| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: gefälschte Windows Scan-Software "Security Protection"Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
06.06.2011, 19:22
| #1 |
 |  gefälschte Windows Scan-Software "Security Protection" Hallo, habe folgendes Problem mit meinem Computer (=PC meiner Freundin): Es hat sich eine gefälschte Malware Protection-Software Namens "Security Protection" im System festgesetzt. Es kommt von dieser Software (in der Sprechblase rechts unten) die Meldung TCrdMain.exe can not start File TCrdMain.exe is infected by W32/Blaster.worm Please activate Security Protection to protect your computer. Manchmal blinkt auch kurz noch eine weitere vermeintliche Virenmeldung auf. Außerdem versucht die Software nach dem Hochfahren von Windows einen Scan durchzuführen mit dem Ziel, dass man die Software "aktiviert". Installiertes System: Windows Vista Virenprogramm: Avira AntiVir Personal Bereits installierte Software lässt sich nicht öffnen. Auch AntiVir kann ich nicht öffnen, sodass ich auch keinen Scan durchführen kann. Habe versucht, AntiVir zu deinstallieren um es erneut aufspielen zu können, doch bereits die Deinstallation war nicht möglich. Habe dann den hier im Board angebotenen "Defogger" auf den Desktop heruntergeladen und versucht, ihn (als Administrator) auszuführen, doch auch das ist nicht möglich. Sollte ich versuchen, OTL zu starten? Oder wie sollte ich weiter vorgehen?  Vielen Dank schon jetzt für die Hilfe! SR |
|
06.06.2011, 20:16
| #2 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | gefälschte Windows Scan-Software "Security Protection" Hallo und
__________________ Bitte routinemäßig einen Vollscan mit Malwarebytes machen und Log posten. Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss! Falls Logs aus älteren Scans mit Malwarebytes vorhanden sind, bitte auch davon alle posten! Danach OTL-Custom: CustomScan mit OTL Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
Code:
ATTFilter netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT
__________________ |
|
06.06.2011, 20:36
| #3 |
| | gefälschte Windows Scan-Software "Security Protection" Leider kann ich auch Malwarebytes nicht korrekt ausführen. Beim Ausführen (als Admin) kommt noch kurz das Fenster mit der Sprachauswahl und dann wird es auch schon abgeblockt. Rechts unten in der Taskleiste kommt kurz die Meldung:
__________________mbam-setup-1.51.0.1200.tmp can not start File mbam-setup-1.51.0.1200.tmp is infected by W32/Blaster.worm Please activate Security Protection to protect your computer. Danach kommt wieder die o.g. Sprechblase mit TCrdMain.exe can not start |
|
06.06.2011, 20:42
| #4 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | gefälschte Windows Scan-Software "Security Protection" Das schon probiert => http://www.trojaner-board.de/82699-m...tet-nicht.html Ggf im Zusammenhang mit dem random installer probieren, falls man schon Probleme bei der Installation bzw. beim Download hat => http://malwarebytes.org/mbam-download-exe-random.php
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
06.06.2011, 21:14
| #5 |
| | gefälschte Windows Scan-Software "Security Protection" Hab das mit der empfohlenen Anleitung probiert - leider ohne Erfolg. Habe die mbam-setup-1.51.0.1200.exe auf dem Desktop umbenannt in .com, aber kann die Datei unter C:\Programme (bzw. einem ähnlichen Programme-Ordner) nicht finden, da ja bereits die Installation von Malwarebyte nicht möglich war. Beim Versuch, den random installer auszuführen, kam nur die Fehlermeldung C:\Users\***\Desktop\czoxovlu00.exe ist keine zulässige Win32-Anwendung. Oder hab ich da in der Handhabung was falsch gemacht?!? Unter der Anleitung "Was tun wenn MalwareBytes Anti-Malware nicht startet" war ein weiterführender Link zu "OTH - OTHelper - Kill All Processes". Soll ich dies auch versuchen oder nicht? SR |
|
07.06.2011, 10:19
| #6 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | gefälschte Windows Scan-Software "Security Protection" Dann mach bitte erst das OTL-Log
__________________ --> gefälschte Windows Scan-Software "Security Protection" |
|
07.06.2011, 12:04
| #7 |
| | gefälschte Windows Scan-Software "Security Protection" Danke für deine Hilfe bisher! Auch OTL lässt sich nicht ausführen. Es erscheint sehr kurz das Startfenster und dann lässt sich nichts mehr machen. Hab auch versucht, beim kurzen Erscheinen des Fensters gleich "Enter" zu drücken, da im Startfenster der "Scan"-Button angewählt ist - in der Hoffnung, er startet den Scan. Auch das ging nicht. |
|
07.06.2011, 13:07
| #8 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | gefälschte Windows Scan-Software "Security Protection" Dann sind uns schon fast alle Analysemöglichkeiten schon verbaut. Willst du noch weitermachen - mit erheblich mehr Aufwand - oder gleich formatieren und eine Neuinstallation durchführen.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
07.06.2011, 17:53
| #9 |
| | gefälschte Windows Scan-Software "Security Protection" O.K., dann wohl doch Neuinstallation. Ist dann eigentlich sichergestellt, dass der Virus weg ist? (Ich hatte mal gelesen, dass ein Virus auch nach Neuinstallation noch auf dem Rechner sein kann - weiß aber nicht mehr wo). Oder dient das nur dazu, dass wir besser analysieren können? Kleiner Haken ist nur, dass die Windows-CD momentan grad bei den Eltern ist, sodass wir erst in einer guten Woche ran kommen. Ist dieses Thema hier dann noch offen? |
|
07.06.2011, 21:31
| #10 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | gefälschte Windows Scan-Software "Security Protection" Ja ist dann noch offen hier. Folge dann einfach dem Artikel zur Neuinstallation von Windows. Falls du noch Daten retten willst, folge dem 2. Link in meiner Signatur.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
30.06.2011, 17:00
| #11 |
| | gefälschte Windows Scan-Software "Security Protection" Hi, sorry, hat bissl länger gedauert. Hier nun die Log-Files: OTL.txt: Code:
ATTFilter OTL logfile created on: 29.06.2011 22:48:56 - Run 1 OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Doro\Desktop Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 7.0.6001.18000) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,96 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 70,17% Memory free 6,13 Gb Paging File | 5,17 Gb Available in Paging File | 84,34% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 186,52 Gb Total Space | 166,75 Gb Free Space | 89,40% Space Free | Partition Type: NTFS Drive D: | 7,41 Gb Total Space | 3,17 Gb Free Space | 42,85% Space Free | Partition Type: FAT32 Drive E: | 184,62 Gb Total Space | 170,89 Gb Free Space | 92,56% Space Free | Partition Type: NTFS Computer Name: DORO-PC | User Name: Doro | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe PRC - [2009.05.12 21:26:42 | 000,299,008 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe PRC - [2009.04.24 10:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TECO\TecoService.exe PRC - [2009.04.24 10:40:08 | 001,323,008 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TECO\TEco.exe PRC - [2009.04.23 19:01:24 | 001,011,712 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe PRC - [2009.04.21 21:07:32 | 000,303,104 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe PRC - [2009.04.21 21:07:04 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe PRC - [2009.04.16 17:42:58 | 000,020,544 | ---- | M] (TOSHIBA) -- C:\Programme\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe PRC - [2009.04.15 16:04:02 | 000,570,736 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TPHM\TPCHWMsg.exe PRC - [2009.04.15 16:03:40 | 000,656,752 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TPHM\TPCHSrv.exe PRC - [2009.04.01 17:11:06 | 001,283,384 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe PRC - [2009.04.01 17:10:58 | 000,062,776 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe PRC - [2009.03.31 09:33:52 | 000,503,808 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\SmoothView\SmoothView.exe PRC - [2009.03.30 15:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe PRC - [2009.03.23 13:30:52 | 001,045,904 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\Toshiba TEMPRO\TemproTray.exe PRC - [2009.03.23 13:30:36 | 000,116,104 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\Toshiba TEMPRO\TemproSvc.exe PRC - [2009.03.23 10:50:40 | 000,729,088 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\FlashCards\TCrdMain.exe PRC - [2009.03.17 10:49:04 | 000,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe PRC - [2009.03.16 18:54:18 | 006,158,240 | ---- | M] (TOSHIBA) -- C:\Programme\TOSHIBA\Toshiba Online Product Information\TOPI.exe PRC - [2009.03.10 17:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe PRC - [2009.03.10 17:50:36 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\CFSwMgr.exe PRC - [2009.03.06 17:29:16 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\Power Saver\TosCoSrv.exe PRC - [2009.03.06 17:29:04 | 000,468,320 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe PRC - [2009.03.04 14:53:34 | 000,096,144 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\TOSHIBA\Registration\ToshibaReminder.exe PRC - [2009.01.13 20:33:40 | 000,034,088 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\Utilities\KeNotify.exe PRC - [2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.09.26 19:00:32 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\VirusScan\Mcshield.exe PRC - [2008.09.26 18:23:58 