| |
| |||||||
Log-Analyse und Auswertung: win32:zbot-ncp und trojan fakeavWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
13.05.2011, 21:36
| #1 |
| |  win32:zbot-ncp und trojan fakeav hallo. habe wie einige andere wohl einen üblen plagegeist ergattert. hintergrundbild im vista ist verschwunden und ist nun schwarz, ausserdem auch diverse dateien aus privaten ordnern weg und beim hochfahren kommt die fehlermeldung: Catalyst control centre : Host application hat ein problem festgestellt und muss beendet werden hier txt aus otl (die extra wird augenblicklich nicht erstellt, die funktion fix in otl gibt die fehlermeldung: es wurde kein fix vorgesehen) bin für tips dankbar:OTL Logfile: Code:
ATTFilter OTL logfile created on: 13.05.2011 22:16:54 - Run 3 OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\****\Downloads Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 62,00% Memory free 4,00 Gb Paging File | 3,00 Gb Available in Paging File | 79,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 282,09 Gb Total Space | 255,28 Gb Free Space | 90,50% Space Free | Partition Type: NTFS Drive D: | 15,00 Gb Total Space | 7,35 Gb Free Space | 49,02% Space Free | Partition Type: NTFS Computer Name: ****** | User Name: ****** | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 360 Days ========== Processes (SafeList) ========== PRC - C:\Users\Alfred\Downloads\OTL.exe (OldTimer Tools) PRC - C:\Programme\Alwil Software\Avast5\AvastUI.exe (AVAST Software) PRC - C:\Programme\Alwil Software\Avast5\AvastSvc.exe (AVAST Software) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE () PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation) PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation) ========== Modules (SafeList) ========== MOD - C:\Users\Alfred\Downloads\OTL.exe (OldTimer Tools) MOD - C:\Programme\Alwil Software\Avast5\snxhk.dll (AVAST Software) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software) SRV - (Rezip) -- C:\Windows\System32\Rezip.exe () SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software) DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software) DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software) DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software) DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software) DRV - (rtl8192se) -- C:\Windows\System32\drivers\rtl8192se.sys (Realtek Semiconductor Corporation ) DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation ) DRV - (SASENUM) -- C:\Programme\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASKUTIL) -- C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (SASDIFSV) -- C:\Programme\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com) DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com/ IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.medion.com/ IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com/ IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.medion.com/ IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1005\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3759040712-2264673185-2536960619-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.03.26 22:22:23 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.05.13 15:42:49 | 000,000,000 | ---D | M] [2010.03.26 22:22:21 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2010.03.16 20:28:04 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010.03.16 20:28:04 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml [2010.03.16 20:28:04 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010.03.16 20:28:04 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010.03.16 20:28:04 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.) O4 - HKLM..\Run: [avast5] C:\Programme\Alwil Software\Avast5\AvastUI.exe (AVAST Software) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-21-3759040712-2264673185-2536960619-1004..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-21-3759040712-2264673185-2536960619-1005..\Run: [aGxoSBhalgOAPeG] File not found O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.) O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.) O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - File not found O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - File not found O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKU\S-1-5-21-3759040712-2264673185-2536960619-1005 Winlogon: Shell - (C:\Users\Alfred\AppData\Local\Temp\rro32ueg.exe) - File not found O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Programme\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programme\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 360 Days ========== [2011.05.05 13:32:36 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll [2011.05.05 13:32:33 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll [2011.05.05 13:15:35 | 000,000,000 | -H-D | C] -- C:\ProgramData\SUPERAntiSpyware.com [2011.05.05 13:13:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware [2011.05.05 13:13:48 | 000,000,000 | ---D | C] -- C:\Users\spieler\AppData\Roaming\SUPERAntiSpyware.com [2011.05.05 13:13:48 | 000,000,000 | ---D | C] -- C:\Programme\SUPERAntiSpyware [2011.05.05 13:11:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner [2011.05.05 13:11:14 | 000,000,000 | ---D | C] -- C:\Programme\CCleaner [2011.05.05 13:10:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome [2011.05.05 13:09:46 | 000,000,000 | ---D | C] -- C:\Users\spieler\AppData\Roaming\Malwarebytes [2011.05.05 13:09:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2011.05.05 13:09:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2011.05.05 13:09:30 | 000,000,000 | -H-D | C] -- C:\ProgramData\Malwarebytes [2011.05.05 13:09:27 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2011.05.05 13:09:27 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2011.05.05 13:05:52 | 000,000,000 | ---D | C] -- C:\Users\spieler\AppData\Roaming\HP [2011.04.13 10:53:06 | 000,292,864 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll [2011.04.13 10:53:05 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll [2011.04.13 10:53:00 | 001,161,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll [2011.04.13 10:53:00 | 001,136,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll [2011.04.13 10:52:56 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dnscacheugc.exe [2011.04.13 10:52:49 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll [2011.04.13 10:52:47 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2011.04.13 10:52:47 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll [2011.04.13 10:52:46 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2011.04.13 10:52:46 | 000,467,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2011.04.13 10:52:46 | 000,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec [2011.04.13 10:52:46 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2011.04.13 10:52:46 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll [2011.04.13 10:52:46 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll [2011.04.13 10:52:46 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2011.04.13 10:52:33 | 002,040,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2011.04.13 10:52:29 | 000,512,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll [2011.04.13 10:52:29 | 000,430,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll [2011.03.13 14:53:22 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll [2011.03.13 14:53:21 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll [2011.03.13 14:53:21 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax [2011.03.13 14:53:21 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll [2011.02.24 11:07:25 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell [2011.02.24 11:06:27 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrsmgr.dll [2011.02.24 11:06:19 | 000,040,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrs.exe [2011.02.24 11:06:19 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrshost.exe [2011.02.24 11:06:19 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmprovhost.exe [2011.02.24 11:06:18 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmplpxy.dll [2011.02.24 11:06:18 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrssrv.dll [2011.02.24 11:06:17 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wevtfwd.dll [2011.02.24 11:06:17 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecutil.exe [2011.02.24 11:06:17 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecapi.dll [2011.02.24 11:06:17 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmRes.dll [2011.02.24 11:06:17 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pwrshplugin.dll [2011.02.24 11:06:12 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmAuto.dll [2011.02.24 11:06:11 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManMigrationPlugin.dll [2011.02.24 11:06:11 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManHTTPConfig.exe [2011.02.24 11:06:11 | 000,241,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrscmd.dll [2011.02.24 11:06:11 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmWmiPl.dll [2011.02.11 15:36:45 | 003,548,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2011.02.11 15:36:44 | 003,600,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2011.01.12 15:46:31 | 000,409,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\odbc32.dll [2011.01.12 15:46:25 | 001,169,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe [2010.12.15 19:04:27 | 000,357,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll [2010.12.15 19:04:27 | 000,345,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll [2010.12.15 19:04:26 | 000,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll [2010.12.15 19:04:22 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe [2010.12.15 19:04:21 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll [2010.12.15 19:04:03 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll [2010.10.20 16:58:57 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll [2010.10.20 14:00:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth [2010.10.20 13:52:17 | 008,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL [2010.10.20 13:51:54 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netevent.dll [2010.10.20 13:51:33 | 000,157,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll [2010.10.20 13:51:30 | 000,954,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40.dll [2010.10.20 13:51:30 | 000,954,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40u.dll [2010.10.20 13:51:23 | 000,866,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpmde.dll [2010.10.20 13:32:48 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Adobe [2010.10.20 13:32:48 | 000,000,000 | ---D | C] -- C:\Programme\Adobe [2010.09.20 11:46:32 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL [2010.08.12 11:41:00 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll [2010.08.12 11:40:40 | 000,036,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll [2010.07.01 16:45:59 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr [2010.06.30 17:01:01 | 000,000,000 | ---D | C] -- C:\Users\spieler\AppData\Roaming\Google [2010.06.30 17:01:01 | 000,000,000 | ---D | C] -- C:\Users\spieler\AppData\Local\Google [2010.06.23 19:53:36 | 000,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax [2010.06.23 19:53:36 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Mpeg2Data.ax [2010.06.23 19:53:36 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSDvbNP.ax [2010.06.23 19:53:30 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll [2010.06.23 19:53:29 | 000,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax [2010.06.23 19:53:24 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe [2010.06.23 19:53:24 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll [2010.06.23 19:53:24 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll [2010.06.08 21:40:20 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll [2010.06.08 21:39:55 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2010.06.08 21:39:42 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll [2010.06.03 20:43:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files - Modified Within 360 Days ========== [2011.05.13 22:21:01 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2011.05.13 22:19:26 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2011.05.13 22:19:26 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2011.05.13 22:19:26 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2011.05.13 22:19:26 | 000,004,498 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2011.05.13 22:14:52 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2011.05.13 22:12:58 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2011.05.13 22:12:54 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2011.05.13 22:12:54 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2011.05.13 22:12:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2011.05.13 22:11:50 | 2012,536,832 | -HS- | M] () -- C:\hiberfil.sys [2011.05.13 22:08:34 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2011.05.13 15:45:17 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{3BCA7624-8D23-4846-89EB-706B6A6EEA94}.job [2011.05.13 15:42:49 | 000,001,891 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk [2011.05.12 13:43:20 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~38788856 [2011.05.12 13:43:16 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~38788856r [2011.05.12 13:42:51 | 000,000,336 | -H-- | M] () -- C:\ProgramData\38788856 [2011.05.11 13:21:56 | 000,001,975 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk [2011.05.05 13:13:51 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk [2011.05.05 13:11:17 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2011.05.05 13:09:35 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.05.05 13:04:46 | 000,001,593 | ---- | M] () -- C:\Users\Public\Desktop\Browserwahl.lnk [2011.04.14 09:24:41 | 000,303,016 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2011.03.10 18:12:54 | 001,161,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll [2011.03.10 18:12:54 | 001,136,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll [2011.03.03 16:56:40 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll [2011.03.03 15:01:01 | 004,240,384 | ---- | M] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll [2011.03.03 14:53:48 | 002,040,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2011.02.18 17:46:06 | 000,671,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2011.02.18 17:45:52 | 000,467,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2011.02.18 17:45:16 | 000,028,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2011.02.18 17:45:03 | 000,193,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll [2011.02.18 17:45:02 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2011.02.18 17:45:02 | 000,380,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll [2011.02.18 17:45:02 | 000,230,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll [2011.02.18 17:45:02 | 000,078,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll [2011.02.18 16:09:54 | 000,389,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec [2011.02.18 15:48:10 | 001,383,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2011.02.16 17:35:41 | 000,430,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll [2011.02.16 17:32:46 | 000,512,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll [2011.02.16 17:29:56 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\System32\atmlib.dll [2011.02.16 15:24:56 | 000,292,864 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll [2011.02.05 14:13:19 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt [2011.02.02 18:11:20 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe [2011.01.13 10:47:35 | 000,038,848 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr [2011.01.13 10:47:32 | 000,188,216 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe [2011.01.13 10:41:16 | 000,294,608 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys [2011.01.13 10:40:16 | 000,047,440 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys [2011.01.13 10:37:30 | 000,023,632 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys [2011.01.13 10:37:19 | 000,051,280 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys [2011.01.13 10:37:09 | 000,017,744 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys [2010.12.29 19:41:21 | 000,153,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll [2010.12.29 19:39:28 | 000,177,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax [2010.12.28 16:57:35 | 000,409,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\odbc32.dll [2010.12.20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010.12.20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010.12.14 17:49:30 | 001,169,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe [2010.11.06 13:10:29 | 000,345,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll [2010.11.06 13:10:13 | 000,357,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll [2010.11.06 13:10:13 | 000,270,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll [2010.10.28 14:56:58 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll [2010.10.20 14:00:54 | 000,002,077 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk [2010.10.18 16:01:05 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\consent.exe [2010.10.15 16:08:12 | 003,600,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2010.10.15 16:08:12 | 003,548,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2010.09.20 11:25:01 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll [2010.09.10 18:37:06 | 008,147,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL [2010.09.06 18:23:14 | 000,017,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netevent.dll [2010.08.31 17:41:42 | 000,954,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc40.dll [2010.08.31 17:41:42 | 000,954,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc40u.dll [2010.08.26 18:07:25 | 000,157,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll [2010.08.20 17:21:02 | 000,866,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wmpmde.dll [2010.06.18 18:43:54 | 000,036,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll [2010.06.16 17:12:25 | 000,072,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll [2010.05.27 21:16:09 | 000,081,920 | ---- | M] (Radius Inc.) -- C:\Windows\System32\iccvid.dll [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2011.05.12 13:43:16 | 000,000,144 | -H-- | C] () -- C:\ProgramData\~38788856 [2011.05.12 13:43:16 | 000,000,120 | -H-- | C] () -- C:\ProgramData\~38788856r [2011.05.12 13:42:51 | 000,000,336 | -H-- | C] () -- C:\ProgramData\38788856 [2011.05.05 13:13:51 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk [2011.05.05 13:11:17 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk [2011.05.05 13:10:46 | 000,001,975 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk [2011.05.05 13:09:35 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2011.05.05 13:04:46 | 000,001,593 | ---- | C] () -- C:\Users\Public\Desktop\Browserwahl.lnk [2011.05.05 13:04:05 | 2012,536,832 | -HS- | C] () -- C:\hiberfil.sys [2011.02.24 11:06:13 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs [2011.02.24 11:06:13 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml [2011.02.24 11:06:13 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl [2011.02.16 15:49:00 | 000,000,868 | ---- | C] () -- C:\Windows\tasks\Google Software Updater.job [2010.10.20 14:00:54 | 000,002,077 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk [2010.10.20 13:33:00 | 000,002,425 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk [2010.10.20 13:33:00 | 000,001,891 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk [2010.03.31 16:23:08 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll [2010.03.30 12:54:43 | 000,164,174 | ---- | C] () -- C:\Windows\hpoins19.dat [2010.03.30 12:48:01 | 000,026,952 | ---- | C] () -- C:\Windows\hpomdl19.dat [2010.03.12 23:20:25 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2009.05.19 20:40:57 | 000,628,504 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2009.05.19 20:40:57 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2009.05.19 20:40:57 | 000,126,248 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2009.05.19 20:40:57 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2009.05.19 12:07:33 | 000,311,296 | ---- | C] () -- C:\Windows\System32\Rezip.exe [2009.05.19 11:58:22 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2009.05.19 11:01:48 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2009.05.19 11:01:48 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2009.05.19 10:48:19 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat [2009.02.25 23:34:55 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll [2009.01.08 21:25:27 | 000,181,944 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat [2008.10.07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll [2008.10.07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll [2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll [2006.11.02 14:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2006.11.02 14:47:37 | 000,303,016 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2006.11.02 12:33:01 | 000,103,872 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2006.11.02 12:33:01 | 000,004,498 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat ========== LOP Check ========== [2010.03.12 23:44:21 | 000,000,000 | ---D | M] -- C:\Users\Linde\AppData\Roaming\BullGuard [2011.05.13 22:08:36 | 000,032,626 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT [2011.05.13 15:45:17 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{3BCA7624-8D23-4846-89EB-706B6A6EEA94}.job ========== Purity Check ========== < End of report > hier eine extra von vorhin:OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 13.05.2011 21:46:14 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\****\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 48,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 75,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 282,09 Gb Total Space | 255,28 Gb Free Space | 90,50% Space Free | Partition Type: NTFS
Drive D: | 15,00 Gb Total Space | 7,35 Gb Free Space | 49,02% Space Free | Partition Type: NTFS
Computer Name: ***** | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 360 Days
========== Extra Registry (All) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\System32\mshta.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
.inf [@ = inffile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\Windows\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
[HKEY_USERS\S-1-5-21-3759040712-2264673185-2536960619-1004\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
[HKEY_USERS\S-1-5-21-3759040712-2264673185-2536960619-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe C:\Windows\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{B7BE29BA-4F6B-4B17-8569-30BFE38C79DF}" = lport=2869 | protocol=6 | dir=in | app=system |
