Trojaner-Board - WoW - Account gehackt und nun

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - WoW - Account gehackt und nun (https://www.trojaner-board.de/76868-wow-account-gehackt.html)

(Teil 2 - RSIT log)

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{CB4612E8-04B7-4246-A325-ACC739B11959}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-07-15 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-18 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-07-06 4669440]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-02-26 153136]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"Skytel"=C:\Windows\Skytel.exe [2007-06-15 1826816]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2008-01-10 92704]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-01-10 8530464]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-01-10 88608]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=D:\_Stuff_Programme\_Mbam_Scanner\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c7f31d8-9328-11de-a353-806e6f6e6963}]
shell\AutoRun\command - E:\SETUP.EXE /AUTORUN
shell\configure\command - E:\SETUP.EXE
shell\install\command - E:\SETUP.EXE

(Teil 3 - RSIT log)

im Anhang als Datei (war glaub echt zuviel zum Posten)

(Teil 4 - RSIT log)

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver; C:\Windows\system32\DRIVERS\fetnd6v.sys [2008-09-22 43520]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-07-18 1841312]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [2009-08-03 38160]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-01-10 8237120]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\Windows\system32\DRIVERS\fetnd5bv.sys [2007-04-17 42496]
S3 FETNDIS;VIA Rhine-Familie--Fast-Ethernet-Adaptertreiberdienst; C:\Windows\system32\DRIVERS\fetnd5.sys [2006-11-02 45568]
S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S4 iaStor;Intel RAID Controller; C:\Windows\system32\drivers\iastor.sys [2007-07-12 305176]
S4 JRAID;JRAID; C:\Windows\system32\drivers\jraid.sys [2007-06-13 48256]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\drivers\nvrd32.sys [2007-07-02 131616]
S4 nvstor32;nvstor32; C:\Windows\system32\drivers\nvstor32.sys [2007-07-02 110112]
S4 viamraid;viamraid; C:\Windows\system32\drivers\viamraid.sys [2006-11-08 102912]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 ProtexisLicensing;ProtexisLicensing; c:\Windows\system32\PSIService.exe [2006-11-02 174656]
R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler; C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 204800]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-02-26 267824]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UPnPService;UPnPService; C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 544768]

-----------------EOF-----------------

Ende - MfG. Kezzy

Zitat:

Zitat von Lucky (Beitrag 460647)

Also auf den ersten Blick sieht das gut aus. Ich lass aber nochmal jemand drüber gucken.
Was mir auffällt, der Curse Client ist ja ein Addon Verwalter. Hast du Addons für WoW installiert? Denn evtl. kann sich ja über so einen Weg Malware/Spyware und Co einschließen und deine Logindaten zum "Ersteller" übersehen.

Also nochmal zum Ablauf, und ich weiss glaub wo ich mir ihn eingefangen hab.
Curse Client seit gestern erst drauf, hab aber addons drauf die ich shcon jahre nutze.

Sonntag:
> google - WoW Addons gesucht, "FishAddon" gefunden, gedownloadet und > angeklickt (man was für eine Dummheit, es war ne .exe nach der sich nix tat)

Montag:
> Account wurde gehackt, Battle.Net Accoutn vom Hacker erstellt!
Meine Maßnahmen:
- Blizzard benachrichtigt,
- System mit allen möglichen Mitteln durchsucht, Teilweise Meldungen behoben
Avira Antivir installiert und aktiv in Benutzung
Ergebniss:
- kein Funde mehr
- alle Passwörter geändert

Donnerstag früh um 3 Uhr:
- Account war wieder hergestellt,
- kurz nach 3 Uhr eingelogt, ca. 20 min später aus dem Spiel geflogen,
> Account wurde gehackt, Battle.Net Account vom "Hacker" erstellt!
> Blizzard sperrt Account bis Freitag früh
- unter c:\ direkt, konnte ich einige Datein sehen, 2 Bilder mit WoW- Inhalt, 2 Dateien boot.bak und .rnd (boot.bak der name nicht mehr ganz in erinnerung)
Diese beiden Datein online überprüfen lassen -> wurden als gefahr eingestuft -> per Hand gelöscht
Meine Maßnahmen:
- System neu aufgesetzt,
- Antivir aktiv in Benutzung,
- Alle Passwörter über anderen PC (vom hoch vertraulichen Bekannten) ändern lassen
- Battle.Net Account in diesem Zusammenhang erstellen lassen von dem Bekannten
- Anmeldung & Hilfesuche hier im Forum ;)
Freitag bis JETZT:
- Windows Updates, Softwareupdates usw. halt die Anweisungen von Dir befolgt
- in der restlichen Zeit konnte ich bis zum jetzigen Zeitpunkt wieder WoW spielen ohne einen Fremdzugriff registrieren zu können.