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\VirusScan\mcsysmon.exe PRC - [2008.09.23 12:48:18 | 000,792,184 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MSC\mcmscsvc.exe PRC - [2008.09.23 12:48:18 | 000,781,288 | ---- | M] (McAfee, Inc.) -- c:\Programme\McAfee\MSC\mcupdmgr.exe PRC - [2008.09.23 12:48:18 | 000,641,208 | ---- | M] (McAfee, Inc.) -- c:\Programme\McAfee.com\Agent\mcagent.exe PRC - [2008.09.22 12:19:14 | 000,025,416 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MSK\msksrver.exe PRC - [2008.09.18 09:43:58 | 000,198,432 | ---- | M] () -- C:\Programme\McAfee\SiteAdvisor\McSACore.exe PRC - [2008.09.12 15:54:58 | 000,884,360 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MPF\MpfSrv.exe PRC - [2008.09.12 09:19:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Programme\Common Files\McAfee\MNA\McNASvc.exe PRC - [2008.09.09 23:33:40 | 000,359,248 | ---- | M] (McAfee, Inc.) -- c:\Programme\Common Files\McAfee\McProxy\McProxy.exe PRC - [2008.01.21 03:24:13 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe PRC - [2008.01.21 03:23:33 | 000,192,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wsqmcons.exe PRC - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe ========== Modules (SafeList) ========== MOD - [2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe MOD - [2008.09.18 09:44:00 | 000,012,576 | ---- | M] () -- C:\Programme\McAfee\SiteAdvisor\sahook.dll MOD - [2008.01.21 03:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - [2009.06.09 10:27:24 | 000,111,088 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\ProgramData\Partner\partner.exe -- (Partner Service) SRV - [2009.04.24 10:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service) SRV - [2009.04.21 21:07:04 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility) SRV - [2009.04.16 17:42:58 | 000,020,544 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Programme\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe -- (camsvc) SRV - [2009.04.15 16:03:40 | 000,656,752 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv) SRV - [2009.04.01 17:10:58 | 000,062,776 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Programme\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo) SRV - [2009.03.30 15:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv) SRV - [2009.03.23 13:30:36 | 000,116,104 | ---- | M] (Toshiba Europe GmbH) [Auto | Running] -- C:\Program Files\Toshiba TEMPRO\TemproSvc.exe -- (TemproMonitoringService) Notebook Performance Tuning Service (TEMPRO) SRV - [2009.03.17 10:49:04 | 000,073,728 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service) SRV - [2009.03.10 17:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service) SRV - [2009.03.06 17:29:16 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv) SRV - [2009.02.11 12:05:16 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService) SRV - [2008.09.26 20:43:06 | 000,363,024 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee\VirusScan\mcods.exe -- (McODS) SRV - [2008.09.26 19:00:32 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Programme\McAfee\VirusScan\Mcshield.exe -- (McShield) SRV - [2008.09.26 18:23:58 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Programme\McAfee\VirusScan\mcsysmon.exe -- (McSysmon) SRV - [2008.09.23 12:48:18 | 000,792,184 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Programme\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc) SRV - [2008.09.22 12:19:14 | 000,025,416 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service) SRV - [2008.09.18 09:43:58 | 000,198,432 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service) SRV - [2008.09.12 15:54:58 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService) SRV - [2008.09.12 09:19:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Programme\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc) SRV - [2008.09.09 23:33:40 | 000,359,248 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Programme\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy) SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv) ========== Driver Services (SafeList) ========== DRV - [2009.04.24 13:29:28 | 000,163,840 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169) DRV - [2009.04.21 22:30:14 | 004,491,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag) DRV - [2009.03.20 22:29:18 | 000,012,920 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\TVALZFL.sys -- (TVALZFL) DRV - [2009.03.20 20:09:52 | 000,491,008 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192se.sys -- (rtl8192se) DRV - [2009.03.18 10:44:54 | 000,022,272 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PGEffect.sys -- (PGEffect) DRV - [2009.01.27 18:12:14 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32) DRV - [2008.11.11 17:29:42 | 000,154,272 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService) DRV - [2008.09.26 19:01:12 | 000,212,968 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk) DRV - [2008.09.26 19:01:12 | 000,079,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk) DRV - [2008.09.26 19:01:12 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk) DRV - [2008.09.26 19:01:12 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk) DRV - [2008.09.26 19:00:40 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk) DRV - [2008.08.26 12:51:36 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP) DRV - [2008.05.07 10:30:12 | 000,025,896 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter) DRV - [2007.12.14 10:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst) DRV - [2007.11.09 13:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ) DRV - [2007.04.23 09:50:50 | 000,025,896 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | System | Running] -- C:\Windows\System32\drivers\RtlProt.sys -- (RtlProt) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEG&bmod=TSEG; IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEG&bmod=TSEG; IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEG&bmod=TSEG; IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011.06.22 20:29:44 | 000,000,000 | ---D | M] O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - C:\Programme\McAfee\MSK\mskapbho.dll () O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.) O2 - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll (Google Inc.) O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll () O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll () O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programme\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll (Google Inc.) O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll () O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll () O4 - HKLM..\Run: [00TCrdMain] C:\Programme\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [cfFncEnabler.exe] C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe (Toshiba Corporation) O4 - HKLM..\Run: [HSON] C:\Programme\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.) O4 - HKLM..\Run: [KeNotify] C:\Programme\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION) O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) O4 - HKLM..\Run: [NDSTray.exe] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION) O4 - HKLM..\Run: [SmartFaceVWatcher] C:\Programme\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [SmoothView] C:\Programme\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA) O4 - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [Toshiba Registration] C:\Programme\TOSHIBA\Registration\ToshibaReminder.exe (Toshiba Europe GmbH) O4 - HKLM..\Run: [Toshiba TEMPRO] C:\Programme\Toshiba TEMPRO\TemproTray.exe (Toshiba Europe GmbH) O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [TosSENotify] C:\Programme\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [TPCHWMsg] C:\Programme\TOSHIBA\TPHM\TPCHWMsg.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [TPwrMain] C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [TWebCamera] C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [TOSHIBA Online Product Information] C:\Programme\TOSHIBA\Toshiba Online Product Information\TOPI.exe (TOSHIBA) O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: eBay - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found O9 - Extra Button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11) O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll () O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Programme\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll (Google Inc.) O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Toshiba\WALLPAPERS\Wallpaper1.jpg O24 - Desktop BackupWallPaper: C:\Toshiba\WALLPAPERS\Wallpaper1.