"{C2ACBF32-04A5-4070-A8CB-827C6FCAD094}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{059B4050-A3AC-4A1A-A490-182CD2E4CE61}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{318EDD8E-540E-49BF-BFD6-56614E023726}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{32A48DD2-6146-45BB-BB01-0DE12087931D}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{83982F61-AD0E-4993-B6AA-88FC7BBF68FC}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{F5F03457-F49F-4D28-9E19-C242DC1CAEB6}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{FE26EEA8-9A32-4240-8D93-AD172647C092}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"TCP Query User{57ABD460-E444-4A4C-B73B-1394496EEC65}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"TCP Query User{6876B6EE-85CB-4B31-BA35-808F32372C9A}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{2D65C2C2-E1D8-4EAA-AB72-F3F0B3051EE6}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"UDP Query User{CEF0C979-8305-4A52-A7D6-1BA7ED547E04}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{082C8591-A04B-C51B-99C1-729A9765C559}" = CCC Help English
"{0C49AFCF-4EEC-F150-3748-56906B26116D}" = Catalyst Control Center Graphics Full Existing
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18778440-FBC2-7845-5D75-2E3FB2901CA3}" = Catalyst Control Center Core Implementation
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{2160868F-58F6-7B2D-03A3-89A3582AEA1C}" = Skins
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F11A4D1-FAEC-E1FD-5D35-25C94EC33D46}" = ccc-core-static
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{508D251A-9378-C840-90A0-563C649BC749}" = Catalyst Control Center Graphics Previews Vista
"{560BEED8-69A3-0471-FFAE-9BA8AC58B61A}" = ccc-utility
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{580D6A69-F3F7-CB21-A5F5-3451A38CA1C2}" = Catalyst Control Center InstallProxy
"{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail
"{62E965A8-25BB-2C3C-D9D5-D73CF4CC55AB}" = Catalyst Control Center HydraVision Full
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{68D1CBD5-899D-037D-FC17-191811C44EA5}" = ATI Catalyst Install Manager
"{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7528F5C4-1707-A9D6-4564-F2D5C64FA3A6}" = Catalyst Control Center Graphics Light
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call
"{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger
"{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{26454C26-D259-4543-AA60-3189E09C5F76}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{97959329-F1E9-2D17-E910-253C05B00C6E}" = Catalyst Control Center Graphics Full New
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9D3D8C60-A55F-4fed-B2B9-173F09590E16}" = REALTEK Wireless LAN Driver
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A402B569-BA69-8849-1DFC-6D4CE9F4EDA5}" = Catalyst Control Center Graphics Previews Common
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.4 - Deutsch
"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"CCleaner" = CCleaner
"ffdshow_is1" = ffdshow [rev 1928] [2008-04-10]
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPOCR" = HP OCR Software 8.0
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.2pre)" = Mozilla Firefox (3.6.2pre)
"Picasa 3" = Picasa 3
"Skyscraper Simulator" = Skyscraper Simulator
"WinLiveSuite_Wave3" = Windows Live Essentials
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 09.05.2011 09:26:16 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 09.05.2011 11:40:37 | Computer Name = Alfred-PC | Source = EventSystem | ID = 4621
Description =
Error - 11.05.2011 07:22:06 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 11.05.2011 08:05:34 | Computer Name = Alfred-PC | Source = EventSystem | ID = 4621
Description =
Error - 12.05.2011 07:18:52 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 12.05.2011 07:43:30 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 12.05.2011 07:49:46 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 12.05.2011 08:05:17 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 13.05.2011 09:37:19 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
Error - 13.05.2011 14:20:30 | Computer Name = Alfred-PC | Source = WinMgmt | ID = 10
Description =
[ System Events ]
Error - 17.02.2011 08:42:22 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 19.02.2011 10:01:39 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 20.02.2011 10:09:49 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 20.02.2011 10:21:30 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 22.02.2011 08:50:20 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 23.02.2011 11:04:43 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 24.02.2011 06:20:21 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 25.02.2011 10:46:30 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 28.02.2011 04:55:21 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
Error - 28.02.2011 06:17:42 | Computer Name = Alfred-PC | Source = HTTP | ID = 15016
Description =
< End of report >
einen Malwarebytes report habe ich auch. allerdings ist die malware version ewig alt, ein update wird nach dem download abgebrochen mit fehlermeldung. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6512 Windows 6.0.6001 Service Pack 1 Internet Explorer 7.0.6001.18000 13.05.2011 21:22:08 mbam-log-2011-05-13 (21-21-53).txt Scan type: Quick scan Objects scanned: 132878 Time elapsed: 4 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: c:\Users\Alfred\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery (Trojan.FakeAV) -> No action taken. Files Infected: c:\Users\Alfred\Desktop\windows recovery.lnk (Trojan.FakeAV) -> No action taken. c:\Users\Alfred\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> No action taken. c:\Users\Alfred\AppData\Roaming\microsoft\Windows\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> No action taken. bin für jede hilfe dankbar habs geschafft über ein anderes benutzerkonto malware zu aktualisieren. der neue scan zeigt keine infektkion mehr, aber probleme sind immer noch die gleichen: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6569 Windows 6.0.6001 Service Pack 1 Internet Explorer 7.0.6001.18000 14.05.2011 00:38:59 mbam-log-2011-05-14 (00-38-59).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 252531 Time elapsed: 48 minute(s), 6 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) |
|
14.05.2011, 10:47
| #2 |
| /// Malware-holic   | win32:zbot-ncp und trojan fakeav bitte erstelle und poste ein combofix log.
__________________Ein Leitfaden und Tutorium zur Nutzung von ComboFix
__________________ |
|
14.05.2011, 16:14
| #3 |
| | win32:zbot-ncp und trojan fakeav hallo markus, habe vor deiner antwort schon ein unhide und CCleaner laufen lassen. danach waren alle funktionen wieder da und der rechner läuft ohne fehlermeldung. ein kompletter scan mit avast zeigt ebenfalls keinen schädling mehr an. da ich ein bisschen respect vor combofix habe bin ich mir nicht sicher ob das noch nötig ist nachdem die anderen progs nichts mehr finden. auch Malwarebytes gibt keine bedrohung mehr an. soll ich trotzdem combofix laufen lassen?
__________________ |
|
14.05.2011, 16:17
| #4 |
| /// Malware-holic | win32:zbot-ncp und trojan fakeav ja sicher. wenn alle programme 100 % aller malware finden würden, hättest du ja kein problem mit trojanern etc gehabt.
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
|
14.05.2011, 21:07
| #5 |
| | win32:zbot-ncp und trojan fakeav hier der log: Combofix Logfile: Code:
ATTFilter ComboFix 11-05-13.03 - spieler 14.05.2011 21:38:12.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.1919.909 [GMT 2:00]
ausgeführt von:: c:\users\Alfred\Desktop\cofi.exe.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-04-14 bis 2011-05-14 ))))))))))))))))))))))))))))))
.
.