MfG. Kezzy

Hast du sämtliche Kennwörter geändert oder nur die im Zusammenhang mit WoW?

Führe bitte folgendes aus:

Code:

Rootkitscan mit RootRepealGehe hierhin, scrolle runter und downloade RootRepeal.zip.

 Entpacke die Datei auf Deinen Desktop.

 Doppelklicke die RootRepeal.exe, um den Scanner zu starten.

 Klicke auf den Reiter Report und dann auf den Button Scan.

 Mache einen Haken bei den folgenden Elementen und klicke Ok.
 .
 Drivers

Files

Processes

SSDT

Stealth Objects

Hidden Services

Shadow SSDT
 .

 Im Anschluss wirst Du gefragt, welche Laufwerke gescannt werden sollen.

 Wähle C:\ und klicke wieder Ok.

 Der Suchlauf beginnt automatisch, es wird eine Weile dauern, bitte Geduld.

 Wenn der Suchlauf beendet ist, klicke auf Save Report.

 Speichere das Logfile als RootRepeal.txt auf dem Desktop.

 Kopiere den Inhalt hier in den Thread.

Zitat:

- in der restlichen Zeit konnte ich bis zum jetzigen Zeitpunkt wieder WoW spielen ohne einen Fremdzugriff registrieren zu können.

Das finde ich etwas riskant, wo noch nicht geklärt ist ob das System sauber ist.

Zitat:

Zitat von Kezzy (Beitrag 460661)

- unter c:\ direkt, konnte ich einige Datein sehen, 2 Bilder mit WoW- Inhalt, 2 Dateien boot.bak und .rnd (boot.bak der name nicht mehr ganz in erinnerung)
Diese beiden Datein online überprüfen lassen -> wurden als gefahr eingestuft -> per Hand gelöscht

Weisst du noch was genau gemeldet wurde? Also welche Malware es war?

Alle Passwörter geändert (am PC des Bekannten), auch die die nicht mit WoW in Verbindung stehen!

Welche Malware es war - leider weiss ich es nicht mehr, lerne hier aber dazu mir das alles zu notieren beim nächsten mal ;)

Deine weiteren Anwisungen werden dann ausgeführt.

MfG. Kezzy

(Teil 1)

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 16:55
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_ViPrt.sys
Image Path: C:\Windows\System32\Drivers\dump_ViPrt.sys
Address: 0x8CB51000 Size: 65536 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9A187000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings
Status: Locked to the Windows API!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\ProgramData\Application Data
Status: Locked to the Windows API!

Path: C:\ProgramData\Desktop
Status: Locked to the Windows API!

Path: C:\ProgramData\Documents
Status: Locked to the Windows API!

Path: C:\ProgramData\Favorites
Status: Locked to the Windows API!

Path: C:\ProgramData\Start Menu
Status: Locked to the Windows API!

Path: C:\ProgramData\Templates
Status: Locked to the Windows API!

Path: C:\System Volume Information\{08cee851-93d9-11de-8118-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0962aab7-9340-11de-9b1f-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{108eb8ef-934a-11de-8ad4-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{23912966-932e-11de-a768-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{513400be-933d-11de-88a1-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{513401e2-933d-11de-88a1-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{58a3dbc7-9336-11de-a64a-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{69f78e6d-93e9-11de-825a-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6d8679ab-9342-11de-bc22-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{71ab90b8-9334-11de-9f50-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{82660b79-9348-11de-8abb-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{960d3ed7-93cf-11de-bec2-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b1c4b1fe-93d4-11de-aa3c-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bbec3e8f-934b-11de-a200-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bbec404b-934b-11de-a200-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bc85d2e6-934d-11de-a1ea-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{beab4788-9329-11de-9e1f-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c82d8c78-9354-11de-bb66-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{cbb4539c-9344-11de-930f-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dd4ecd6d-93ec-11de-bc7b-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dd4ecd9b-93ec-11de-bc7b-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dd4ecdfd-93ec-11de-bc7b-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{e08ef276-9340-11de-831e-0019dbd44aa6}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Users\All Users
Status: Locked to the Windows API!

Path: C:\Users\Default User
Status: Locked to the Windows API!