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun) ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0 ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6 ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7 ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1 ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP NetSvcs: FastUserSwitchingCompatibility - File not found NetSvcs: Ias - File not found NetSvcs: Nla - File not found NetSvcs: Ntmssvc - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: SRService - File not found NetSvcs: WmdmPmSp - File not found NetSvcs: LogonHours - File not found NetSvcs: PCAudit - File not found NetSvcs: helpsvc - File not found NetSvcs: uploadmgr - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point ========== Files/Folders - Created Within 30 Days ========== [2011.06.29 22:44:18 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe [2011.06.29 22:43:22 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\Adobe [2011.06.29 22:43:22 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Adobe [2011.06.22 20:32:16 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\ATI [2011.06.22 20:32:16 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\ATI [2011.06.22 20:32:02 | 000,000,000 | ---D | C] -- C:\Users\Doro\Documents\Eigene Google Gadgets [2011.06.22 20:32:00 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Toshiba [2011.06.22 20:31:53 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Google [2011.06.22 20:31:40 | 000,000,000 | R--D | C] -- C:\Users\Doro\Searches [2011.06.22 20:31:40 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools [2011.06.22 20:31:33 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\Identities [2011.06.22 20:31:30 | 000,000,000 | R--D | C] -- C:\Users\Doro\Contacts [2011.06.22 20:31:26 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\VirtualStore [2011.06.22 20:28:51 | 000,000,000 | ---D | C] -- C:\ProgramData\ToshibaEurope [2011.06.22 20:28:36 | 000,000,000 | --SD | C] -- C:\Users\Doro\AppData\Roaming\Microsoft [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Videos [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Saved Games [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Pictures [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Music [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Links [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Favorites [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Downloads [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Documents [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Desktop [2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Vorlagen [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\AppData\Local\Verlauf [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\AppData\Local\Temporary Internet Files [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Startmenü [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\SendTo [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Recent [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Netzwerkumgebung [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Lokale Einstellungen [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Documents\Eigene Videos [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Documents\Eigene Musik [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Eigene Dateien [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Documents\Eigene Bilder [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Druckumgebung [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Cookies [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\AppData\Local\Anwendungsdaten [2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Anwendungsdaten [2011.06.22 20:28:36 | 000,000,000 | -H-D | C] -- C:\Users\Doro\AppData [2011.06.22 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Temp [2011.06.22 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Microsoft [2011.06.22 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\Media Center Programs [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Vorlagen [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Startmenü [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Programme [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Programme\Gemeinsame Dateien [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Favoriten [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Videos [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Musik [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Bilder [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Dokumente [2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Anwendungsdaten [2011.06.22 19:19:07 | 000,000,000 | ---D | C] -- C:\Windows\OemDrv [2011.06.22 19:18:33 | 000,000,000 | ---D | C] -- C:\ProgramData\IsolatedStorage [2011.06.22 19:15:45 | 000,000,000 | ---D | C] -- C:\Programme\Toshiba TEMPRO [2011.06.22 19:15:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Toshiba TEMPRO [2011.06.22 19:15:40 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Wise Installation Wizard [2011.06.22 19:15:02 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Toshiba Shared [2011.06.22 19:14:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TOSHIBA DVD PLAYER [2011.06.22 19:13:17 | 001,069,056 | ---- | C] (The OpenSSL Project, hxxp://www.openssl.org/) -- C:\Windows\System32\libeay32.dll [2011.06.22 19:13:17 | 000,155,648 | ---- | C] (TODO: <Company name>) -- C:\Windows\System32\IpLib.dll [2011.06.22 19:13:17 | 000,025,896 | ---- | C] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\System32\drivers\RtlProt.sys [2011.06.22 19:09:09 | 000,000,000 | ---D | C] -- C:\ProgramData\TOSHIBA [2011.06.22 19:02:58 | 000,000,000 | ---D | C] -- C:\Programme\Synaptics [2011.06.22 19:01:11 | 000,000,000 | ---D | C] -- C:\Programme\Realtek WLAN Driver [2011.06.22 18:54:53 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI [2011.06.22 18:52:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center [2011.06.22 18:51:47 | 000,000,000 | ---D | C] -- C:\Programme\ATI [2011.06.22 18:51:46 | 000,000,000 | ---D | C] -- C:\Programme\ATI Technologies [2011.06.22 18:51:44 | 000,303,104 | ---- | C] (AMD) -- C:\Windows\System32\atieclxx.exe [2011.06.22 18:51:44 | 000,176,128 | ---- | C] (AMD) -- C:\Windows\System32\atiesrxx.exe [2011.06.22 18:51:44 | 000,011,776 | ---- | C] (AMD) -- C:\Windows\System32\atimuixx.dll [2011.06.22 18:50:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2011.06.22 18:48:20 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution [2011.06.22 18:46:00 | 000,000,000 | -HSD | C] -- C:\System Volume Information ========== Files - Modified Within 30 Days ========== [2011.06.29 22:45:03 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2011.06.29 22:45:03 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2011.06.29 22:45:03 | 000,122,842 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2011.06.29 22:45:03 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2011.06.29 22:44:57 | 000,000,000 | ---- | M] () -- C:\Users\Doro\defogger_reenable [2011.06.29 22:43:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf [2011.06.29 22:33:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2011.06.29 22:33:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2011.06.29 22:32:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2011.06.29 22:32:53 | 3184,394,240 | -HS- | M] () -- C:\hiberfil.sys [2011.06.28 20:29:53 | 000,003,295 | ---- | M] () -- C:\Windows\System32\Config.MPF [2011.06.22 19:22:01 | 000,060,826 | ---- | M] () -- C:\Windows\System32\license.rtf [2011.06.22 19:21:32 | 000,000,000 | RHS- | M] () -- C:\Windows\System32\drivers\TOSHIBA_Satellite L500_09758-GR_PSLJ3E-01Y01.MRK [2011.06.22 19:16:10 | 000,000,000 | ---- | M] () -- C:\Windows\NDSTray.INI [2011.06.22 19:15:45 | 000,001,812 | ---- | M] () -- C:\Users\Public\Desktop\Toshiba TEMPRO-Meldungen.lnk [2011.06.22 19:15:36 | 000,001,740 | ---- | M] () -- C:\Users\Public\Desktop\TOSHIBA Benutzerhandbuch.lnk [2011.06.22 19:03:02 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01007.Wdf [2011.06.22 18:54:22 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin [2011.06.22 18:47:48 | 000,297,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2011.06.20 17:23:04 | 000,302,592 | ---- | M] () -- C:\Users\Doro\Desktop\g6okoo0z.exe [2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe [2011.06.20 17:21:58 | 000,050,477 | ---- | M] () -- C:\Users\Doro\Desktop\Defogger.exe ========== Files Created - No Company Name ========== [2011.06.29 22:44:57 | 000,000,000 | ---- | C] () -- C:\Users\Doro\defogger_reenable [2011.06.29 22:44:27 | 000,302,592 | ---- | C] () -- C:\Users\Doro\Desktop\g6okoo0z.exe [2011.06.29 22:44:11 | 000,050,477 | ---- | C] () -- C:\Users\Doro\Desktop\Defogger.exe [2011.06.29 22:43:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf [2011.06.22 20:31:41 | 000,000,954 | ---- | C] () -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [2011.06.22 20:31:40 | 000,000,949 | ---- | C] () -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk [2011.06.22 20:31:29 | 000,000,920 | ---- | C] () -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk [2011.06.22 19:21:32 | 000,000,000 | RHS- | C] () -- C:\Windows\System32\drivers\TOSHIBA_Satellite L500_09758-GR_PSLJ3E-01Y01.MRK [2011.06.22 19:16:10 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI [2011.06.22 19:15:45 | 000,001,812 | ---- | C] () -- C:\Users\Public\Desktop\Toshiba TEMPRO-Meldungen.lnk [2011.06.22 19:15:36 | 000,001,740 | ---- | C] () -- C:\Users\Public\Desktop\TOSHIBA Benutzerhandbuch.lnk [2011.06.22 19:13:17 | 000,131,072 | ---- | C] () -- C:\Windows\System32\EnumDevLib.dll [2011.06.22 19:03:02 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01007.Wdf [2011.06.22 18:54:22 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011.06.22 18:54:21 | 3184,394,240 | -HS- | C] () -- C:\hiberfil.sys [2011.06.22 18:51:44 | 000,294,912 | ---- | C] () -- C:\Windows\System32\ATIODE.exe [2011.06.22 18:51:44 | 000,184,751 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat [2011.06.22 18:51:44 | 000,167,952 | ---- | C] () -- C:\Windows\System32\atiumdva.cap [2011.06.22 18:51:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll [2011.06.22 18:51:44 | 000,045,056 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe [2011.06.22 18:51:44 | 000,016,032 | ---- | C] () -- C:\Windows\atiogl.xml [2009.06.09 10:02:11 | 000,045,056 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll [2009.06.09 09:59:07 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll [2009.06.09 08:31:39 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin [2009.06.09 08:31:39 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin [2008.09.02 01:32:38 | 000,028,672 | ---- | C] () -- C:\Windows\System32\SPCtl.dll [2008.01.21 08:15:58 | 000,618,442 | ---- | C] () -- C:\Windows\System32\perfh007.dat [2008.01.21 08:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat [2008.01.21 08:15:58 | 000,122,842 | ---- | C] () -- C:\Windows\System32\perfc007.dat [2008.01.21 08:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat [2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat [2006.11.02 13:47:37 | 000,297,720 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT [2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 11:33:01 | 000,587,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat [2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat [2006.11.02 11:33:01 | 000,101,250 | ---- | C] () -- C:\Windows\System32\perfc009.dat [2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat [2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat [2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin [2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT [2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat ========== LOP Check ========== [2009.06.09 10:40:34 | 000,000,378 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job [2009.06.09 10:40:34 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job [2011.06.28 20:29:54 | 000,011,288 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Custom Scans ========== < > < %SYSTEMDRIVE%\*. > [2011.06.22 20:35:31 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN [2009.06.09 08:00:16 | 000,000,000 | -HSD | M] -- C:\Boot [2006.11.02 14:02:03 | 000,000,000 | -HSD | M] -- C:\Documents and Settings [2011.06.22 20:24:57 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen [2009.06.09 10:35:09 | 000,000,000 | RH-D | M] -- C:\MSOCache [2011.06.22 20:24:57 | 000,000,000 | R--D | M] -- C:\Programme [2011.06.22 20:28:51 | 000,000,000 | -H-D | M] -- C:\ProgramData [2011.06.22 20:24:57 | 000,000,000 | -HSD | M] -- C:\Programme [2011.06.29 22:49:50 | 000,000,000 | -HSD | M] -- C:\System Volume Information [2011.06.22 20:31:19 | 000,000,000 | ---D | M] -- C:\Toshiba [2011.06.22 20:35:17 | 000,000,000 | R--D | M] -- C:\Users [2011.06.22 19:19:07 | 000,000,000 | ---D | M] -- C:\Windows [2009.06.09 10:32:47 | 000,000,000 | ---D | M] -- C:\Works < %PROGRAMFILES%\*.exe > < %LOCALAPPDATA%\*.exe > < %systemroot%\*. /mp /s > < MD5 for: EXPLORER.EXE > [2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe [2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\explorer.exe [2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe [2008.10.30 04:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe [2008.10.28 03:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe [2008.01.21 03:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe < MD5 for: REGEDIT.EXE > [2008.01.21 03:24:53 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\regedit.exe [2008.01.21 03:24:53 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe < MD5 for: USERINIT.EXE > [2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe [2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe < MD5 for: WININIT.EXE > [2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe [2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe < MD5 for: WINLOGON.EXE > [2008.01.21 03:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\System32\winlogon.exe [2008.01.21 03:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU > < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs > < > < End of report > Code:
ATTFilter OTL Extras logfile created on: 29.06.2011 22:48:56 - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\Doro\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,96 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 70,17% Memory free
6,13 Gb Paging File | 5,17 Gb Available in Paging File | 84,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 186,52 Gb Total Space | 166,75 Gb Free Space | 89,40% Space Free | Partition Type: NTFS
Drive D: | 7,41 Gb Total Space | 3,17 Gb Free Space | 42,85% Space Free | Partition Type: FAT32
Drive E: | 184,62 Gb Total Space | 170,89 Gb Free Space | 92,56% Space Free | Partition Type: NTFS
Computer Name: DORO-PC | User Name: Doro | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D392AF4-E02D-4840-9748-95279A89D034}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{76E16E04-8DFF-4C27-A0BF-03C6BE3E78D2}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{B8C8DBE5-A08E-41A0-8EBD-360346214769}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02CA24DD-C8B0-4280-BE53-7862869C2EB1}" = Realtek WiFi Protected Setup Library
"{06223EA1-8977-4A44-B2AB-30FD78B7DCC1}" = CCC Help Thai
"{0CF37D58-38A8-E03F-8DD8-B01B55C09615}" = CCC Help English
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C971EE3-B4C4-4367-9676-57549919C6CE}" = TOSHIBA Benutzerhandbücher
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{27349465-3521-8214-5311-286D806C86C3}" = CCC Help Dutch
"{32762866-8C6E-437E-1E79-4506FEB7323A}" = Catalyst Control Center Graphics Full Existing
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3CAF2B2D-0DA3-7BD6-6701-E3D71992DB78}" = Catalyst Control Center Localization All
"{3D0DC563-4C99-4AB1-8C22-514940666938}" = Catalyst Control Center - Branding
"{4324E4DD-C67C-A413-5C12-5DC694A99AF6}" = ATI Catalyst Install Manager
"{45633D5F-76CE-B1D7-325B-A3F329AA99DB}" = Catalyst Control Center InstallProxy
"{4786E500-4FA0-C30F-D4E8-0E3D70D86227}" = CCC Help Swedish
"{4F147AEF-790D-DBE2-5830-94D90C02AC24}" = Catalyst Control Center Graphics Full New
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
"{5985DD7D-67F4-DD15-8589-B3F43C4A111D}" = CCC Help Chinese Traditional
"{5D264375-3E92-7D10-F219-3536F5BAE7BA}" = CCC Help Japanese
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
"{5F98C4EE-879F-232C-3F44-0BBFAB6A29D4}" = CCC Help Polish
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{61F8A9EC-5CB4-0001-FF88-C469156BA14C}" = CCC Help German
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{67830C2E-0345-7CE7-3829-8AB3D34E3AEB}" = CCC Help Turkish
"{6A9B4C2D-E651-6DD7-EC1D-AF331F250AB8}" = ccc-core-static
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6DEEDB89-D449-B985-4E0E-91D45AF66DFF}" = CCC Help Spanish
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7513A376-16F0-7E53-5CA1-7DA10A6216BC}" = CCC Help Danish
"{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Disk Creator Reminder
"{7C30283C-8DC7-4FBB-805E-52BEA5F580E8}" = Toshiba TEMPRO
"{811EF3A7-0861-0B8F-5432-3052E8230DC0}" = Catalyst Control Center Graphics Light
"{8259E348-50E8-A3C8-52B8-699DFDD31BA8}" = CCC Help Finnish
"{85E4952C-8C85-A58D-B9D9-783D1FADB775}" = Skins
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{8921F4ED-A696-D629-45E6-45A43A0F4FF0}" = CCC Help Czech
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{98C70B57-4930-7088-22F4-93FC196938D0}" = CCC Help Chinese Standard
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{A6137721-B2D0-1DAF-0B19-12AB0D065C45}" = Catalyst Control Center Core Implementation
"{AC1A4255-0EC8-585B-2D1A-8306C07F2B91}" = CCC Help Hungarian
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1031-7B44-A90000000001}" = Adobe Reader 9 - Deutsch
"{AEE65D6C-EDF4-B3E1-00CD-B17A6FC6BC6A}" = CCC Help Italian
"{B0E5D7E7-A106-458F-BA7B-2F8CAEA3BF16}" = PlayReady PC runtime
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{B9F119C0-6886-A250-BF18-3ABEAA26F6A5}" = CCC Help Korean
"{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{DB64C016-1705-36E9-1AEA-C2D4738BDE9A}" = CCC Help Norwegian
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DE2E45A2-31B1-7D26-2701-B1244763DE10}" = CCC Help Portuguese
"{E16087F4-3CE3-B644-A5F5-503F55F34CC0}" = CCC Help Russian
"{E4FD13E2-1638-A5B8-E28A-54D39F13D747}" = Catalyst Control Center Graphics Previews Vista
"{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{F0A386D2-6E15-4A8F-A04E-87CE9BED0D48}" = TOSHIBA ConfigFree
"{F0E4A500-34B5-E8B7-FC2C-3726A0577AAD}" = CCC Help French
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F34009E9-6EA5-F0D2-4D7D-A9CE421908B6}" = CCC Help Greek
"{F69114BE-EFDC-C756-1B38-ABD1E4873113}" = ccc-utility
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Google Desktop" = Google Desktop
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisorkennwort
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Disk Creator Reminder
"InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"MSC" = McAfee SecurityCenter
"myphotobook" = myphotobook 3.65
"Picasa2" = Picasa 2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WildTangent toshiba Master Uninstall" = WildTangent-Spiele
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =
[ System Events ]
Error - 22.06.2011 14:24:39 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 22.06.2011 14:24:38 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description =