2011-05-14 19:49 . 2011-05-14 19:49 -------- d-----w- c:\users\spieler\AppData\Local\temp
2011-05-14 19:49 . 2011-05-14 19:49 -------- d-----w- c:\users\Linde\AppData\Local\temp
2011-05-14 19:49 . 2011-05-14 19:49 -------- d-----w- c:\users\Gast\AppData\Local\temp
2011-05-14 19:49 . 2011-05-14 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-14 09:17 . 2011-05-14 09:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 09:11 . 2011-05-14 09:11 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-14 09:11 . 2011-05-14 09:11 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-14 08:47 . 2011-05-14 08:47 -------- d-----w- c:\windows\system32\ca-ES
2011-05-14 08:47 . 2011-05-14 08:47 -------- d-----w- c:\windows\system32\eu-ES
2011-05-14 08:47 . 2011-05-14 08:47 -------- d-----w- c:\windows\system32\vi-VN
2011-05-14 08:19 . 2011-05-14 08:19 -------- d-----w- c:\windows\system32\EventProviders
2011-05-13 21:36 . 2011-05-13 21:36 -------- d-----w- c:\users\spieler\AppData\Local\Mozilla
2011-05-13 21:08 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-13 13:52 . 2011-05-13 13:52 -------- d-----w- c:\users\Alfred\AppData\Roaming\SUPERAntiSpyware.com
2011-05-13 13:41 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0F48BC44-283B-4936-AA42-FCE16A7A2120}\mpengine.dll
2011-05-11 11:36 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-05 13:34 . 2011-05-05 13:34 -------- d-----w- c:\users\Alfred\AppData\Roaming\Malwarebytes
2011-05-05 12:38 . 2011-05-05 12:38 -------- d-----w- c:\users\Gast\AppData\Roaming\Malwarebytes
2011-05-05 12:36 . 2011-05-05 12:36 -------- d-----w- c:\users\Linde\AppData\Roaming\Malwarebytes
2011-05-05 11:32 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-05 11:32 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-05 11:15 . 2011-05-05 11:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-05 11:13 . 2011-05-05 11:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-05 11:13 . 2011-05-05 11:13 -------- d-----w- c:\users\spieler\AppData\Roaming\SUPERAntiSpyware.com
2011-05-05 11:11 . 2011-05-14 07:33 -------- d-----w- c:\program files\CCleaner
2011-05-05 11:09 . 2011-05-05 11:09 -------- d-----w- c:\users\spieler\AppData\Roaming\Malwarebytes
2011-05-05 11:09 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 11:09 . 2011-05-05 11:09 -------- d-----w- c:\programdata\Malwarebytes
2011-05-05 11:09 . 2011-05-05 11:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 11:09 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 11:05 . 2011-05-05 11:05 -------- d-----w- c:\users\spieler\AppData\Roaming\HP
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-07-01 14:45 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-03-12 21:06 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2010-03-12 21:06 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-03-12 21:06 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2010-03-12 21:06 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-03-12 21:06 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2010-03-12 21:06 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-10 17:03 . 2011-04-13 08:53 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 08:53 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-13 08:52 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-05-05 11:32 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-05-05 11:32 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-05-05 11:32 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-05-05 11:32 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-13 08:52 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-13 08:52 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 13:24 . 2011-04-13 08:53 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-13 08:53 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-13 08:53 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-13 08:53 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-18 16:38 . 2011-04-13 08:52 834048 ----a-w- c:\windows\system32\wininet.dll
2011-02-18 15:45 . 2011-04-13 08:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-18 14:49 . 2011-04-13 08:52 389632 ----a-w- c:\windows\system32\html.iec
2011-02-18 14:03 . 2011-04-13 08:52 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-18 14:03 . 2011-04-13 08:52 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-18 14:03 . 2011-04-13 08:52 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-16 16:21 . 2011-04-13 08:52 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-02-16 16:16 . 2011-04-13 08:53 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02 . 2011-04-13 08:53 292864 ----a-w- c:\windows\system32\atmfd.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-12 6965792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-12 1833504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 12:07 1830128 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 135664]
R4 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 135664]
R4 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S3 rtl8192se;Realtek Wireless LAN 802.11N PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-04-20 496640]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners
.
2011-05-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-12 20:50]
.
2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 22:17]
.
2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 22:17]
.
2011-05-14 c:\windows\Tasks\User_Feed_Synchronization-{3BCA7624-8D23-4846-89EB-706B6A6EEA94}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.medion.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4
FF - ProfilePath - c:\users\spieler\AppData\Roaming\Mozilla\Firefox\Profiles\tcvg1ym5.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\Alwil Software\Avast5\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-05-14 21:49
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-05-14 21:55:05
ComboFix-quarantined-files.txt 2011-05-14 19:55
.
Vor Suchlauf: 9 Verzeichnis(se), 273.841.467.392 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 273.860.722.688 Bytes frei
.
Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,4,5
- - End Of File - - 31EF71E44128CD2465EFF8AC6DA9866F
|
|
15.05.2011, 10:40
| #6 |
| /// Malware-holic | win32:zbot-ncp und trojan fakeav
__________________ --> win32:zbot-ncp und trojan fakeav |
|
15.05.2011, 13:36
| #7 |
| | win32:zbot-ncp und trojan fakeav GMER 1.0.15.15627 - hxxp://www.gmer.net Rootkit scan 2011-05-15 14:32:19 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HDT721032SLA360 rev.ST2OA31B Running: g5fylyik.exe; Driver: C:\Users\spieler\AppData\Local\Temp\uwdiqpob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8E0AF202] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8E0B181C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8E0B1874] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8E0B198A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8E0B1772] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8E0B18C4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8E0B17C6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8E0B1938] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8E0AF226] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8E0AEFF0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8E0AF24A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8E0B1D82] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8E0AFCDA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8E0B184C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8E0B189C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8E0B19B4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8E0B179E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8E0B1904] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8E0B17F4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8E0B1962] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8E0AFBA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8E0AF26E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8E0AF292] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8E0AF04A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8E0AF186] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8E0AF162] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8E0AF1AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8E0AF2B6] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E67C902] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 82AB7890 4 Bytes [02, F2, 0A, 8E] .text ntkrnlpa.exe!KeSetEvent + 1D1 82AB7954 8 Bytes [1C, 18, 0B, 8E, 74, 18, 0B, ...] {SBB AL, 0x18; OR ECX, [ESI-0x71f4e78c]} .text ntkrnlpa.exe!KeSetEvent + 1DD 82AB7960 4 Bytes [8A, 19, 0B, 8E] .text ntkrnlpa.exe!KeSetEvent + 1F5 82AB7978 4 Bytes [72, 17, 0B, 8E] .text ntkrnlpa.exe!KeSetEvent + 215 82AB7998 8 Bytes [C4, 18, 0B, 8E, C6, 17, 0B, ...] {LES EBX, DWORD [EAX]; OR ECX, [ESI-0x71f4e83a]} .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82BE25C7 5 Bytes JMP 8E6782BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 82C3B4F3 5 Bytes JMP 8E679D5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82C44E18 4 Bytes CALL 8E0B034B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82C48A8C 4 Bytes CALL 8E0B0361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82C9CDAE 7 Bytes JMP 8E67C906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8D60B000, 0x2585E6, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\svchost.exe[12] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[12] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[12] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[12] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[12] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[12] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[12] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[12] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000C03FC .text C:\Windows\system32\svchost.exe[208] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[208] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[208] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[208] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[276] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[276] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[276] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[276] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[276] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00220600 .text C:\Windows\system32\svchost.exe[276] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00220804 .text C:\Windows\system32\svchost.exe[276] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00220A08 .text C:\Windows\system32\svchost.exe[276] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 002201F8 .text C:\Windows\system32\svchost.exe[276] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 002203FC .text C:\Windows\System32\svchost.exe[456] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[456] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[456] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[456] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[456] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000F0600 .text C:\Windows\System32\svchost.exe[456] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000F0804 .text C:\Windows\System32\svchost.exe[456] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000F0A08 .text C:\Windows\System32\svchost.exe[456] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000F01F8 .text C:\Windows\System32\svchost.exe[456] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000F03FC .text C:\Windows\System32\svchost.exe[480] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[480] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[480] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[480] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\csrss.exe[508] KERNEL32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\wininit.exe[576] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000301F8 .text C:\Windows\system32\wininit.exe[576] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000303FC .text C:\Windows\system32\wininit.exe[576] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000503FC .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00050600 .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00051014 .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00050804 .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00050A08 .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00050C0C .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00050E10 .text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000501F8 .text C:\Windows\system32\wininit.exe[576] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00060600 .text C:\Windows\system32\wininit.exe[576] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00060804 .text C:\Windows\system32\wininit.exe[576] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00060A08 .text C:\Windows\system32\wininit.exe[576] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000601F8 .text C:\Windows\system32\wininit.exe[576] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000603FC .text C:\Windows\system32\csrss.exe[584] KERNEL32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[612] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[612] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[612] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000803FC .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00081014 .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00080C0C .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00080E10 .text C:\Windows\system32\svchost.exe[612] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000801F8 .text C:\Windows\system32\services.exe[620] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\services.exe[620] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\services.exe[620] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\services.exe[620] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00080600 .text C:\Windows\system32\services.exe[620] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00080804 .text C:\Windows\system32\services.exe[620] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\services.exe[620] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\services.exe[620] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\lsass.exe[632] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000A01F8 .text C:\Windows\system32\lsass.exe[632] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000A03FC .text C:\Windows\system32\lsass.exe[632] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000C03FC .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 000C0600 .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 000C1014 .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 000C0804 .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 000C0A08 .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 000C0C0C .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 000C0E10 .text C:\Windows\system32\lsass.exe[632] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000C01F8 .text C:\Windows\system32\lsass.exe[632] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000D0600 .text C:\Windows\system32\lsass.exe[632] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000D0804 .text C:\Windows\system32\lsass.exe[632] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000D0A08 .text C:\Windows\system32\lsass.exe[632] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000D01F8 .text C:\Windows\system32\lsass.exe[632] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000D03FC .text C:\Windows\system32\lsm.exe[640] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\lsm.exe[640] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\lsm.exe[640] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\winlogon.exe[688] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000301F8 .text C:\Windows\system32\winlogon.exe[688] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000303FC .text C:\Windows\system32\winlogon.exe[688] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000503FC .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00050600 .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00051014 .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00050804 .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00050A08 .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00050C0C .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00050E10 .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000501F8 .text C:\Windows\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00060600 .text C:\Windows\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00060804 .text C:\Windows\system32\winlogon.exe[688] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00060A08 .text C:\Windows\system32\winlogon.exe[688] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000601F8 .text C:\Windows\system32\winlogon.exe[688] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[848] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[848] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[848] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[920] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[920] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[920] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[920] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[920] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[920] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[920] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[920] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000C03FC .text C:\Windows\System32\svchost.exe[956] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[956] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[956] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[956] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 003A0600 .text C:\Windows\System32\svchost.exe[956] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 003A0804 .text C:\Windows\System32\svchost.exe[956] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 003A0A08 .text C:\Windows\System32\svchost.exe[956] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 003A01F8 .text C:\Windows\System32\svchost.exe[956] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 003A03FC .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001501F8 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001503FC .