Path: C:\Users\Default\Application Data
Status: Locked to the Windows API!

Path: C:\Users\Default\Cookies
Status: Locked to the Windows API!

Path: C:\Users\Default\Local Settings
Status: Locked to the Windows API!

Path: C:\Users\Default\My Documents
Status: Locked to the Windows API!

Path: C:\Users\Default\NetHood
Status: Locked to the Windows API!

Path: C:\Users\Default\PrintHood
Status: Locked to the Windows API!

Path: C:\Users\Default\Recent
Status: Locked to the Windows API!

Path: C:\Users\Default\SendTo
Status: Locked to the Windows API!

Path: C:\Users\Default\Start Menu
Status: Locked to the Windows API!

Path: C:\Users\Default\Templates
Status: Locked to the Windows API!

Path: C:\Users\Default\Documents\My Music
Status: Locked to the Windows API!

Path: C:\Users\Default\Documents\My Pictures
Status: Locked to the Windows API!

Path: C:\Users\Default\Documents\My Videos
Status: Locked to the Windows API!

Path: C:\Users\Public\Documents\My Music
Status: Locked to the Windows API!

Path: C:\Users\Public\Documents\My Pictures
Status: Locked to the Windows API!

Path: C:\Users\Public\Documents\My Videos
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\70f19edeeb8e3329aad18f744094ea0319d2ecc78dd6a12559a1e765c42418f7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\3582cf91bea0e0e7b5f4b8a168a2e4bf248a01f764aa3c5d7c4f352ebc681e9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\a2f948df89c5a4090fb47a74b09ed39300f3a2d09a1cd13212bee8c7ee928959.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\9f4b272407008a230979f286064e895aa72cac13cd57d536a67ea34c9dd91a2c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\f3c343567eb07e928a24a5c8b8bf732a5523d0acd4762015ba309f48255a5baf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdproxy_31bf3856ad364e35_6.0.6000.16386_none_792f8ff471a64e3b\$$DeleteMe.fdProxy.dll.01ca2800bbf4746e.001e
Status: Locked to the Windows API!

(Teil 2)