Error - 24.06.2011 14:22:33 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description =
Error - 24.06.2011 14:24:09 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 27.06.2011 12:41:58 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description =
Error - 27.06.2011 12:43:36 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 28.06.2011 15:25:53 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description =
Error - 28.06.2011 15:27:37 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 29.06.2011 17:32:59 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description =
Error - 29.06.2011 17:34:43 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description =
< End of report >
|
|
30.06.2011, 17:04
| #12 |
| | gefälschte Windows Scan-Software "Security Protection" ... Und noch Gmer.txt: Code:
ATTFilter GMER 1.0.15.15640 - hxxp://www.gmer.net
Rootkit scan 2011-06-30 17:49:51
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG01
Running: g6okoo0z.exe; Driver: C:\Users\Doro\AppData\Local\Temp\kwtdapog.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8EC202CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8EC20268]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8EC2027C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8EC2030C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8EC2034F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8EC20240]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8EC20254]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8EC202E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8EC20377]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8EC20363]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8EC202BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8EC202A6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8EC2033B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8EC20322]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8EC202F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8EC20292]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 8203318C 5 Bytes JMP 8EC202FC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 821CD17C 5 Bytes JMP 8EC20353 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 821D4DCA 5 Bytes JMP 8EC20296 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 821EEF80 5 Bytes JMP 8EC2033F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8220E1CA 5 Bytes JMP 8EC20258 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 8221DB06 5 Bytes JMP 8EC20244 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8223071E 7 Bytes JMP 8EC20310 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82230D75 5 Bytes JMP 8EC20326 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82232F86 5 Bytes JMP 8EC202D2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82240644 5 Bytes JMP 8EC202AA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8224289E 7 Bytes JMP 8EC202E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82261402 5 Bytes JMP 8EC20367 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8226244E 5 Bytes JMP 8EC2037B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822A0171 5 Bytes JMP 8EC2026C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822A01BC 7 Bytes JMP 8EC20280 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 822A0C7B 5 Bytes JMP 8EC202BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x82F4F480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x82F90900, 0x3CA, 0x48000040]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8DC09000, 0x263970, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00280F3E
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 0028008E
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 002800A9
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00280F1C
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00280F6A
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00280033
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00280F91
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00280FBD
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00280F59
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00280FA2
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 0028004E
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00280073
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 00280F01
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00280011
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00280000
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00280022
.text C:\Windows\system32\svchost.exe[284] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00280F2D
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wsystem 75EF8A47 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 000C004B
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!system 75EF8B63 5 Bytes JMP 000C003A
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 000C0029
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 000C000C
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 000C0FCA
.text C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 000C0FEF
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 002A0073
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 002A0051
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 002A0000
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 002A0062
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 002A0FB6
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 002A0FE5
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 002A001B
.text C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 002A0040
.text C:\Windows\system32\svchost.exe[284] WS2_32.dll!socket 773336D1 5 Bytes JMP 00880000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[480] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[480] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\services.exe[720] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00110F77
.text C:\Windows\system32\services.exe[720] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 001100BD
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00110F4B
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00110F66
.text C:\Windows\system32\services.exe[720] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00110073
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00110FB9
.text C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00110062
.text C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00110040
.text C:\Windows\system32\services.exe[720] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00110F88
.text C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00110051
.text C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00110025
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00110098
.text C:\Windows\system32\services.exe[720] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 00110F3A
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00110FD4
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00110FEF
.text C:\Windows\system32\services.exe[720] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 0011000A
.text C:\Windows\system32\services.exe[720] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 001100D8
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00120FB9
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00120040
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00120FEF
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00120051
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00120FA8
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 0012002F
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 00120014
.text C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00120FD4
.text C:\Windows\system32\services.exe[720] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 0010004A
.text C:\Windows\system32\services.exe[720] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00100FB5
.text C:\Windows\system32\services.exe[720] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 0010001B
.text C:\Windows\system32\services.exe[720] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00100FE3
.text C:\Windows\system32\services.exe[720] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00100FC6
.text C:\Windows\system32\services.exe[720] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00100000
.text C:\Windows\system32\services.exe[720] WS2_32.dll!socket 773336D1 5 Bytes JMP 00890FE5
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 001900A7
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00190F6B
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00190F10
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00190F2B
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00190060
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00190FB2
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00190045
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 0019001E
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 0019007B
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00190F7C
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00190F97
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 0019008C
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 001900C2
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00190FDE
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00190FEF