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00190600 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00190804 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00190A08 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001901F8 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001903FC .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001A03FC .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 001A0600 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 001A1014 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 001A0804 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 001A0A08 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 001A0C0C .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 001A0E10 .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[988] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001A01F8 .text C:\Windows\system32\Ati2evxx.exe[1040] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001501F8 .text C:\Windows\system32\Ati2evxx.exe[1040] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001503FC .text C:\Windows\system32\Ati2evxx.exe[1040] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\Ati2evxx.exe[1040] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00270600 .text C:\Windows\system32\Ati2evxx.exe[1040] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00270804 .text C:\Windows\system32\Ati2evxx.exe[1040] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00270A08 .text C:\Windows\system32\Ati2evxx.exe[1040] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 002701F8 .text C:\Windows\system32\Ati2evxx.exe[1040] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 002703FC .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 002803FC .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00280600 .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00281014 .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00280804 .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00280A08 .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00280C0C .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00280E10 .text C:\Windows\system32\Ati2evxx.exe[1040] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 002801F8 .text C:\Windows\System32\svchost.exe[1060] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[1060] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[1060] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00110600 .text C:\Windows\System32\svchost.exe[1060] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00110804 .text C:\Windows\System32\svchost.exe[1060] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00110A08 .text C:\Windows\System32\svchost.exe[1060] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001101F8 .text C:\Windows\System32\svchost.exe[1060] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001103FC .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00C90600 .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00C90804 .text C:\Windows\System32\svchost.exe[1112] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00C90A08 .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 00C901F8 .text C:\Windows\System32\svchost.exe[1112] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 00C903FC .text C:\Windows\system32\svchost.exe[1124] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000901F8 .text C:\Windows\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000903FC .text C:\Windows\system32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 000B0A08 |
|
15.05.2011, 13:36
| #8 |
| | win32:zbot-ncp und trojan fakeav .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[1124] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 002D0600 .text C:\Windows\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 002D0804 .text C:\Windows\system32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 002D0A08 .text C:\Windows\system32\svchost.exe[1124] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 002D01F8 .text C:\Windows\system32\svchost.exe[1124] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 002D03FC .text C:\Windows\system32\AUDIODG.EXE[1196] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\SLsvc.exe[1244] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000803FC .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00081014 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00080C0C .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00080E10 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000801F8 .text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00C60600 .text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00C60804 .text C:\Windows\system32\svchost.exe[1296] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00C60A08 .text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 00C601F8 .text C:\Windows\system32\svchost.exe[1296] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 00C603FC .text C:\Windows\system32\svchost.exe[1416] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1416] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1416] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000803FC .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00081014 .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00080C0C .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00080E10 .text C:\Windows\system32\svchost.exe[1416] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000801F8 .text C:\Windows\system32\svchost.exe[1416] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00460600 .text C:\Windows\system32\svchost.exe[1416] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00460804 .text C:\Windows\system32\svchost.exe[1416] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00460A08 .text C:\Windows\system32\svchost.exe[1416] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 004601F8 .text C:\Windows\system32\svchost.exe[1416] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 004603FC .text C:\Windows\System32\svchost.exe[1464] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[1464] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[1464] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[1464] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[1488] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\SearchIndexer.exe[1488] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\SearchIndexer.exe[1488] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[1488] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[1488] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[1488] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[1488] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[1488] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[1488] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\Ati2evxx.exe[1520] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001501F8 .text C:\Windows\system32\Ati2evxx.exe[1520] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001503FC .text C:\Windows\system32\Ati2evxx.exe[1520] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\Ati2evxx.exe[1520] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00170600 .text C:\Windows\system32\Ati2evxx.exe[1520] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00170804 .text C:\Windows\system32\Ati2evxx.exe[1520] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\Ati2evxx.exe[1520] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\Ati2evxx.exe[1520] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001703FC .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001803FC .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00180600 .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00181014 .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00180804 .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00180A08 .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00180C0C .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00180E10 .text C:\Windows\system32\Ati2evxx.exe[1520] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001801F8 .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1572] kernel32.dll!SetUnhandledExceptionFilter 757CA84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1572] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Users\Alfred\Downloads\g5fylyik.exe[1640] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1896] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\System32\spoolsv.exe[1896] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\System32\spoolsv.exe[1896] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\spoolsv.exe[1896] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\spoolsv.exe[1896] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000F0600 .text C:\Windows\System32\spoolsv.exe[1896] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000F0804 .text C:\Windows\System32\spoolsv.exe[1896] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000F0A08 .text C:\Windows\System32\spoolsv.exe[1896] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000F01F8 .text C:\Windows\System32\spoolsv.exe[1896] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000F03FC .text C:\Windows\system32\svchost.exe[1920] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[1920] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[1920] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[1920] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[1920] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 001B0600 .text C:\Windows\system32\svchost.exe[1920] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 001B0804 .text C:\Windows\system32\svchost.exe[1920] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 001B0A08 .text C:\Windows\system32\svchost.exe[1920] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001B01F8 .text C:\Windows\system32\svchost.exe[1920] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001B03FC .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2068] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2408] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskeng.exe[2408] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\taskeng.exe[2408] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[2408] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[2408] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00090600 .text C:\Windows\system32\taskeng.exe[2408] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00090804 .text C:\Windows\system32\taskeng.exe[2408] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00090A08 .text C:\Windows\system32\taskeng.exe[2408] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000901F8 .text C:\Windows\system32\taskeng.exe[2408] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000903FC .text C:\Windows\system32\ctfmon.exe[2600] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000803FC .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00080600 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00081014 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00080804 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00080A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00080C0C .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00080E10 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000801F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00090600 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00090804 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00090A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000901F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[2864] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000903FC .text C:\Windows\system32\taskeng.exe[2948] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000901F8 .text C:\Windows\system32\taskeng.exe[2948] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000903FC .text C:\Windows\system32\taskeng.exe[2948] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\taskeng.exe[2948] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\taskeng.exe[2948] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000C0600 .text C:\Windows\system32\taskeng.exe[2948] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\taskeng.exe[2948] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\taskeng.exe[2948] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\taskeng.exe[2948] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000C03FC .text C:\Windows\system32\Dwm.exe[2956] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\Dwm.exe[2956] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\Dwm.exe[2956] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000803FC .