Path: C:\Windows\winsxs\x86_fdssdp_31bf3856ad364e35_6.0.6001.18000_none_3addf297743e6161\$$DeleteMe.fdSSDP.dll.01ca2800be94cb92.0047
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdwsd_31bf3856ad364e35_6.0.6001.18000_none_7da88373c225d895\$$DeleteMe.fdWSD.dll.01ca2800c415d958.008a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fundisc_31bf3856ad364e35_6.0.6001.18000_none_7be46ed83ae29055\$$DeleteMe.fundisc.dll.01ca2800bd686346.0036
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_d51103be4cb9d6c3\$$DeleteMe.apphelp.dll.01ca2800c42689ce.008d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.0.6001.18000_none_5f327439667d597c\$$DeleteMe.adsldpc.dll.01ca2800bd639e92.0034
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6001.18000_de-de_6f98a23ac1f6e3d2\$$DeleteMe.advapi32.dll.mui.01ca2800cc9dc360.00b2
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0\$$DeleteMe.advapi32.dll.01ca2800bb3a7d02.0019
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-atl_31bf3856ad364e35_6.0.6001.18293_none_aac1f52459f8aeb3\$$DeleteMe.atl.dll.01ca2800c2107b0e.0066
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_ee8c936cef65a88f\$$DeleteMe.bcrypt.dll.01ca2800bb8b8cf6.001c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\$$DeleteMe.qmgr.dll.01ca2800bfc39638.0051
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-igdsearcher_31bf3856ad364e35_6.0.6001.18000_none_b16c3d098f004f58\$$DeleteMe.bitsigd.dll.01ca2800bf001564.004b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_0cbe918751dfdd3f\$$DeleteMe.es.dll.01ca2800c3c72bbe.0082
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..rformance-xperfcore_31bf3856ad364e35_6.0.6001.18000_none_d71173946e986845\$$DeleteMe.diagperf.dll.01ca2800c60ce986.009d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.18000_none_d77db57c3ca78826\$$DeleteMe.certcli.dll.01ca2800bdbbd594.0039
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cmi_31bf3856ad364e35_6.0.6001.18000_none_a9ce4a485a8ade99\$$DeleteMe.cmiv2.dll.01ca2800c9e594b8.00ae
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-credui_31bf3856ad364e35_6.0.6001.18000_none_db374cc18eed7408\$$DeleteMe.credui.dll.01ca2800b9115b72.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\$$DeleteMe.crypt32.dll.01ca2800c2428c70.006c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\$$DeleteMe.cryptsvc.dll.01ca2800be24bd0c.0040
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.0.6001.18000_none_85ee5b5e98235317\$$DeleteMe.cryptui.dll.01ca2800c06cdd2e.0057
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6001.18000_none_8da39414bd31fb37\$$DeleteMe.uxsms.dll.01ca2800c4589b30.0090
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc.dll.01ca2800c4622498.0092
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc6.dll.01ca2800b93ea820.000d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samlib.dll.01ca2800bf8a5dc8.004d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samsrv.dll.01ca2800ba9f8428.0016
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsapi.dll.01ca2800ba369cb0.0013
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsrslvr.dll.01ca2800bcff7bce.002e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18000_none_9e8bec4ef6ba613c\$$DeleteMe.emdmgmt.dll.01ca27f97dcb8c97.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18098_none_9e329f52f6fc276d\$$DeleteMe.emdmgmt.dll.01ca2800c25f28a8.006e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.0.6001.18000_none_f1e446e12c0bbf09\$$DeleteMe.esent.dll.01ca2800c0eb39d0.005d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-eventlog-api_31bf3856ad364e35_6.0.6001.18000_none_ac31021c654a3267\$$DeleteMe.wevtapi.dll.01ca2800b945cf2e.000e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.18000_none_dcc45c1a12d92f84\$$DeleteMe.wevtsvc.dll.01ca2800bb2e9140.0017
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feclient_31bf3856ad364e35_6.0.6001.18000_none_beda112b5794d4e0\$$DeleteMe.feclient.dll.01ca2800c4bf204e.0097
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6001.18159_none_59519ee04971f856\$$DeleteMe.gdi32.dll.01ca2800c2428c70.006b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpapi.dll.01ca2800bfba0cd0.0050
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpsvc.dll.01ca2800c2c5adc6.0074
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-hid-user_31bf3856ad364e35_6.0.6000.16386_none_d47586718a839763\$$DeleteMe.hidserv.dll.01ca2800c31de4c8.0077
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..nal-core-locale-nls_31bf3856ad364e35_6.0.6001.18000_none_6ab830d9a945c1d1\$$DeleteMe.locale.nls.01ca2800c669e53c.009e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.0.6001.18000_none_11e312d27c5a6ba6\$$DeleteMe.iphlpsvc.dll.01ca2800b5d3a91a.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6001.18000_none_5c561e167a6afd02\$$DeleteMe.imm32.dll.01ca2800bc6baa02.0025
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18215_none_93b81a93564f1da0\$$DeleteMe.kernel32.dll.01ca2800bc6947a8.0024
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.0.6001.18000_none_f33c4797566bb3db\$$DeleteMe.Wldap32.dll.01ca2800bfa497a6.004f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mfplat_31bf3856ad364e35_6.0.6001.18000_none_f6aa98ad53755122\$$DeleteMe.mfplat.dll.01ca2800b9ac544c.0010
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mmdeviceapi_31bf3856ad364e35_6.0.6001.18000_none_55044397b961da8a\$$DeleteMe.MMDevAPI.dll.01ca2800c557b6ce.009b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mprapi_31bf3856ad364e35_6.0.6001.18000_none_140c84ec53049b39\$$DeleteMe.mprapi.dll.01ca2800b9188280.000c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mpr_31bf3856ad364e35_6.0.6001.18000_none_add5c97257f151a1\$$DeleteMe.mpr.dll.01ca2800bdfe976c.003d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.0.6001.18000_none_c7427a4e786d74bc\$$DeleteMe.adtschema.dll.01ca2800c2238dde.0069
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.0.6001.18000_none_d15536209ee61dad\$$DeleteMe.msvcrt.dll.01ca2800bece0402.004a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6001.18136_none_8853d47896e90b40\$$DeleteMe.msxml3.dll.01ca2800c3c4c964.0081
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.IPSECSVC.DLL.01ca2800be75cd00.0046
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_5dde5591f19c0ea3\$$DeleteMe.ncrypt.dll.01ca2800c0aada52.0058
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netshell_31bf3856ad364e35_6.0.6001.18000_none_d5836ad30e0ac92d\$$DeleteMe.netshell.dll.01ca2800c3977cb6.007f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\$$DeleteMe.netapi32.dll.01ca2800c35e4446.007b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.0.6001.18000_none_ab6af9d0f92539f0\$$DeleteMe.cscapi.dll.01ca2800c45fc23e.0091