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00190FC3
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00190F3C
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00800F83
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 0080001B
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00800000
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00800F9E
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00800040
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00800FCA
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 00800FE5
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00800FAF
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 0017005F
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00170044
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00170FEF
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00170000
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00170FDE
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00170029
.text C:\Windows\system32\lsass.exe[732] WS2_32.dll!socket 773336D1 5 Bytes JMP 0085000A
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 76D71929 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00240F2D
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00240F3E
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 002400A2
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00240F0B
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 0024005F
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 0024003D
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00240F85
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00240FC7
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00240F6A
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00240FAC
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 0024004E
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00240F4F
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 00240EF0
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00240011
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00240000
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 0024002C
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00240F1C
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00230051
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00230FBC
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00230FDE
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00230FCD
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00230FEF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 006F007D
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 006F0051
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 006F0000
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 006F006C
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 006F0FC0
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 006F0FEF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 006F0025
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 006F0040
.text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 773336D1 5 Bytes JMP 00700FEF
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00640F63
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00640F74
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00640F2D
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00640F3E
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 0064008E
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00640040
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00640FC0
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 0064006C
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 0064009F
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 0064007D
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 0064005B
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00640F85
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 006400D5
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 0064000A
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00640FEF
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 0064002F
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 006400C4
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00630014
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00630F89
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00630FB5
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00630FE3
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00630F9A
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00630FD2
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00650F83
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00650FAF
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00650000
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00650F94
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00650F72
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00650FE5
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 0065001B
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00650FCA
.text C:\Windows\system32\svchost.exe[968] WS2_32.dll!socket 773336D1 5 Bytes JMP 006A000A
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00910F66
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 009100A2
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 009100E9
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 009100D8
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00910F92
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00910040
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00910FA3
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00910062
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00910087
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00910FC0
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00910051
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00910F77
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 009100FA
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00910014
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00910FEF
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 0091002F
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 009100C7
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 0090004E
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00900FC3
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00900FEF
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 0090000C
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00900FD4
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 0090001D
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00920040
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00920025
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00920FE5
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00920F94
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00920051
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00920FD4
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 0092000A
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00920FC3
.text C:\Windows\System32\svchost.exe[1124] WS2_32.dll!socket 773336D1 5 Bytes JMP 0093000A
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 016400AE
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 0164009D
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 016400E4
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 016400C9
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 01640F83
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 01640036
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 01640F94
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 01640051
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 01640078
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 01640FA5
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 01640FCA
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 01640F72
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 01640F32
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 01640014
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 01640FEF
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 01640025
.text C:\Windows\System32\svchost.exe[1172] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 01640F4D
.text C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00DF0040
.text C:\Windows\System32\svchost.exe[1172] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00DF0FB5
.text C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00DF0FC6
.text C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00DF001B
.text C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 01650F9E
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 01650025
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 01650000
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 01650036
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 01650F8D
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 01650FD4
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 01650FEF
.text C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 01650FB9
.text C:\Windows\System32\svchost.exe[1172] WS2_32.dll!socket 773336D1 5 Bytes JMP 01660FEF
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00D8007D
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00D80F37
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00D8009F
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00D8008E
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00D80036
