E0F86 .text C:\Windows\system32\svchost.exe[4120] msvcrt.dll!system 775BB16F 5 Bytes JMP 000E0011 .text C:\Windows\system32\svchost.exe[4120] msvcrt.dll!_creat 775BED29 5 Bytes JMP 000E0FC6 .text C:\Windows\system32\svchost.exe[4120] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 000E0FAB .text C:\Windows\system32\svchost.exe[4120] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 000E0000 .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 000F0FE5 .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 000F0014 .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 000F0F72 .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 000F0F8D .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 000F0FD4 .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 000F002F .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 000F0FB9 .text C:\Windows\system32\svchost.exe[4120] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 000F0FA8 .text C:\Windows\system32\svchost.exe[4120] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 00180FE5 .text 
C:\Windows\System32\svchost.exe[4732] ntdll.dll!NtCreateFile 777B4A30 5 Bytes JMP 00040FEF .text C:\Windows\System32\svchost.exe[4732] ntdll.dll!NtCreateProcess 777B4B00 5 Bytes JMP 00040FDE .text C:\Windows\System32\svchost.exe[4732] ntdll.dll!NtProtectVirtualMemory 777B5380 5 Bytes JMP 00040014 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!GetStartupInfoA 75C01DF0 5 Bytes JMP 00010076 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreateProcessW 75C0202D 5 Bytes JMP 000100C0 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreateProcessA 75C02062 5 Bytes JMP 000100A5 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreateNamedPipeW 75C31FD6 5 Bytes JMP 00010FC3 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreatePipe 75C34A8B 5 Bytes JMP 00010065 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!VirtualProtect 75C450AB 5 Bytes JMP 0001004A .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!LoadLibraryExW 75C4B6BF 5 Bytes JMP 00010F72 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!LoadLibraryExA 75C4BC8B 5 Bytes JMP 00010F8D .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreateFileW 75C50B7D 5 Bytes JMP 0001000A .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!GetProcAddress 75C51857 5 Bytes JMP 000100D1 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!LoadLibraryA 75C52884 5 Bytes JMP 00010FA8 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!LoadLibraryW 75C528D2 5 Bytes JMP 0001002F .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreateFileA 75C5291C 5 Bytes JMP 00010FEF .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!GetStartupInfoW 75C57CD5 5 Bytes JMP 00010F32 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!CreateNamedPipeA 75C8D5BF 5 Bytes JMP 00010FDE .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!WinExec 75C8E76D 5 Bytes JMP 00010F21 .text C:\Windows\System32\svchost.exe[4732] kernel32.dll!VirtualProtectEx 75C8F729 5 
Bytes JMP 00010F57 .text C:\Windows\System32\svchost.exe[4732] msvcrt.dll!_open 77587E48 5 Bytes JMP 000E0000 .text C:\Windows\System32\svchost.exe[4732] msvcrt.dll!_wsystem 775BB04F 5 Bytes JMP 000E005A .text C:\Windows\System32\svchost.exe[4732] msvcrt.dll!system 775BB16F 5 Bytes JMP 000E0049 .text C:\Windows\System32\svchost.exe[4732] msvcrt.dll!_creat 775BED29 5 Bytes JMP 000E002E .text C:\Windows\System32\svchost.exe[4732] msvcrt.dll!_wcreat 775C038E 5 Bytes JMP 000E0FD9 .text C:\Windows\System32\svchost.exe[4732] msvcrt.dll!_wopen 775C0570 5 Bytes JMP 000E001D .text C:\Windows\System32\svchost.exe[4732] WS2_32.dll!socket 75BC3F00 5 Bytes JMP 000F0000 .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegOpenKeyA 75CED2ED 5 Bytes JMP 001E0000 .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegCreateKeyA 75CED3C1 5 Bytes JMP 001E0FAF .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegCreateKeyExA 75CF1B71 5 Bytes JMP 001E0F83 .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegCreateKeyW 75CF1CC0 5 Bytes JMP 001E0F94 .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegOpenKeyW 75CF3129 5 Bytes JMP 001E0FE5 .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegCreateKeyExW 75CFB946 5 Bytes JMP 001E0F72 .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegOpenKeyExA 75CFBC0D 5 Bytes JMP 001E001B .text C:\Windows\System32\svchost.exe[4732] ADVAPI32.dll!RegOpenKeyExW 75CFBEC4 5 Bytes JMP 001E0FCA ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[2084] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [011C7740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) 
IAT C:\Windows\system32\rundll32.exe[2168] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[2168] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[2168] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75815E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 
tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.) AttachedDevice \FileSystem\fastfat \Fat tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis) ---- EOF - GMER 1.0.15 ----
Now OSAM. OSAM Logfile:
Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:35:03 on 17.07.2010
OS: Windows 7 Ultimate Edition (Build 7600), 32-bit
Default Browser: Mozilla Corporation Firefox 3.6.6
Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures
Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries
[Control Panel Objects]
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLCFG32.CPL
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl
[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Acronis Snapshots Manager" (snapman) - "Acronis" - C:\Windows\System32\DRIVERS\snapman.sys
"Acronis Try&Decide and Restore Points filter (build 258)" (tdrpman258) - "Acronis" - C:\Windows\System32\DRIVERS\tdrpm258.sys
"afcdp" (afcdp) - "Acronis" - C:\Windows\System32\DRIVERS\afcdp.sys
"catchme" (catchme) - ? - C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys (File not found)
"ENTECH" (ENTECH) - "EnTech Taiwan" - C:\Windows\system32\DRIVERS\ENTECH.sys
"McAfee Inc." (mfeavfk01) - ? - C:\Windows\system32\drivers\mfeavfk01.sys (File not found)
"pavboot" (pavboot) - "Panda Security, S.L." - C:\Windows\System32\drivers\pavboot.sys
"SATALink External Device Filter" (SiRemFil) - "Silicon Image, Inc" - C:\Windows\System32\DRIVERS\SiRemFil.sys
"sptd" (sptd) - "Duplex Secure Ltd." - C:\Windows\System32\Drivers\sptd.sys
[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." 
- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll -----( HKLM\Software\Classes\Protocols\Filter )----- {807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL -----( HKLM\Software\Classes\Protocols\Handler )----- {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll {88FED34C-F0CA-4636-A375-3CB6248B04CD} "Local Groove Web Services Protocol" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll {5513F07E-936B-4E52-9B00-067394E91CC5} "McAfee SACore Protocol Handler" - "McAfee, Inc." - c:\progra~1\mcafee\sitead~1\mcieplg.dll {5513F07E-936B-4E52-9B00-067394E91CC5} "McAfee SACore Protocol Handler" - "McAfee, Inc." - c:\progra~1\mcafee\sitead~1\mcieplg.dll -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )----- {B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? - (File not found | COM-object registry key not found) -----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )----- {C539A15B-3AF9-4c92-B771-50CB78F5C751} "Acronis Secure Zone" - "Acronis" - C:\Program Files\Acronis\TrueImageHome\tishell.dll {C539A15A-3AF9-4c92-B771-50CB78F5C751} "Acronis True Image Shell Context Menu Extension" - "Acronis" - C:\Program Files\Acronis\TrueImageHome\tishell.dll {1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA} "Burn4Freecontext menu" - "Ikysasoft s.r.l. 
uninominale" - C:\Windows\System32\B4FM.dll {A70C977A-BF00-412C-90B7-034C51DA2439} "DesktopContext Class" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.dll {99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - 
"Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll {DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C} "KbLogiExt Class" - "Logitech, Inc." - C:\Program Files\SetPoint\kbcplext.dll {B9B9F083-2B04-452A-8691-83694AC1037B} "LogiExt Class" - "Logitech, Inc." - C:\Program Files\SetPoint\mcplext.dll {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL {00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} "NVIDIA CPL Context Menu Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvshext.dll {FFB699E0-306A-11d3-8BD1-00104B6F7516} "NVIDIA CPL Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvcpl.dll {0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - "Alexander Roshal" - C:\Program Files\WinRAR\rarext.dll [Internet Explorer] -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )----- ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found) <binary data> "ITBar7Layout" - ? 
- (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks )-----
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} "McAfee SiteAdvisor Toolbar" - "McAfee, Inc." - c:\progra~1\mcafee\sitead~1\mcieplg.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} "@C:\Windows\WindowsMobile\INetRepl.dll,-222" - "Microsoft Corporation" - C:\Windows\WindowsMobile\INetRepl.dll
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} "ClsidExtension" - "Microsoft Corporation" - C:\Windows\WindowsMobile\INetRepl.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} "McAfee SiteAdvisor Toolbar" - "McAfee, Inc." - c:\progra~1\mcafee\sitead~1\mcieplg.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} "McAfee SiteAdvisor BHO" - "McAfee, Inc." - c:\progra~1\mcafee\sitead~1\mcieplg.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} "scriptproxy" - "McAfee, Inc." - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100711101300.dll
{53707962-6F74-2D53-2644-206D7942484F} "{53707962-6F74-2D53-2644-206D7942484F}" - ? - (File not found | COM-object registry key not found)

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"PS3 Media Server.lnk" - "A. Brochard" - C:\Program Files\PS3 Media Server\PMS.exe (Shortcut exists | File exists)
"Trillian.lnk" - "Cerulean Studios" - C:\Program Files\Trillian\trillian.exe (Shortcut exists | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"Logitech SetPoint.lnk" - "Logitech, Inc." - C:\Program Files\SetPoint\SetPoint.exe (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"AVMUSBFernanschluss" - "AVM Berlin" - C:\Users\Administrator\AppData\Local\Apps\2.0\75CBPPTK.Z44\G452A621.RH8\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\AVMAutoStart.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acronis Scheduler2 Service" - "Acronis" - "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"mcui_exe" - "McAfee, Inc." - "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TrueImageMonitor.exe" - "Acronis" - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"PDFCreator" - ? - C:\Windows\system32\pdfcmnnt.dll (File found, but it contains no detailed information)
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Acronis Nonstop Backup service" (afcdpsrv) - "Acronis" - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
"Acronis Scheduler2 Service" (AcrSch2Svc) - "Acronis" - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
"Logitech Bluetooth Service" (LBTServ) - "Logitech, Inc." - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
"McAfee Firewall Core Service" (mfefire) - "McAfee, Inc." - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
"McAfee Network Agent" (McNASvc) - "McAfee, Inc." - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
"McAfee Personal Firewall-Dienst" (McMPFSvc) - "McAfee, Inc." - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
"McAfee Proxy Service" (McProxy) - "McAfee, Inc." - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
"McAfee Scanner" (McODS) - "McAfee, Inc." - C:\Program Files\McAfee\VirusScan\mcods.exe
"McAfee Services" (mcmscsvc) - "McAfee, Inc." - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
"McAfee SiteAdvisor Service" (McAfee SiteAdvisor Service) - "McAfee, Inc." - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
"McAfee Validation Trust Protection Service" (mfevtp) - "McAfee, Inc." - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
"McAfee VirusScan Announcer" (McNaiAnn) - "McAfee, Inc." - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
"McShield" (McShield) - "McAfee, Inc." - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Microsoft Office Groove Audit Service" (Microsoft Office Groove Audit Service) - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
"NVIDIA Display Driver Service" (nvsvc) - "NVIDIA Corporation" - C:\Windows\system32\nvvsvc.exe
"NVIDIA Stereoscopic 3D Driver Service" (Stereo Service) - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"PS3 Media Server" (PS3 Media Server) - ? - C:\Program Files\PS3 Media Server\win32\service\wrapper.exe (File found, but it contains no detailed information)
"SBSD Security Center Service" (SBSDWSCService) - "Safer Networking Ltd." - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"TeamViewer 5" (TeamViewer5) - "TeamViewer GmbH" - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
"TVersityMediaServer" (TVersityMediaServer) - ? - C:\Program Files\TVersity\Media Server\MediaServer.exe (File found, but it contains no detailed information)

[Winlogon]
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"LBTWlgn" - "Logitech, Inc." - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

===[ Logfile end ]=========================================[ Logfile end ]===
If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Bootkit Remover
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\D: -> \\.\PhysicalDrive1
MD5: 5ddc20efcc4d1dab37c348c7db7289cf
\\.\E: -> \\.\PhysicalDrive2
MD5: bb4f1627d8b9beda49ac0d010229f3ff
\\.\Z: -> \\.\PhysicalDrive2

Size     Device Name          MBR Status
--------------------------------------------
74 GB    \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)
465 GB   \\.\PhysicalDrive1   Unknown boot code
1397 GB  \\.\PhysicalDrive2   OK (DOS/Win32 Boot code found)

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Press any key to quit...

Thanks again for your help
Last edited by Heho01 (17.07.2010 at 21:09) |
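The Bootkit Remover table above reports one disk as "Unknown boot code". As an added example (not the forum's and not eSage Lab's code), here is a Python check for a 512-byte sector dump of the kind the tool's dump command writes: it verifies the 0x55AA signature, hashes the boot-code bytes, separates an all-zero boot area (a plain data disk, one benign reason for that finding) from real boot code, and compares the hash with an assumed known-good baseline. The sample MBRs are constructed, and the assumption that the tool hashes exactly the same 440 bytes is not confirmed by the thread.

```python
"""Inspect a dumped 512-byte master boot record (MBR).
Added example, not from the thread or from eSage Lab's Bootkit Remover; sample
MBRs are constructed inline. That the tool's printed MD5 covers the same bytes
hashed here is an assumption the thread does not confirm."""
import hashlib
import struct

BOOT_CODE_LEN = 440           # boot code ends where the 4-byte disk signature starts
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sectors

def parse_partitions(mbr):
    """Return the four partition-table entries as dicts (empty ones included)."""
    parts = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": sectors})
    return parts

def inspect_mbr(mbr, known_good_md5=None):
    """Classify an MBR as an analyst would after an 'Unknown boot code' finding.
    known_good_md5 is an assumed baseline hash from an already verified disk."""
    if len(mbr) != 512:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    code = mbr[:BOOT_CODE_LEN]
    md5 = hashlib.md5(code).hexdigest()
    if not any(code):            # all-zero boot area: plain data disk
        verdict = "no boot code (expect 'Unknown boot code' on a data disk)"
    elif known_good_md5 is None:
        verdict = "boot code present, no baseline to compare"
    elif md5 == known_good_md5:
        verdict = "boot code present and matches baseline"
    else:
        verdict = "boot code differs from baseline: inspect before trusting"
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "boot_code_md5": md5, "verdict": verdict,
            "partitions": [p for p in parse_partitions(mbr) if p["sectors"]]}

def make_mbr(boot_code, partition_entry):
    """Build a constructed MBR: stub, one partition entry, zero padding, 0x55AA."""
    return bytes(boot_code.ljust(PART_TABLE_OFFSET, b"\0") + partition_entry
                 + b"\0" * 48 + b"\x55\xaa")

# Constructed samples: a system disk with a boot-code stub and a bootable NTFS
# partition (type 0x07), and a data disk whose boot-code area is all zero.
SYSTEM_DISK = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                       struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 2048, 155000000))
DATA_DISK = make_mbr(b"", struct.pack(PART_ENTRY_FMT, 0x00, 0x07, 2048, 976000000))
```

Run it on the first 512 bytes of a real dump file, with a baseline hash recorded from a disk that has already been checked, to turn "unknown" into either "empty" or "changed".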
17.07.2010, 21:03 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bank website wanted 20 TANs, bank says trojan Looks OK. As a check, please run full scans with Malwarebytes and SUPERAntiSpyware and post the logs. Remember to update both tools before scanning!!
__________________ Please always post logfiles in CODE tags |
17.07.2010, 22:00 | #15 |
| Bank website wanted 20 TANs, bank says trojan Hello Arne, that sounds good so far, although Malwarebytes initially found nothing, does that matter? I would also be interested to know whether one can determine when I picked up the uninvited guest. Last week I had a problem with McAfee and no longer had a licence, so I reinstalled McAfee 1-3 times, and unfortunately I can only install McAfee with internet access, which means I am inevitably online without protection, with only the router in between, and if I remember correctly... not only on the McAfee site. Installing the virus scanner online is not exactly ideal either... ... I actually thought until recently that my system was/is "relatively secure":
McAfee (I don't like the Antivir icon)
HiJackThis (with online analysis)
Spybot (though I believe it's useless, or is it?)
Brain.exe (although I apparently switch it off sometimes)
Online scanner (when in doubt or when I have a bad feeling)
Is there anything I can do better?! What is counterproductive is that, despite all my security concerns, I was running Windows as admin out of convenience. I don't know how much more protection a limited account provides. It probably wouldn't have prevented my problem here either, or would it? Your forum is top-notch. In the past I was here quite often, but only to read and learn. Great what you all know. (I don't want to know how many people have an infected system and don't notice... "the virus scanner deleted it", that's what I also thought until 3 years ago. Or the virus scanner doesn't report anything any more because it's already overwhelmed ... I've now trusted you completely. Somehow I had an uneasy feeling now and then too (Brain.exe), especially when the scanner raises an alarm or has to be switched off. Maybe, I thought to myself, the Trojaner-Board is itself just one big trojan and my PC is now wide open in all directions.
No offence meant. I'm now a bit more paranoid than before. There will also be a donation for your great board. (If all this rambling doesn't belong here, please move it.... I'd be glad of one or two answers.) The scans will follow, I just wanted to get this off my chest. Regards, Chris Last edited by Heho01 (17.07.2010 at 22:43) |