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6001.18000_none_bd002a8dfb7a3328\$$DeleteMe.oleaut32.dll.01ca2800bcfd1974.002d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18247_none_2ff7241d92c8344e\$$DeleteMe.localspl.dll.01ca2800c42db0dc.008e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..pooler-core-spoolss_31bf3856ad364e35_6.0.6001.18000_none_5b3992df8e604356\$$DeleteMe.spoolss.dll.01ca2800c0eb39d0.005c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_6.0.6001.18000_none_8ad265adc8633a42\$$DeleteMe.inetpp.dll.01ca2800bce7a44a.002a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor-tcpmondll_31bf3856ad364e35_6.0.6001.18000_none_d2ac9d5aa723258e\$$DeleteMe.tcpmon.dll.01ca2800c5cc8a08.009c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\$$DeleteMe.win32spl.dll.01ca2800bca4e272.0028
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6001.18000_none_932df61f18add086\$$DeleteMe.winspool.drv.01ca2800c38b90f4.007e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-wsdportmonitor_31bf3856ad364e35_6.0.6001.18000_none_16d3442ddf994157\$$DeleteMe.WSDMon.dll.01ca2800bc006030.0020
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-pantherengine_31bf3856ad364e35_6.0.6001.18000_none_ae116f90a5d6b7d4\$$DeleteMe.wdscore.dll.01ca2800c00b1cc4.0053
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-profsvc_31bf3856ad364e35_6.0.6001.18000_none_fbb1576d32ad0ba9\$$DeleteMe.profsvc.dll.01ca2800c2913a0a.0070
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-propsys.resources_31bf3856ad364e35_6.0.6001.18000_de-de_3f16907f1a8085c4\$$DeleteMe.propsys.dll.mui.01ca27f97ff4ae27.000c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasapi_31bf3856ad364e35_6.0.6001.18000_none_6d377f6a4f85327c\$$DeleteMe.rasapi32.dll.01ca2800b9bd04c2.0011
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-raschap_31bf3856ad364e35_6.0.6001.18000_none_12bf0305774c76e6\$$DeleteMe.raschap.dll.01ca2800bcea06a4.002b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasmanservice_31bf3856ad364e35_6.0.6001.18000_none_9ebd9641a0a88359\$$DeleteMe.rasmans.dll.01ca2800c1aebaa4.0063
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasplap_31bf3856ad364e35_6.0.6001.18000_none_1236753177b2477f\$$DeleteMe.rasplap.dll.01ca2800c400642e.0088
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasppp_31bf3856ad364e35_6.0.6001.18000_none_6c94b11e4fff8902\$$DeleteMe.rasppp.dll.01ca2800be0820d4.003e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6001.18247_none_b3d66539452e6ad2\$$DeleteMe.rpcrt4.dll.01ca2800c479fc1c.0094
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.0.6001.18000_none_5fc70fc7b14478d4\$$DeleteMe.rsaenh.dll.01ca2800bdcc860a.003b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..cardsubsystemclient_31bf3856ad364e35_6.0.6001.18000_none_18e47a437999387f\$$DeleteMe.WinSCard.dll.01ca2800bf1f13f6.004c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..configurationengine_31bf3856ad364e35_6.0.6001.18000_none_b924e3b3889aaa51\$$DeleteMe.scesrv.dll.01ca2800c4e2e394.0099
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.0.6001.18000_none_3a21c33374546c1e\$$DeleteMe.authz.dll.01ca2800c360a6a0.007c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.0.6001.18000_none_3a21c33374546c1e\$$DeleteMe.ntmarta.dll.01ca2800be4ae2ac.0044
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..icensing-slc-client_31bf3856ad364e35_6.0.6001.18000_none_c51f5aefa5ed5be4\$$DeleteMe.SLC.dll.01ca2800be546c14.0045
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..mmaintenanceservice_31bf3856ad364e35_6.0.6001.18000_none_3d4df24ae03752d7\$$DeleteMe.sysmain.dll.01ca2800bec21840.0049
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..nsing-slc.resources_31bf3856ad364e35_6.0.6001.18000_de-de_25dbedadb6f08ea6\$$DeleteMe.SLsvc.exe.mui.01ca2800cc622896.00af
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\$$DeleteMe.services.exe.01ca2800bbf93922.001f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\$$DeleteMe.scecli.dll.01ca2800b90ef918.0009
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.18272_none_3a83a0037cec045c\$$DeleteMe.wdigest.dll.01ca2800bd2f2ad6.0031
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-licensing-wga_31bf3856ad364e35_6.0.6001.18000_none_4e4769e7f9aab897\$$DeleteMe.slwga.dll.01ca2800beb62c7e.0048
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\$$DeleteMe.netlogon.dll.01ca2800bc1110a6.0021
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18272_none_21cc9ffa5579c754\$$DeleteMe.schannel.dll.01ca2800c0e8d776.005b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.18272_none_e68d3217b104808b\$$DeleteMe.kerberos.dll.01ca2800c2f0981a.0075
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shdocvw_31bf3856ad364e35_6.0.6001.18000_none_e774ed850be62dd0\$$DeleteMe.shdocvw.dll.01ca2800c06a7ad4.0056
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18167_none_6bef4f42122643ed\$$DeleteMe.shell32.dll.01ca2800c12936f4.005f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\$$DeleteMe.shsvcs.dll.01ca2800c0d82700.0059
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-slc-component-sku-ocur_31bf3856ad364e35_6.0.6002.18005_none_1a3913896b7e0bf6\SECURI~3.XRM
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_microsoft-windows-slc-component-sku-ocur_31bf3856ad364e35_6.0.6002.18005_none_1a3913896b7e0bf6\security-licensing-slc-component-sku-ocur-ppdlic.xrm-ms
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: C:\Windows\winsxs\x86_microsoft-windows-slc-component-sku-ocur_31bf3856ad364e35_6.0.6002.18005_none_1a3913896b7e0bf6\SECURI~2.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-smss_31bf3856ad364e35_6.0.6001.18000_none_ac3aa7fd19319fba\$$DeleteMe.smss.exe.01ca2800b5b2482e.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-snmp-winsnmp-api_31bf3856ad364e35_6.0.6001.18000_none_e04d7d11c2a2726e\$$DeleteMe.wsnmp32.dll.01ca2800bd6600ec.0035
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6001.18027_none_46d13215b348e76c\$$DeleteMe.srclient.dll.01ca2800bb30f39a.0018
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.0.6001.18000_none_75c3b019eec51999\$$DeleteMe.msctf.dll.01ca2800b99e0630.000f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6001.18000_none_8e9f41c854441762\$$DeleteMe.termsrv.dll.01ca2800c41f62c0.008b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-tapiservice_31bf3856ad364e35_6.0.6001.18000_none_e33cd8dbe4f2987f\$$DeleteMe.tapisrv.dll.01ca2800bdeb849c.003c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_e5ac4d2ebeda6d57\$$DeleteMe.taskeng.exe.01ca2800c1a2cee2.0062
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-time-service_31bf3856ad364e35_6.0.6001.18000_none_88a763af6d4aa52f\$$DeleteMe.w32time.dll.01ca2800c341a80e.0079
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6001.18000_none_910d33844d26b5fb\$$DeleteMe.TrustedInstaller.exe.01ca2800d38dfb4a.00b3
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-wiProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1212 Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x9973750c