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00D80FAF
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00D80025
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00D80F79
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00D80051
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00D80F68
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00D80F9E
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00D8006C
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 00D80EED
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00D80FE5
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00D80000
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00D80FD4
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00D80F12
.text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00D70F77
.text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00D70F9C
.text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00D7000C
.text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00D70FEF
.text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00D70FAD
.text C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00D70FD2
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00D90FAF
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00D9002C
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00D90FE5
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00D90051
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00D90F94
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00D90011
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 00D90000
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00D90FC0
.text C:\Windows\system32\svchost.exe[1208] WS2_32.dll!socket 773336D1 5 Bytes JMP 00DE0FEF
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 009C00BA
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 009C0F74
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 009C00CB
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 009C0F3E
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 009C0069
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 009C002C
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 009C0F8F
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 009C0047
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 009C007A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 009C0058
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 009C0FC0
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 009C009F
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 009C0F19
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 009C001B
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 009C0000
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 009C0FDB
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 009C0F59
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 009A0FB0
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!system 75EF8B63 5 Bytes JMP 009A0FC1
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 009A0016
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 009A0031
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 009A0FD2
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 009D0F97
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 009D001E
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 009D002F
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 009D0F7C
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 009D0FCD
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 009D0FDE
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 009D0FBC
.text C:\Windows\system32\svchost.exe[1380] WS2_32.dll!socket 773336D1 5 Bytes JMP 00D70FEF
.text C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenA 75BE03DD 5 Bytes JMP 00210FE5
.text C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenUrlA 75BE20A3 5 Bytes JMP 00210000
.text C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenW 75BE2A58 5 Bytes JMP 00210FD4
.text C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenUrlW 75C2B019 5 Bytes JMP 00210FAF
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 008A0F4A
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 008A0F65
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 008A00B5
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 008A0F1E
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 008A006E
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 008A0036
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 008A0F94
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 008A0051
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 008A007F
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 008A0FAF
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 008A0FCA
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 008A009A
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 008A00D0
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 008A000A
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 008A0FEF
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 008A001B
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 008A0F39
.text C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00890055
.text C:\Windows\system32\svchost.exe[1628] msvcrt.dll!system 75EF8B63 5 Bytes JMP 0089003A
.text C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00890018
.text C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00890FEF
.text C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00890029
.text C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00890FDE
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 008B0073
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 008B0051
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 008B0FEF
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 008B0062
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 008B008E
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 008B0025
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 008B0014
.text C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 008B0040
.text C:\Windows\system32\svchost.exe[1628] WS2_32.dll!socket 773336D1 5 Bytes JMP 00900000
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00720F11
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00720F22
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00720072
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00720EE5
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00720F58
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 0072001E
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00720F75
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00720F97
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00720F47
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00720F86
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00720FA8
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00720057
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 00720083
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00720FD4
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00720FE5
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00720FC3
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00720EF6
.text C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 006D0064
.text C:\Windows\system32\svchost.exe[1844] msvcrt.dll!system 75EF8B63 5 Bytes JMP 006D0053
.text C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 006D0027
.text C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 006D0000
.text C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 006D0038
.text C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 006D0FE3
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 0092008E
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00920062
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00920000
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00920073
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00920FD1
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00920022
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 00920011
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00920047
.text C:\Windows\system32\svchost.exe[1844] WS2_32.dll!socket 773336D1 5 Bytes JMP 00930000
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00060F30
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00060F41
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00060F04
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00060091
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00060062
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00060FB9
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00060047
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00060036
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00060F6D
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00060F8A
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00060025
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00060F52
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 000600C0
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00060FE5
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00060FCA
.text C:\Windows\System32\svchost.exe[2472] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00060F15
.text C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00050FB2
.text C:\Windows\System32\svchost.exe[2472] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00050FC3