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00080600 .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00081014 .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00080804 .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00080A08 .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00080C0C .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00080E10 .text C:\Windows\system32\Dwm.exe[2956] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000801F8 .text C:\Windows\system32\Dwm.exe[2956] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00090600 .text C:\Windows\system32\Dwm.exe[2956] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00090804 .text C:\Windows\system32\Dwm.exe[2956] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00090A08 .text C:\Windows\system32\Dwm.exe[2956] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000901F8 .text C:\Windows\system32\Dwm.exe[2956] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000903FC .text C:\Windows\Explorer.EXE[3020] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\Explorer.EXE[3020] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\Explorer.EXE[3020] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000B03FC .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 000B0600 .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 000B1014 .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 000B0804 .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 000B0A08 .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 000B0C0C .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 000B0E10 .text C:\Windows\Explorer.EXE[3020] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000B01F8 .text C:\Windows\Explorer.EXE[3020] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 000C0600 .text C:\Windows\Explorer.EXE[3020] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 000C0804 .text C:\Windows\Explorer.EXE[3020] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 000C0A08 .text C:\Windows\Explorer.EXE[3020] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000C01F8 .text C:\Windows\Explorer.EXE[3020] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000C03FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001501F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001503FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001703FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00170600 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00171014 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00170804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00170A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00170C0C .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00170E10 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001701F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00180600 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00180804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00180A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3312] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001803FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001601F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001603FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00170600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00171014 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00170804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00170A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00170C0C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00170E10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00180600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00180804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00180A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3328] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001803FC .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001401F8 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001403FC .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00160600 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00160804 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00160A08 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001601F8 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001603FC .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001703FC .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00170600 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00171014 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00170804 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00170A08 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00170C0C .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00170E10 .text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[3376] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001701F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000803FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00080600 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00081014 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00080804 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00080A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00080C0C .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00080E10 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000801F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00090600 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00090804 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00090A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 000901F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3492] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 000903FC .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001501F8 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001503FC .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001703FC .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00170600 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00171014 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00170804 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00170A08 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00170C0C .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00170E10 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001701F8 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00BB0600 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00BB0804 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00BB0A08 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 00BB01F8 .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3508] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 00BB03FC .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 001501F8 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 001503FC .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 001703FC .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00170600 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00171014 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00170804 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00170A08 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00170C0C .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00170E10 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 001701F8 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] USER32.dll!SetWindowsHookExA 75E86322 5 Bytes JMP 00180600 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] USER32.dll!SetWindowsHookExW 75E887AD 5 Bytes JMP 00180804 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] USER32.dll!UnhookWindowsHookEx 75E898DB 5 Bytes JMP 00180A08 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] USER32.dll!SetWinEventHook 75E89F3A 5 Bytes JMP 001801F8 .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3516] USER32.dll!UnhookWinEvent 75E8C06F 5 Bytes JMP 001803FC .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3528] KERNEL32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[4008] ntdll.dll!LdrLoadDll 76EE93A8 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[4008] ntdll.dll!LdrUnloadDll 76EFB740 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[4008] kernel32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!CreateServiceW 75FC9EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!DeleteService 75FCA07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!SetServiceObjectSecurity 76006CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!ChangeServiceConfigA 76006DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!ChangeServiceConfigW 76006F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!ChangeServiceConfig2A 76007099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!ChangeServiceConfig2W 760071E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[4008] ADVAPI32.dll!CreateServiceA 760072A1 5 Bytes JMP 000701F8 .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4072] KERNEL32.dll!GetBinaryTypeW + 70 757F2247 1 Byte [62] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[620] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 001D0002 IAT C:\Windows\system32\services.exe[620] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 001D0000 IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74087817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740DA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7408BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7407F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7407E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740B8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7408DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7407FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7407FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7410CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [740AC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7407D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74076853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7407687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[3020] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74082AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0023540e79f3 Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\0023540e79f3 (not active ControlSet) ---- EOF - GMER 1.0.15 ---- |
|
15.05.2011, 13:37
| #9 |
| | win32:zbot-ncp und trojan fakeav hier war ein doppelposting, daher gelöscht. |
|
15.05.2011, 14:35
| #10 |
| /// Malware-holic | win32:zbot-ncp und trojan fakeav läuft der pc noch fehlerfrei oder ist noch ein problem aufgetreten?
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
|
15.05.2011, 18:12
| #11 |
| | win32:zbot-ncp und trojan fakeav hallo marcus, das einzige, was noch nicht wieder da ist ist folgendes: wenn ich auf windows/start gehe erscheinen normalerweise die zuletzt benutzen progs in der sich önnenden leiste. diese ist leer und füllt sich erst mit allen progs wenn ich entsprechend auf "alle programme" klicke (weiß nicht wie ich das besser beschreiben soll. eben unten links das windows logo...) sonst keine fehler mehr aufgetreten, alle dateien und funktionen sind da. gruß |
|
15.05.2011, 18:40
| #12 |
| /// Malware-holic | win32:zbot-ncp und trojan fakeav hmm da weis ich im mom auch keine lösung. lade den CCleaner slim: Piriform - Builds falls der CCleaner bereits instaliert, überspringen. instalieren, öffnen, extras, liste der instalierten programme, als txt speichern. öffnen. hinter, jedes von dir benötigte programm, schreibe notwendig. hinter, jedes, von dir nicht benötigte, unnötig. hinter, dir unbekannte, unbekannt. liste posten.
__________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet |
|
15.05.2011, 21:51
| #13 |
| | win32:zbot-ncp und trojan fakeav ich bin zufrieden, habe nicht das gefühl, dass da im augenblick noch was dramatisches im hintergrund arbeitet. ich muss jetzt wieder nach hause und werden meinen vater erst einmal so mit dem rechner arbeiten lassen. in 14 tagen bin ich wieder vor ort und werde dann die liste posten. ersteinmal vielen, vielen dank und bis in 2 wochen. gruß |
|
| Themen zu win32:zbot-ncp und trojan fakeav |
| 32 bit, antivirus, autorun, avast!, bho, desktop, error, excel, firefox, flash player, google, home, homepage, iexplore.exe, install.exe, location, logfile, microsoft office word, mozilla, notepad.exe, officejet, oldtimer, picasa, plug-in, problem, realtek, registry, scan, searchplugins, security, security update, senden, shell32.dll, shortcut, software, start menu, svchost.exe, trojan, vista, wscript.exe |
Linear-Darstellung