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x997374f8

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x997374fd

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x99737507

==EOF==

Diese Datei mal online überprüfen lassen. Ist das vieleicht ein weiterer Anhaltspunkt?

PDF24Updater.exe fiel mir nur auf da der Win.defender immer Meldung gab udn das Ding im Autostart laufen wollte. Ich hab nicht viel Ahnung, will es aber halt ausschliessen das dort nicht was ist.

Virustotal. MD5: 544f0c3adcfaf4260fa8fb1f35e62430 Heuristic.BehavesLike.Win32.PasswordStealer.L

Hast du den PDF Drucker selber installiert?

Hi,

ja, hatte ich. Ist aber nun wieder deinstalliert, da ich eigentlich nur den PDFCreator-0_9_8 haben wollte.
Also denk mal das war nichts schlimmes!?

Was gibt es noch zu den vorher geposteten Logs/ Scanns zu sagen? Sieht alles ok aus? Kann ich schon eventeull sicher sein, dass mein System wieder sauber ist?

MfG. Kezzy

Sieht ok aus, hast du noch irgendwelche Auffälligkeiten oder Probleme wieder gehabt?

Um ehrlich zu sein, nein. Nichts auffälliges mehr und mein WoW Account gehört immernoch mir.

Ich denke/ hoffe mein System ist sauber. Und so nebei noch recht herzlichen Dank für den Support/ für die Hilfe.

MfG. Kezzy