.text C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00050022
.text C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00050033
.text C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00050011
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00070047
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00070FAF
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 0007002C
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00070F8A
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 0007001B
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 0007000A
.text C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 00070FCA
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 00010F4D
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00010093
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 000100C2
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00010F2B
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00010067
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00010FC3
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 00010F8D
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 00010039
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00010F68
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 0001004A
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 00010FB2
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00010078
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 000100DD
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00010FEF
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00010FD4
.text C:\Windows\Explorer.EXE[3752] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00010F3C
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00090FA5
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00090047
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00090000
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00090FC0
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00090062
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00090FDB
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 00090011
.text C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 0009002C
.text C:\Windows\Explorer.EXE[3752] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 000A0F86
.text C:\Windows\Explorer.EXE[3752] msvcrt.dll!system 75EF8B63 5 Bytes JMP 000A0011
.text C:\Windows\Explorer.EXE[3752] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 000A0FBC
.text C:\Windows\Explorer.EXE[3752] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 000A0000
.text C:\Windows\Explorer.EXE[3752] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 000A0FAB
.text C:\Windows\Explorer.EXE[3752] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 000A0FE3
.text C:\Windows\Explorer.EXE[3752] WS2_32.dll!socket 773336D1 5 Bytes JMP 000D000A
.text C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenA 75BE03DD 5 Bytes JMP 02DE0FEF
.text C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenUrlA 75BE20A3 5 Bytes JMP 02DE0025
.text C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenW 75BE2A58 5 Bytes JMP 02DE0014
.text C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenUrlW 75C2B019 5 Bytes JMP 02DE0FDE
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] kernel32.dll!ExitProcess 76D93B54 5 Bytes JMP 050520B4 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] USER32.dll!MessageBoxA 75FFD619 5 Bytes JMP 0505205E C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] USER32.dll!MessageBoxW 75FFD667 5 Bytes JMP 05052089 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!GetStartupInfoW 76D71929 5 Bytes JMP 000100A7
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!GetStartupInfoA 76D719C9 5 Bytes JMP 00010096
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateProcessW 76D71C01 5 Bytes JMP 00010F24
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateProcessA 76D71C36 5 Bytes JMP 00010F35
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!VirtualProtect 76D71DD1 5 Bytes JMP 00010067
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateNamedPipeW 76D75C44 5 Bytes JMP 00010FB2
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryExW 76D930C3 5 Bytes JMP 0001004A
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryW 76D9361F 5 Bytes JMP 0001002F
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!VirtualProtectEx 76D98D7E 5 Bytes JMP 00010F72
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryExA 76D99469 5 Bytes JMP 00010F97
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryA 76D99491 5 Bytes JMP 0001001E
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreatePipe 76DA0284 5 Bytes JMP 00010F61
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!GetProcAddress 76DBB8B6 5 Bytes JMP 000100CC
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateFileW 76DBCC4E 5 Bytes JMP 00010FDE
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateFileA 76DBCF71 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateNamedPipeA 76E0430E 5 Bytes JMP 00010FC3
.text C:\Windows\system32\svchost.exe[5916] kernel32.dll!WinExec 76E054FF 5 Bytes JMP 00010F50
.text C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_wsystem 75EF8A47 5 Bytes JMP 00050FB9
.text C:\Windows\system32\svchost.exe[5916] msvcrt.dll!system 75EF8B63 5 Bytes JMP 00050044
.text C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_creat 75EFC6F1 5 Bytes JMP 00050FDE
.text C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_open 75EFDA7E 5 Bytes JMP 00050FEF
.text C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_wcreat 75EFDC9E 5 Bytes JMP 00050033
.text C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_wopen 75EFDE79 5 Bytes JMP 00050018
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyExA 76FBB5E7 5 Bytes JMP 00060051
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyA 76FBB8AE 5 Bytes JMP 00060FC0
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyA 76FC0BF5 5 Bytes JMP 00060000
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyW 76FCB83D 5 Bytes JMP 00060FAF
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyExW 76FCBCE1 5 Bytes JMP 00060F94
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyExA 76FCD4E8 5 Bytes JMP 00060FDB
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyW 76FD3CB0 5 Bytes JMP 00060011
.text C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyExW 76FDF09D 5 Bytes JMP 0006002C
.text C:\Windows\system32\svchost.exe[5916] WS2_32.dll!socket 773336D1 5 Bytes JMP 00190FE5
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- EOF - GMER 1.0.15 ----
Ja, ich weiß. Um das System sicherer zu machen, muss ich noch einige Maßnahmen treffen. Das werde ich auch noch tun, bevor er wieder "ans Netz" geht. Die Frage ist jetzt erstmal, ob die Neuinstallation den PC schon bereinigen konnte oder ob er noch "befallen" ist. Danke schon jetzt für die Antwort! |
|
30.06.2011, 19:28
| #13 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | gefälschte Windows Scan-Software "Security Protection" nach der Neuinstallation - wenn man sie komplett richtig ausgeführt hat nach Anleitung - ist eine weitere Analyse eigentlich unnötig. Hast du recovert und die ganze Software wie McAfee und zB Office war alles schon drauf? Meistens muss man nach dem Recovern noch ne gnze Menge unnötigen Kram per Hand deinstallieren, also über die Systemsteuerung.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
05.07.2011, 19:11
| #14 |
| | gefälschte Windows Scan-Software "Security Protection" Die Deinstallation kommt noch. Ich bin gerade dabei, die Anleitung durchzuarbeiten: "Anleitung: Maßnahmen zur Absicherung des Rechners". - Muss ich bei Vista auch den InternetExplorer mit der Reg-Datei (die es unter hxxp://oschad.de/wiki/InternetExplorer gibt) deaktivieren? Oder gilt das nur für XP? (Habe nämlich auch erst meinen XP-Rechner neuinstalliert) |
|
06.07.2011, 09:26
| #15 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | gefälschte Windows Scan-Software "Security Protection" Wenn du den IE "aussperren" willst - kann man machen. Für Windowsupdates und andere Seiten darf der IE ja raus. Steht auch so in dieser explorer.reg von O. Schad, hier ein Auszug: Code:
ATTFilter ; Ausnahmeliste - die Ausnahmeliste muss jeder unter Umständen selbst definieren.
; Erlaubt ist hier nur Windowsupdate.
; weitere mögliche Einträge
; ein LAN 192.168.240.0/24: 192.168.240.*
; Kaspersky: kaspersky-labs.com;*.kaspersky-labs.com
; MS Messenger: passport.com;*.passport.com
"ProxyOverride"="*.windowsupdate.com;windowsupdate.microsoft.com;*.windowsupdate.microsoft.com;wustat.microsoft.com;*.microsoft.nsatc.net;update.microsoft.com;*.update.microsoft.com;*.activex.microsoft.com;*.codecs.microsoft.com;*.c.microsoft.com;*.genuine.microsoft.com"
; Adresse des Proxys. Die Adress 127.0.0.1:9 bewirkt, dass Anfragen des IE nicht mehr beantwortet werden
; und somit der IE faktisch stillgelegt ist. Für lokale Anwendungen jedoch ist der
; IE weiter nutzbar, wie zum Beispiel die Windows-Hilfe.
"ProxyServer"="127.0.0.1:9"
__________________ Logfiles bitte immer in CODE-Tags posten |
|
| Themen zu gefälschte Windows Scan-Software "Security Protection" |
| administrator, antivir, aufspielen, avira, avira antivir, bli, blinkt, board, computer, deinstallation, desktop, folge, freundin, gefÄlscht, hochfahren, infected, keine installation möglich, malware, malware protection, not, problem, programm, scan, scan-software, security, security protection, starten, system, windows |
Textbox.
.
