
Pests of all kinds and how to fight them: fake Windows scan software "Security Protection"


Old 06.06.2011, 20:22   #1
plastefuchs1

Fake Windows scan software "Security Protection"



Hello,

I have the following problem with my computer (= my girlfriend's PC):
A fake malware-protection program called "Security Protection" has lodged itself in the system. This software shows the message (in the speech bubble at the bottom right):
TCrdMain.exe can not start
File TCrdMain.exe is infected by W32/Blaster.worm
Please activate Security Protection to protect your computer.

Sometimes another supposed virus alert briefly flashes up as well.
In addition, after Windows boots the software tries to run a scan with the aim of getting you to "activate" it.

Installed system: Windows Vista
Antivirus program: Avira AntiVir Personal

Already installed software cannot be opened. I cannot open AntiVir either, so I cannot run a scan. I tried to uninstall AntiVir in order to reinstall it, but even the uninstall was not possible.
I then downloaded the "Defogger" offered here on the board to the desktop and tried to run it (as administrator), but that is not possible either.

Should I try starting OTL? Or how should I proceed?

Many thanks in advance for the help!

SR

Old 06.06.2011, 21:16   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™



Hello and

Please do a routine full scan with Malwarebytes and post the log.
Remember that Malwarebytes must be updated manually before every scan!

If there are logs from older Malwarebytes scans, please post all of those as well!


Then an OTL custom scan:


Custom scan with OTL

If you don't have it yet, please download OTL from Oldtimer and save it to your desktop
  • Please start OTL.exe.
    Vista and Win7 users: right-click, "Run as administrator"
  • Now copy the content into the text box.
Code:
ATTFilter
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
wininit.exe
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT
         
  • Now please close all programs. (Important)
  • Now please click the Quick Scan button.
  • Click on .
  • Now copy the content of OTL.txt into your thread here
__________________

__________________
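The OTL custom scan requested above produces a text log whose lines follow a fixed layout (the PRC/SRV/DRV entries and the O4 autorun and O35/O37 file-association entries that appear later in this thread). As an added example that is not part of the original post and not OldTimer's code, the following Python script parses constructed sample lines in that layout and flags the entries a helper looks at first: executables with no company name in their version info, executables running from user-writable data folders, and an exefile/comfile open command that differs from the Windows default `"%1" %*`. The sample lines and the `example-rogue` names are constructed placeholders, and the line formats are assumed from the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the OTL report format seen in this thread.
# The "example-rogue" names and paths are placeholders, not a real sample.
SAMPLE_LOG = r"""
PRC - [2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
PRC - [2011.06.05 19:01:12 | 000,312,320 | ---- | M] () -- C:\ProgramData\example-rogue.exe
SRV - [2009.04.24 10:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [example-rogue] C:\Users\user\AppData\Roaming\example-rogue.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\ProgramData\example-rogue.exe" "%1" %*
"""

# PRC/MOD/SRV/DRV lines: "[date | size | attrs | M] (company) [state] -- path -- (service name)"
EXE_LINE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\)(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \(.*\))?$"
)
# O4 autorun entries: "O4 - HKLM..\Run: [name] path (company)"
RUN_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# O35/O37 file-association entries: "O35 - HKLM\..exefile [open] -- command"
ASSOC_LINE = re.compile(r"^(?P<kind>O35|O37) - (?P<key>.+?) -- (?P<command>.+)$")

# Folders a standard user can write to; legitimate services rarely run from here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")
# Default Windows open command for .exe/.com (matches the clean values in this thread's log).
CLEAN_ASSOC = '"%1" %*'


@dataclass
class Finding:
    line: str
    reasons: list[str]


def triage_line(line: str) -> list[str]:
    """Return the reasons a single OTL line deserves a closer look (empty if none)."""
    reasons: list[str] = []
    m = EXE_LINE.match(line) or RUN_LINE.match(line)
    if m:
        company = m.group("company").strip()
        path = m.group("path").strip().lower()
        if not company:
            reasons.append("no company name in the file's version info")
        if any(tok in path for tok in USER_WRITABLE):
            reasons.append("executable lives in a user-writable data folder")
        return reasons
    m = ASSOC_LINE.match(line)
    if m and m.group("command").strip() != CLEAN_ASSOC:
        reasons.append(f"{m.group('key')} open command is not the default {CLEAN_ASSOC}")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk a whole OTL log and collect every line with at least one reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it as a script to print the flagged sample lines, or call `triage()` on the text of a real OTL.txt. It only narrows the list for a human reviewer: an empty company field or an odd path is a prompt to look closer, not proof that a file is malicious.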

Old 06.06.2011, 21:36   #3
plastefuchs1



Unfortunately I can't run Malwarebytes correctly either. When running it (as admin), the language-selection window appears briefly and then it is blocked right away. At the bottom right of the taskbar a message briefly appears:
mbam-setup-1.51.0.1200.tmp can not start
File mbam-setup-1.51.0.1200.tmp is infected by W32/Blaster.worm
Please activate Security Protection to protect your computer.

After that the speech bubble mentioned above appears again with
TCrdMain.exe can not start
__________________

Old 06.06.2011, 21:42   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™



Already tried this => http://www.trojaner-board.de/82699-m...tet-nicht.html
If necessary, try it together with the random installer, in case there are already problems during installation or download => http://malwarebytes.org/mbam-download-exe-random.php
__________________
Please always post logs in CODE tags

Old 06.06.2011, 22:14   #5
plastefuchs1



I tried it with the recommended guide - unfortunately without success. I renamed mbam-setup-1.51.0.1200.exe on the desktop to .com, but I cannot find the file under C:\Programme (or a similar Programs folder), since the installation of Malwarebytes was not possible in the first place.
When trying to run the random installer, I only got the error message
C:\Users\***\Desktop\czoxovlu00.exe ist keine zulässige Win32-Anwendung.
Or did I do something wrong in handling it?!?

Under the guide "What to do if MalwareBytes Anti-Malware does not start" there was a further link to "OTH - OTHelper - Kill All Processes". Should I try this too or not?

SR


Old 07.06.2011, 11:19   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™



Then please do the OTL log first
__________________

Old 07.06.2011, 13:04   #7
plastefuchs1



Thanks for your help so far!

OTL cannot be run either. The start window appears very briefly and then nothing more can be done. I also tried pressing "Enter" right when the window briefly appeared, since the "Scan" button is selected in the start window - hoping it would start the scan. That didn't work either.

Old 07.06.2011, 14:07   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™



Then almost all analysis options are already blocked for us.
Do you want to continue - with considerably more effort - or format right away and do a fresh installation?
__________________
Please always post logs in CODE tags

Old 07.06.2011, 18:53   #9
plastefuchs1



O.K., then a fresh install after all.
Is it then actually guaranteed that the virus is gone? (I once read that a virus can still be on the computer even after a reinstall - but I don't remember where.) Or does that only serve to let us analyse better?
The only small catch is that the Windows CD is currently at my parents', so we can only get to it in a good week. Will this thread still be open then?

Old 07.06.2011, 22:31   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™



Yes, it will still be open here. Then just follow the article on reinstalling Windows. If you still want to rescue data, follow the 2nd link in my signature.
__________________
Please always post logs in CODE tags

Old 30.06.2011, 18:00   #11
plastefuchs1



Hi,

sorry, it took a bit longer.

Here are the log files now:
OTL.txt:
Code:
ATTFilter
OTL logfile created on: 29.06.2011 22:48:56 - Run 1
OTL by OldTimer - Version 3.2.24.1     Folder = C:\Users\Doro\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,96 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 70,17% Memory free
6,13 Gb Paging File | 5,17 Gb Available in Paging File | 84,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 186,52 Gb Total Space | 166,75 Gb Free Space | 89,40% Space Free | Partition Type: NTFS
Drive D: | 7,41 Gb Total Space | 3,17 Gb Free Space | 42,85% Space Free | Partition Type: FAT32
Drive E: | 184,62 Gb Total Space | 170,89 Gb Free Space | 92,56% Space Free | Partition Type: NTFS
 
Computer Name: DORO-PC | User Name: Doro | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe
PRC - [2009.05.12 21:26:42 | 000,299,008 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2009.04.24 10:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TECO\TecoService.exe
PRC - [2009.04.24 10:40:08 | 001,323,008 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TECO\TEco.exe
PRC - [2009.04.23 19:01:24 | 001,011,712 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
PRC - [2009.04.21 21:07:32 | 000,303,104 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009.04.21 21:07:04 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009.04.16 17:42:58 | 000,020,544 | ---- | M] (TOSHIBA) -- C:\Programme\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
PRC - [2009.04.15 16:04:02 | 000,570,736 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TPHM\TPCHWMsg.exe
PRC - [2009.04.15 16:03:40 | 000,656,752 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TPHM\TPCHSrv.exe
PRC - [2009.04.01 17:11:06 | 001,283,384 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
PRC - [2009.04.01 17:10:58 | 000,062,776 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
PRC - [2009.03.31 09:33:52 | 000,503,808 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\SmoothView\SmoothView.exe
PRC - [2009.03.30 15:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2009.03.23 13:30:52 | 001,045,904 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\Toshiba TEMPRO\TemproTray.exe
PRC - [2009.03.23 13:30:36 | 000,116,104 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\Toshiba TEMPRO\TemproSvc.exe
PRC - [2009.03.23 10:50:40 | 000,729,088 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\FlashCards\TCrdMain.exe
PRC - [2009.03.17 10:49:04 | 000,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
PRC - [2009.03.16 18:54:18 | 006,158,240 | ---- | M] (TOSHIBA) -- C:\Programme\TOSHIBA\Toshiba Online Product Information\TOPI.exe
PRC - [2009.03.10 17:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009.03.10 17:50:36 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\CFSwMgr.exe
PRC - [2009.03.06 17:29:16 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2009.03.06 17:29:04 | 000,468,320 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2009.03.04 14:53:34 | 000,096,144 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\TOSHIBA\Registration\ToshibaReminder.exe
PRC - [2009.01.13 20:33:40 | 000,034,088 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\Utilities\KeNotify.exe
PRC - [2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.09.26 19:00:32 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\VirusScan\Mcshield.exe
PRC - [2008.09.26 18:23:58 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\VirusScan\mcsysmon.exe
PRC - [2008.09.23 12:48:18 | 000,792,184 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MSC\mcmscsvc.exe
PRC - [2008.09.23 12:48:18 | 000,781,288 | ---- | M] (McAfee, Inc.) -- c:\Programme\McAfee\MSC\mcupdmgr.exe
PRC - [2008.09.23 12:48:18 | 000,641,208 | ---- | M] (McAfee, Inc.) -- c:\Programme\McAfee.com\Agent\mcagent.exe
PRC - [2008.09.22 12:19:14 | 000,025,416 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MSK\msksrver.exe
PRC - [2008.09.18 09:43:58 | 000,198,432 | ---- | M] () -- C:\Programme\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008.09.12 15:54:58 | 000,884,360 | ---- | M] (McAfee, Inc.) -- C:\Programme\McAfee\MPF\MpfSrv.exe
PRC - [2008.09.12 09:19:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Programme\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008.09.09 23:33:40 | 000,359,248 | ---- | M] (McAfee, Inc.) -- c:\Programme\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2008.01.21 03:24:13 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.01.21 03:23:33 | 000,192,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wsqmcons.exe
PRC - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe
MOD - [2008.09.18 09:44:00 | 000,012,576 | ---- | M] () -- C:\Programme\McAfee\SiteAdvisor\sahook.dll
MOD - [2008.01.21 03:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2009.06.09 10:27:24 | 000,111,088 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\ProgramData\Partner\partner.exe -- (Partner Service)
SRV - [2009.04.24 10:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV - [2009.04.21 21:07:04 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009.04.16 17:42:58 | 000,020,544 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Programme\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe -- (camsvc)
SRV - [2009.04.15 16:03:40 | 000,656,752 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV - [2009.04.01 17:10:58 | 000,062,776 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Programme\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009.03.30 15:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2009.03.23 13:30:36 | 000,116,104 | ---- | M] (Toshiba Europe GmbH) [Auto | Running] -- C:\Program Files\Toshiba TEMPRO\TemproSvc.exe -- (TemproMonitoringService) Notebook Performance Tuning Service (TEMPRO)
SRV - [2009.03.17 10:49:04 | 000,073,728 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV - [2009.03.10 17:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2009.03.06 17:29:16 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2009.02.11 12:05:16 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008.09.26 20:43:06 | 000,363,024 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Programme\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2008.09.26 19:00:32 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Programme\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2008.09.26 18:23:58 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Programme\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2008.09.23 12:48:18 | 000,792,184 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Programme\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2008.09.22 12:19:14 | 000,025,416 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2008.09.18 09:43:58 | 000,198,432 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2008.09.12 15:54:58 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2008.09.12 09:19:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Programme\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008.09.09 23:33:40 | 000,359,248 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Programme\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2008.01.21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2009.04.24 13:29:28 | 000,163,840 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009.04.21 22:30:14 | 004,491,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009.03.20 22:29:18 | 000,012,920 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\TVALZFL.sys -- (TVALZFL)
DRV - [2009.03.20 20:09:52 | 000,491,008 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192se.sys -- (rtl8192se)
DRV - [2009.03.18 10:44:54 | 000,022,272 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PGEffect.sys -- (PGEffect)
DRV - [2009.01.27 18:12:14 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008.11.11 17:29:42 | 000,154,272 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2008.09.26 19:01:12 | 000,212,968 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008.09.26 19:01:12 | 000,079,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008.09.26 19:01:12 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2008.09.26 19:01:12 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008.09.26 19:00:40 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008.08.26 12:51:36 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008.05.07 10:30:12 | 000,025,896 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter)
DRV - [2007.12.14 10:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007.11.09 13:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007.04.23 09:50:50 | 000,025,896 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | System | Running] -- C:\Windows\System32\drivers\RtlProt.sys -- (RtlProt)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEG&bmod=TSEG;
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEG&bmod=TSEG;
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEG&bmod=TSEG;
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011.06.22 20:29:44 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - C:\Programme\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll (Google Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programme\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [00TCrdMain] C:\Programme\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [cfFncEnabler.exe] C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe (Toshiba Corporation)
O4 - HKLM..\Run: [HSON] C:\Programme\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [KeNotify] C:\Programme\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NDSTray.exe] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [SmartFaceVWatcher] C:\Programme\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Programme\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Toshiba Registration] C:\Programme\TOSHIBA\Registration\ToshibaReminder.exe (Toshiba Europe GmbH)
O4 - HKLM..\Run: [Toshiba TEMPRO] C:\Programme\Toshiba TEMPRO\TemproTray.exe (Toshiba Europe GmbH)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosSENotify] C:\Programme\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPCHWMsg] C:\Programme\TOSHIBA\TPHM\TPCHWMsg.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TOSHIBA Online Product Information] C:\Programme\TOSHIBA\Toshiba Online Product Information\TOPI.exe (TOSHIBA)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: eBay - {76577871-04EC-495E-A12B-91F7C3600AFA} -  File not found
O9 - Extra Button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} -  File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Programme\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll (Google Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Toshiba\WALLPAPERS\Wallpaper1.jpg
O24 - Desktop BackupWallPaper: C:\Toshiba\WALLPAPERS\Wallpaper1.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - 
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - 
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.06.29 22:44:18 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe
[2011.06.29 22:43:22 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\Adobe
[2011.06.29 22:43:22 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Adobe
[2011.06.22 20:32:16 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\ATI
[2011.06.22 20:32:16 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\ATI
[2011.06.22 20:32:02 | 000,000,000 | ---D | C] -- C:\Users\Doro\Documents\Eigene Google Gadgets
[2011.06.22 20:32:00 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Toshiba
[2011.06.22 20:31:53 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Google
[2011.06.22 20:31:40 | 000,000,000 | R--D | C] -- C:\Users\Doro\Searches
[2011.06.22 20:31:40 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011.06.22 20:31:33 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\Identities
[2011.06.22 20:31:30 | 000,000,000 | R--D | C] -- C:\Users\Doro\Contacts
[2011.06.22 20:31:26 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\VirtualStore
[2011.06.22 20:28:51 | 000,000,000 | ---D | C] -- C:\ProgramData\ToshibaEurope
[2011.06.22 20:28:36 | 000,000,000 | --SD | C] -- C:\Users\Doro\AppData\Roaming\Microsoft
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Videos
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Saved Games
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Pictures
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Music
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Links
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Favorites
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Downloads
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Documents
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\Desktop
[2011.06.22 20:28:36 | 000,000,000 | R--D | C] -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Vorlagen
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\AppData\Local\Verlauf
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\AppData\Local\Temporary Internet Files
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Startmenü
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\SendTo
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Recent
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Netzwerkumgebung
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Lokale Einstellungen
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Documents\Eigene Videos
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Documents\Eigene Musik
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Eigene Dateien
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Documents\Eigene Bilder
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Druckumgebung
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Cookies
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\AppData\Local\Anwendungsdaten
[2011.06.22 20:28:36 | 000,000,000 | -HSD | C] -- C:\Users\Doro\Anwendungsdaten
[2011.06.22 20:28:36 | 000,000,000 | -H-D | C] -- C:\Users\Doro\AppData
[2011.06.22 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Temp
[2011.06.22 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Local\Microsoft
[2011.06.22 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\Doro\AppData\Roaming\Media Center Programs
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Vorlagen
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Startmenü
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Programme
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Programme\Gemeinsame Dateien
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Favoriten
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Videos
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Musik
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Bilder
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Dokumente
[2011.06.22 20:24:57 | 000,000,000 | -HSD | C] -- C:\ProgramData\Anwendungsdaten
[2011.06.22 19:19:07 | 000,000,000 | ---D | C] -- C:\Windows\OemDrv
[2011.06.22 19:18:33 | 000,000,000 | ---D | C] -- C:\ProgramData\IsolatedStorage
[2011.06.22 19:15:45 | 000,000,000 | ---D | C] -- C:\Programme\Toshiba TEMPRO
[2011.06.22 19:15:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Toshiba TEMPRO
[2011.06.22 19:15:40 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Wise Installation Wizard
[2011.06.22 19:15:02 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Toshiba Shared
[2011.06.22 19:14:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TOSHIBA DVD PLAYER
[2011.06.22 19:13:17 | 001,069,056 | ---- | C] (The OpenSSL Project, hxxp://www.openssl.org/) -- C:\Windows\System32\libeay32.dll
[2011.06.22 19:13:17 | 000,155,648 | ---- | C] (TODO: <Company name>) -- C:\Windows\System32\IpLib.dll
[2011.06.22 19:13:17 | 000,025,896 | ---- | C] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\System32\drivers\RtlProt.sys
[2011.06.22 19:09:09 | 000,000,000 | ---D | C] -- C:\ProgramData\TOSHIBA
[2011.06.22 19:02:58 | 000,000,000 | ---D | C] -- C:\Programme\Synaptics
[2011.06.22 19:01:11 | 000,000,000 | ---D | C] -- C:\Programme\Realtek WLAN Driver
[2011.06.22 18:54:53 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2011.06.22 18:52:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center
[2011.06.22 18:51:47 | 000,000,000 | ---D | C] -- C:\Programme\ATI
[2011.06.22 18:51:46 | 000,000,000 | ---D | C] -- C:\Programme\ATI Technologies
[2011.06.22 18:51:44 | 000,303,104 | ---- | C] (AMD) -- C:\Windows\System32\atieclxx.exe
[2011.06.22 18:51:44 | 000,176,128 | ---- | C] (AMD) -- C:\Windows\System32\atiesrxx.exe
[2011.06.22 18:51:44 | 000,011,776 | ---- | C] (AMD) -- C:\Windows\System32\atimuixx.dll
[2011.06.22 18:50:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011.06.22 18:48:20 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2011.06.22 18:46:00 | 000,000,000 | -HSD | C] -- C:\System Volume Information
 
========== Files - Modified Within 30 Days ==========
 
[2011.06.29 22:45:03 | 000,618,442 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.06.29 22:45:03 | 000,587,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.06.29 22:45:03 | 000,122,842 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.06.29 22:45:03 | 000,101,250 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.06.29 22:44:57 | 000,000,000 | ---- | M] () -- C:\Users\Doro\defogger_reenable
[2011.06.29 22:43:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2011.06.29 22:33:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.06.29 22:33:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.06.29 22:32:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.06.29 22:32:53 | 3184,394,240 | -HS- | M] () -- C:\hiberfil.sys
[2011.06.28 20:29:53 | 000,003,295 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2011.06.22 19:22:01 | 000,060,826 | ---- | M] () -- C:\Windows\System32\license.rtf
[2011.06.22 19:21:32 | 000,000,000 | RHS- | M] () -- C:\Windows\System32\drivers\TOSHIBA_Satellite L500_09758-GR_PSLJ3E-01Y01.MRK
[2011.06.22 19:16:10 | 000,000,000 | ---- | M] () -- C:\Windows\NDSTray.INI
[2011.06.22 19:15:45 | 000,001,812 | ---- | M] () -- C:\Users\Public\Desktop\Toshiba TEMPRO-Meldungen.lnk
[2011.06.22 19:15:36 | 000,001,740 | ---- | M] () -- C:\Users\Public\Desktop\TOSHIBA Benutzerhandbuch.lnk
[2011.06.22 19:03:02 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01007.Wdf
[2011.06.22 18:54:22 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2011.06.22 18:47:48 | 000,297,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.06.20 17:23:04 | 000,302,592 | ---- | M] () -- C:\Users\Doro\Desktop\g6okoo0z.exe
[2011.06.20 17:22:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\Doro\Desktop\OTL.exe
[2011.06.20 17:21:58 | 000,050,477 | ---- | M] () -- C:\Users\Doro\Desktop\Defogger.exe
 
========== Files Created - No Company Name ==========
 
[2011.06.29 22:44:57 | 000,000,000 | ---- | C] () -- C:\Users\Doro\defogger_reenable
[2011.06.29 22:44:27 | 000,302,592 | ---- | C] () -- C:\Users\Doro\Desktop\g6okoo0z.exe
[2011.06.29 22:44:11 | 000,050,477 | ---- | C] () -- C:\Users\Doro\Desktop\Defogger.exe
[2011.06.29 22:43:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2011.06.22 20:31:41 | 000,000,954 | ---- | C] () -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011.06.22 20:31:40 | 000,000,949 | ---- | C] () -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011.06.22 20:31:29 | 000,000,920 | ---- | C] () -- C:\Users\Doro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
[2011.06.22 19:21:32 | 000,000,000 | RHS- | C] () -- C:\Windows\System32\drivers\TOSHIBA_Satellite L500_09758-GR_PSLJ3E-01Y01.MRK
[2011.06.22 19:16:10 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2011.06.22 19:15:45 | 000,001,812 | ---- | C] () -- C:\Users\Public\Desktop\Toshiba TEMPRO-Meldungen.lnk
[2011.06.22 19:15:36 | 000,001,740 | ---- | C] () -- C:\Users\Public\Desktop\TOSHIBA Benutzerhandbuch.lnk
[2011.06.22 19:13:17 | 000,131,072 | ---- | C] () -- C:\Windows\System32\EnumDevLib.dll
[2011.06.22 19:03:02 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01007.Wdf
[2011.06.22 18:54:22 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.06.22 18:54:21 | 3184,394,240 | -HS- | C] () -- C:\hiberfil.sys
[2011.06.22 18:51:44 | 000,294,912 | ---- | C] () -- C:\Windows\System32\ATIODE.exe
[2011.06.22 18:51:44 | 000,184,751 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011.06.22 18:51:44 | 000,167,952 | ---- | C] () -- C:\Windows\System32\atiumdva.cap
[2011.06.22 18:51:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011.06.22 18:51:44 | 000,045,056 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe
[2011.06.22 18:51:44 | 000,016,032 | ---- | C] () -- C:\Windows\atiogl.xml
[2009.06.09 10:02:11 | 000,045,056 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2009.06.09 09:59:07 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009.06.09 08:31:39 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.06.09 08:31:39 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008.09.02 01:32:38 | 000,028,672 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2008.01.21 08:15:58 | 000,618,442 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008.01.21 08:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008.01.21 08:15:58 | 000,122,842 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008.01.21 08:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 13:47:37 | 000,297,720 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:33:01 | 000,587,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 11:33:01 | 000,101,250 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 
========== LOP Check ==========
 
[2009.06.09 10:40:34 | 000,000,378 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2009.06.09 10:40:34 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2011.06.28 20:29:54 | 000,011,288 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
<  >
 
< %SYSTEMDRIVE%\*. >
[2011.06.22 20:35:31 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN
[2009.06.09 08:00:16 | 000,000,000 | -HSD | M] -- C:\Boot
[2006.11.02 14:02:03 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2011.06.22 20:24:57 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2009.06.09 10:35:09 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2011.06.22 20:24:57 | 000,000,000 | R--D | M] -- C:\Programme
[2011.06.22 20:28:51 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2011.06.22 20:24:57 | 000,000,000 | -HSD | M] -- C:\Programme
[2011.06.29 22:49:50 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2011.06.22 20:31:19 | 000,000,000 | ---D | M] -- C:\Toshiba
[2011.06.22 20:35:17 | 000,000,000 | R--D | M] -- C:\Users
[2011.06.22 19:19:07 | 000,000,000 | ---D | M] -- C:\Windows
[2009.06.09 10:32:47 | 000,000,000 | ---D | M] -- C:\Works
 
< %PROGRAMFILES%\*.exe >
 
< %LOCALAPPDATA%\*.exe >
 
< %systemroot%\*. /mp /s >
 
 
< MD5 for: EXPLORER.EXE  >
[2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\explorer.exe
[2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008.10.30 04:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2008.10.28 03:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008.01.21 03:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
 
< MD5 for: REGEDIT.EXE  >
[2008.01.21 03:24:53 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\regedit.exe
[2008.01.21 03:24:53 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe
 
< MD5 for: USERINIT.EXE  >
[2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008.01.21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008.01.21 03:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2008.01.21 03:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\System32\winlogon.exe
[2008.01.21 03:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
 
<           >

< End of report >
         
Extras.txt:
Code:
OTL Extras logfile created on: 29.06.2011 22:48:56 - Run 1
OTL by OldTimer - Version 3.2.24.1     Folder = C:\Users\Doro\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,96 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 70,17% Memory free
6,13 Gb Paging File | 5,17 Gb Available in Paging File | 84,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 186,52 Gb Total Space | 166,75 Gb Free Space | 89,40% Space Free | Partition Type: NTFS
Drive D: | 7,41 Gb Total Space | 3,17 Gb Free Space | 42,85% Space Free | Partition Type: FAT32
Drive E: | 184,62 Gb Total Space | 170,89 Gb Free Space | 92,56% Space Free | Partition Type: NTFS
 
Computer Name: DORO-PC | User Name: Doro | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D392AF4-E02D-4840-9748-95279A89D034}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{76E16E04-8DFF-4C27-A0BF-03C6BE3E78D2}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe | 
"{B8C8DBE5-A08E-41A0-8EBD-360346214769}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02CA24DD-C8B0-4280-BE53-7862869C2EB1}" = Realtek WiFi Protected Setup Library
"{06223EA1-8977-4A44-B2AB-30FD78B7DCC1}" = CCC Help Thai
"{0CF37D58-38A8-E03F-8DD8-B01B55C09615}" = CCC Help English
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C971EE3-B4C4-4367-9676-57549919C6CE}" = TOSHIBA Benutzerhandbücher
"{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{27349465-3521-8214-5311-286D806C86C3}" = CCC Help Dutch
"{32762866-8C6E-437E-1E79-4506FEB7323A}" = Catalyst Control Center Graphics Full Existing
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3CAF2B2D-0DA3-7BD6-6701-E3D71992DB78}" = Catalyst Control Center Localization All
"{3D0DC563-4C99-4AB1-8C22-514940666938}" = Catalyst Control Center - Branding
"{4324E4DD-C67C-A413-5C12-5DC694A99AF6}" = ATI Catalyst Install Manager
"{45633D5F-76CE-B1D7-325B-A3F329AA99DB}" = Catalyst Control Center InstallProxy
"{4786E500-4FA0-C30F-D4E8-0E3D70D86227}" = CCC Help Swedish
"{4F147AEF-790D-DBE2-5830-94D90C02AC24}" = Catalyst Control Center Graphics Full New
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
"{5985DD7D-67F4-DD15-8589-B3F43C4A111D}" = CCC Help Chinese Traditional
"{5D264375-3E92-7D10-F219-3536F5BAE7BA}" = CCC Help Japanese
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
"{5F98C4EE-879F-232C-3F44-0BBFAB6A29D4}" = CCC Help Polish
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{61F8A9EC-5CB4-0001-FF88-C469156BA14C}" = CCC Help German
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{67830C2E-0345-7CE7-3829-8AB3D34E3AEB}" = CCC Help Turkish
"{6A9B4C2D-E651-6DD7-EC1D-AF331F250AB8}" = ccc-core-static
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6DEEDB89-D449-B985-4E0E-91D45AF66DFF}" = CCC Help Spanish
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7513A376-16F0-7E53-5CA1-7DA10A6216BC}" = CCC Help Danish
"{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Disk Creator Reminder
"{7C30283C-8DC7-4FBB-805E-52BEA5F580E8}" = Toshiba TEMPRO
"{811EF3A7-0861-0B8F-5432-3052E8230DC0}" = Catalyst Control Center Graphics Light
"{8259E348-50E8-A3C8-52B8-699DFDD31BA8}" = CCC Help Finnish
"{85E4952C-8C85-A58D-B9D9-783D1FADB775}" = Skins
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{8921F4ED-A696-D629-45E6-45A43A0F4FF0}" = CCC Help Czech
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{98C70B57-4930-7088-22F4-93FC196938D0}" = CCC Help Chinese Standard
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{A6137721-B2D0-1DAF-0B19-12AB0D065C45}" = Catalyst Control Center Core Implementation
"{AC1A4255-0EC8-585B-2D1A-8306C07F2B91}" = CCC Help Hungarian
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1031-7B44-A90000000001}" = Adobe Reader 9 - Deutsch
"{AEE65D6C-EDF4-B3E1-00CD-B17A6FC6BC6A}" = CCC Help Italian
"{B0E5D7E7-A106-458F-BA7B-2F8CAEA3BF16}" = PlayReady PC runtime
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{B9F119C0-6886-A250-BF18-3ABEAA26F6A5}" = CCC Help Korean
"{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{DB64C016-1705-36E9-1AEA-C2D4738BDE9A}" = CCC Help Norwegian
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DE2E45A2-31B1-7D26-2701-B1244763DE10}" = CCC Help Portuguese
"{E16087F4-3CE3-B644-A5F5-503F55F34CC0}" = CCC Help Russian
"{E4FD13E2-1638-A5B8-E28A-54D39F13D747}" = Catalyst Control Center Graphics Previews Vista
"{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{F0A386D2-6E15-4A8F-A04E-87CE9BED0D48}" = TOSHIBA ConfigFree
"{F0E4A500-34B5-E8B7-FC2C-3726A0577AAD}" = CCC Help French
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F34009E9-6EA5-F0D2-4D7D-A9CE421908B6}" = CCC Help Greek
"{F69114BE-EFDC-C756-1B38-ABD1E4873113}" = ccc-utility
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Google Desktop" = Google Desktop
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisorkennwort
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Disk Creator Reminder
"InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"MSC" = McAfee SecurityCenter
"myphotobook" = myphotobook 3.65
"Picasa2" = Picasa 2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WildTangent toshiba Master Uninstall" = WildTangent-Spiele
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:11 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.06.2011 17:35:12 | Computer Name = Doro-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
[ System Events ]
Error - 22.06.2011 14:24:39 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 22.06.2011 14:24:38 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 24.06.2011 14:22:33 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 24.06.2011 14:24:09 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 27.06.2011 12:41:58 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 27.06.2011 12:43:36 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 28.06.2011 15:25:53 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 28.06.2011 15:27:37 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 29.06.2011 17:32:59 | Computer Name = Doro-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 29.06.2011 17:34:43 | Computer Name = Doro-PC | Source = Service Control Manager | ID = 7000
Description = 
 
 
< End of report >
         
...

30.06.2011, 18:04   #12
plastefuchs1

... And also Gmer.txt:
Code:
GMER 1.0.15.15640 - hxxp://www.gmer.net
Rootkit scan 2011-06-30 17:49:51
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG01
Running: g6okoo0z.exe; Driver: C:\Users\Doro\AppData\Local\Temp\kwtdapog.sys


---- System - GMER 1.0.15 ----

Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwCreateFile [0x8EC202CE]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwCreateProcess [0x8EC20268]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwCreateProcessEx [0x8EC2027C]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwMapViewOfSection [0x8EC2030C]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwNotifyChangeKey [0x8EC2034F]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwOpenProcess [0x8EC20240]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwOpenThread [0x8EC20254]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwProtectVirtualMemory [0x8EC202E2]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwReplaceKey [0x8EC20377]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwRestoreKey [0x8EC20363]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwSetContextThread [0x8EC202BA]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwSetInformationProcess [0x8EC202A6]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwTerminateProcess [0x8EC2033B]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwUnmapViewOfSection [0x8EC20322]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwYieldExecution [0x8EC202F8]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    ZwCreateUserProcess [0x8EC20292]
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    NtCreateFile
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    NtMapViewOfSection
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    NtOpenProcess
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    NtOpenThread
Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)    NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwYieldExecution                                                                   8203318C 5 Bytes  JMP 8EC202FC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwNotifyChangeKey                                                                  821CD17C 5 Bytes  JMP 8EC20353 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwCreateUserProcess                                                                821D4DCA 5 Bytes  JMP 8EC20296 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwTerminateProcess                                                                 821EEF80 5 Bytes  JMP 8EC2033F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtOpenThread                                                                       8220E1CA 5 Bytes  JMP 8EC20258 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtOpenProcess                                                                      8221DB06 5 Bytes  JMP 8EC20244 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtMapViewOfSection                                                                 8223071E 7 Bytes  JMP 8EC20310 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwUnmapViewOfSection                                                               82230D75 5 Bytes  JMP 8EC20326 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtCreateFile                                                                       82232F86 5 Bytes  JMP 8EC202D2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!NtSetInformationProcess                                                            82240644 5 Bytes  JMP 8EC202AA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwProtectVirtualMemory                                                             8224289E 7 Bytes  JMP 8EC202E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwRestoreKey                                                                       82261402 5 Bytes  JMP 8EC20367 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwReplaceKey                                                                       8226244E 5 Bytes  JMP 8EC2037B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwCreateProcess                                                                    822A0171 5 Bytes  JMP 8EC2026C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwCreateProcessEx                                                                  822A01BC 7 Bytes  JMP 8EC20280 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE            ntkrnlpa.exe!ZwSetContextThread                                                                 822A0C7B 5 Bytes  JMP 8EC202BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text           C:\Windows\system32\DRIVERS\tos_sps32.sys                                                       section is writeable [0x82F4F480, 0x3C939, 0xE8000020]
.dsrt           C:\Windows\system32\DRIVERS\tos_sps32.sys                                                       unknown last section [0x82F90900, 0x3CA, 0x48000040]
.text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                        section is writeable [0x8DC09000, 0x263970, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!GetStartupInfoW                               76D71929 5 Bytes  JMP 00280F3E 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!GetStartupInfoA                               76D719C9 5 Bytes  JMP 0028008E 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateProcessW                                76D71C01 5 Bytes  JMP 002800A9 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateProcessA                                76D71C36 5 Bytes  JMP 00280F1C 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!VirtualProtect                                76D71DD1 5 Bytes  JMP 00280F6A 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateNamedPipeW                              76D75C44 5 Bytes  JMP 00280033 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryExW                                76D930C3 5 Bytes  JMP 00280F91 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryW                                  76D9361F 5 Bytes  JMP 00280FBD 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!VirtualProtectEx                              76D98D7E 5 Bytes  JMP 00280F59 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryExA                                76D99469 5 Bytes  JMP 00280FA2 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!LoadLibraryA                                  76D99491 5 Bytes  JMP 0028004E 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreatePipe                                    76DA0284 5 Bytes  JMP 00280073 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!GetProcAddress                                76DBB8B6 5 Bytes  JMP 00280F01 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateFileW                                   76DBCC4E 5 Bytes  JMP 00280011 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateFileA                                   76DBCF71 5 Bytes  JMP 00280000 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!CreateNamedPipeA                              76E0430E 5 Bytes  JMP 00280022 
.text           C:\Windows\system32\svchost.exe[284] kernel32.dll!WinExec                                       76E054FF 5 Bytes  JMP 00280F2D 
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wsystem                                        75EF8A47 1 Byte  [E9]
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wsystem                                        75EF8A47 5 Bytes  JMP 000C004B 
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!system                                          75EF8B63 5 Bytes  JMP 000C003A 
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!_creat                                          75EFC6F1 5 Bytes  JMP 000C0029 
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!_open                                           75EFDA7E 5 Bytes  JMP 000C000C 
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wcreat                                         75EFDC9E 5 Bytes  JMP 000C0FCA 
.text           C:\Windows\system32\svchost.exe[284] msvcrt.dll!_wopen                                          75EFDE79 5 Bytes  JMP 000C0FEF 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyExA                               76FBB5E7 5 Bytes  JMP 002A0073 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyA                                 76FBB8AE 5 Bytes  JMP 002A0051 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyA                                   76FC0BF5 5 Bytes  JMP 002A0000 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyW                                 76FCB83D 5 Bytes  JMP 002A0062 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegCreateKeyExW                               76FCBCE1 5 Bytes  JMP 002A0FB6 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyExA                                 76FCD4E8 5 Bytes  JMP 002A0FE5 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyW                                   76FD3CB0 5 Bytes  JMP 002A001B 
.text           C:\Windows\system32\svchost.exe[284] ADVAPI32.dll!RegOpenKeyExW                                 76FDF09D 5 Bytes  JMP 002A0040 
.text           C:\Windows\system32\svchost.exe[284] WS2_32.dll!socket                                          773336D1 5 Bytes  JMP 00880000 
.text           c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[480] kernel32.dll!LoadLibraryW                  76D9361F 5 Bytes  JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text           c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[480] kernel32.dll!LoadLibraryA                  76D99491 5 Bytes  JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text           C:\Windows\system32\services.exe[720] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 00110F77 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 001100BD 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 00110F4B 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 00110F66 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 00110073 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 00110FB9 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 00110062 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 00110040 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 00110F88 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 00110051 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 00110025 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 00110098 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 00110F3A 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 00110FD4 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 00110FEF 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 0011000A 
.text           C:\Windows\system32\services.exe[720] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 001100D8 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 00120FB9 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 00120040 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 00120FEF 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 00120051 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 00120FA8 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 0012002F 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 00120014 
.text           C:\Windows\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 00120FD4 
.text           C:\Windows\system32\services.exe[720] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 0010004A 
.text           C:\Windows\system32\services.exe[720] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 00100FB5 
.text           C:\Windows\system32\services.exe[720] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 0010001B 
.text           C:\Windows\system32\services.exe[720] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 00100FE3 
.text           C:\Windows\system32\services.exe[720] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00100FC6 
.text           C:\Windows\system32\services.exe[720] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 00100000 
.text           C:\Windows\system32\services.exe[720] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 00890FE5 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW                                 76D71929 5 Bytes  JMP 001900A7 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA                                 76D719C9 5 Bytes  JMP 00190F6B 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessW                                  76D71C01 5 Bytes  JMP 00190F10 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessA                                  76D71C36 5 Bytes  JMP 00190F2B 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtect                                  76D71DD1 5 Bytes  JMP 00190060 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW                                76D75C44 5 Bytes  JMP 00190FB2 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW                                  76D930C3 5 Bytes  JMP 00190045 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryW                                    76D9361F 5 Bytes  JMP 0019001E 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx                                76D98D7E 5 Bytes  JMP 0019007B 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA                                  76D99469 5 Bytes  JMP 00190F7C 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryA                                    76D99491 5 Bytes  JMP 00190F97 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreatePipe                                      76DA0284 5 Bytes  JMP 0019008C 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress                                  76DBB8B6 5 Bytes  JMP 001900C2 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileW                                     76DBCC4E 5 Bytes  JMP 00190FDE 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileA                                     76DBCF71 5 Bytes  JMP 00190FEF 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA                                76E0430E 5 Bytes  JMP 00190FC3 
.text           C:\Windows\system32\lsass.exe[732] kernel32.dll!WinExec                                         76E054FF 5 Bytes  JMP 00190F3C 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA                                 76FBB5E7 5 Bytes  JMP 00800F83 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA                                   76FBB8AE 5 Bytes  JMP 0080001B 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA                                     76FC0BF5 5 Bytes  JMP 00800000 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW                                   76FCB83D 5 Bytes  JMP 00800F9E 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW                                 76FCBCE1 5 Bytes  JMP 00800040 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA                                   76FCD4E8 5 Bytes  JMP 00800FCA 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW                                     76FD3CB0 5 Bytes  JMP 00800FE5 
.text           C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW                                   76FDF09D 5 Bytes  JMP 00800FAF 
.text           C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wsystem                                          75EF8A47 5 Bytes  JMP 0017005F 
.text           C:\Windows\system32\lsass.exe[732] msvcrt.dll!system                                            75EF8B63 5 Bytes  JMP 00170044 
.text           C:\Windows\system32\lsass.exe[732] msvcrt.dll!_creat                                            75EFC6F1 5 Bytes  JMP 00170FEF 
.text           C:\Windows\system32\lsass.exe[732] msvcrt.dll!_open                                             75EFDA7E 5 Bytes  JMP 00170000 
.text           C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wcreat                                           75EFDC9E 5 Bytes  JMP 00170FDE 
.text           C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wopen                                            75EFDE79 5 Bytes  JMP 00170029 
.text           C:\Windows\system32\lsass.exe[732] WS2_32.dll!socket                                            773336D1 5 Bytes  JMP 0085000A 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW                               76D71929 1 Byte  [E9]
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW                               76D71929 5 Bytes  JMP 00240F2D 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA                               76D719C9 5 Bytes  JMP 00240F3E 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW                                76D71C01 5 Bytes  JMP 002400A2 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA                                76D71C36 5 Bytes  JMP 00240F0B 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect                                76D71DD1 5 Bytes  JMP 0024005F 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW                              76D75C44 5 Bytes  JMP 0024003D 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW                                76D930C3 5 Bytes  JMP 00240F85 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW                                  76D9361F 5 Bytes  JMP 00240FC7 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx                              76D98D7E 5 Bytes  JMP 00240F6A 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA                                76D99469 5 Bytes  JMP 00240FAC 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA                                  76D99491 5 Bytes  JMP 0024004E 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe                                    76DA0284 5 Bytes  JMP 00240F4F 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress                                76DBB8B6 5 Bytes  JMP 00240EF0 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW                                   76DBCC4E 5 Bytes  JMP 00240011 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA                                   76DBCF71 5 Bytes  JMP 00240000 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA                              76E0430E 5 Bytes  JMP 0024002C 
.text           C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec                                       76E054FF 5 Bytes  JMP 00240F1C 
.text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem                                        75EF8A47 5 Bytes  JMP 00230051 
.text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!system                                          75EF8B63 5 Bytes  JMP 00230FBC 
.text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat                                          75EFC6F1 5 Bytes  JMP 00230FDE 
.text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open                                           75EFDA7E 5 Bytes  JMP 00230000 
.text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat                                         75EFDC9E 5 Bytes  JMP 00230FCD 
.text           C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen                                          75EFDE79 5 Bytes  JMP 00230FEF 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA                               76FBB5E7 5 Bytes  JMP 006F007D 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA                                 76FBB8AE 5 Bytes  JMP 006F0051 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA                                   76FC0BF5 5 Bytes  JMP 006F0000 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW                                 76FCB83D 5 Bytes  JMP 006F006C 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW                               76FCBCE1 5 Bytes  JMP 006F0FC0 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA                                 76FCD4E8 5 Bytes  JMP 006F0FEF 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW                                   76FD3CB0 5 Bytes  JMP 006F0025 
.text           C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW                                 76FDF09D 5 Bytes  JMP 006F0040 
.text           C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket                                          773336D1 5 Bytes  JMP 00700FEF 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW                               76D71929 5 Bytes  JMP 00640F63 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA                               76D719C9 5 Bytes  JMP 00640F74 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessW                                76D71C01 5 Bytes  JMP 00640F2D 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessA                                76D71C36 5 Bytes  JMP 00640F3E 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtect                                76D71DD1 5 Bytes  JMP 0064008E 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW                              76D75C44 5 Bytes  JMP 00640040 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW                                76D930C3 5 Bytes  JMP 00640FC0 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryW                                  76D9361F 5 Bytes  JMP 0064006C 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx                              76D98D7E 5 Bytes  JMP 0064009F 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA                                76D99469 5 Bytes  JMP 0064007D 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryA                                  76D99491 5 Bytes  JMP 0064005B 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreatePipe                                    76DA0284 5 Bytes  JMP 00640F85 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!GetProcAddress                                76DBB8B6 5 Bytes  JMP 006400D5 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileW                                   76DBCC4E 5 Bytes  JMP 0064000A 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileA                                   76DBCF71 5 Bytes  JMP 00640FEF 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA                              76E0430E 5 Bytes  JMP 0064002F 
.text           C:\Windows\system32\svchost.exe[968] kernel32.dll!WinExec                                       76E054FF 5 Bytes  JMP 006400C4 
.text           C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wsystem                                        75EF8A47 5 Bytes  JMP 00630014 
.text           C:\Windows\system32\svchost.exe[968] msvcrt.dll!system                                          75EF8B63 5 Bytes  JMP 00630F89 
.text           C:\Windows\system32\svchost.exe[968] msvcrt.dll!_creat                                          75EFC6F1 5 Bytes  JMP 00630FB5 
.text           C:\Windows\system32\svchost.exe[968] msvcrt.dll!_open                                           75EFDA7E 5 Bytes  JMP 00630FE3 
.text           C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wcreat                                         75EFDC9E 5 Bytes  JMP 00630F9A 
.text           C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wopen                                          75EFDE79 5 Bytes  JMP 00630FD2 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA                               76FBB5E7 5 Bytes  JMP 00650F83 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA                                 76FBB8AE 5 Bytes  JMP 00650FAF 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA                                   76FC0BF5 5 Bytes  JMP 00650000 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW                                 76FCB83D 5 Bytes  JMP 00650F94 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW                               76FCBCE1 5 Bytes  JMP 00650F72 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA                                 76FCD4E8 5 Bytes  JMP 00650FE5 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW                                   76FD3CB0 5 Bytes  JMP 0065001B 
.text           C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW                                 76FDF09D 5 Bytes  JMP 00650FCA 
.text           C:\Windows\system32\svchost.exe[968] WS2_32.dll!socket                                          773336D1 5 Bytes  JMP 006A000A 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 00910F66 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 009100A2 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 009100E9 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 009100D8 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 00910F92 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 00910040 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 00910FA3 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 00910062 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 00910087 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 00910FC0 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 00910051 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 00910F77 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 009100FA 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 00910014 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 00910FEF 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 0091002F 
.text           C:\Windows\System32\svchost.exe[1124] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 009100C7 
.text           C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 0090004E 
.text           C:\Windows\System32\svchost.exe[1124] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 00900FC3 
.text           C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 00900FEF 
.text           C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 0090000C 
.text           C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00900FD4 
.text           C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 0090001D 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 00920040 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 00920025 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 00920FE5 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 00920F94 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 00920051 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 00920FD4 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 0092000A 
.text           C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 00920FC3 
.text           C:\Windows\System32\svchost.exe[1124] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 0093000A 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 016400AE 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 0164009D 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 016400E4 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 016400C9 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 01640F83 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 01640036 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 01640F94 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 01640051 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 01640078 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 01640FA5 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 01640FCA 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 01640F72 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 01640F32 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 01640014 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 01640FEF 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 01640025 
.text           C:\Windows\System32\svchost.exe[1172] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 01640F4D 
.text           C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 00DF0040 
.text           C:\Windows\System32\svchost.exe[1172] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 00DF0FB5 
.text           C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 00DF0FC6 
.text           C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 00DF0FEF 
.text           C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00DF001B 
.text           C:\Windows\System32\svchost.exe[1172] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 00DF0000 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 01650F9E 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 01650025 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 01650000 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 01650036 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 01650F8D 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 01650FD4 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 01650FEF 
.text           C:\Windows\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 01650FB9 
.text           C:\Windows\System32\svchost.exe[1172] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 01660FEF 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 00D8007D 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 00D80F37 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 00D8009F 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 00D8008E 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 00D80036 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 00D80FAF 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 00D80025 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 00D80F79 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 00D80051 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 00D80F68 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 00D80F9E 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 00D8006C 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 00D80EED 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 00D80FE5 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 00D80000 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 00D80FD4 
.text           C:\Windows\system32\svchost.exe[1208] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 00D80F12 
.text           C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 00D70F77 
.text           C:\Windows\system32\svchost.exe[1208] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 00D70F9C 
.text           C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 00D7000C 
.text           C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 00D70FEF 
.text           C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00D70FAD 
.text           C:\Windows\system32\svchost.exe[1208] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 00D70FD2 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 00D90FAF 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 00D9002C 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 00D90FE5 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 00D90051 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 00D90F94 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 00D90011 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 00D90000 
.text           C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 00D90FC0 
.text           C:\Windows\system32\svchost.exe[1208] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 00DE0FEF 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 009C00BA 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 009C0F74 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 009C00CB 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 009C0F3E 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 009C0069 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 009C002C 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 009C0F8F 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 009C0047 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 009C007A 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 009C0058 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 009C0FC0 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 009C009F 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 009C0F19 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 009C001B 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 009C0000 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 009C0FDB 
.text           C:\Windows\system32\svchost.exe[1380] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 009C0F59 
.text           C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 009A0FB0 
.text           C:\Windows\system32\svchost.exe[1380] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 009A0FC1 
.text           C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 009A0016 
.text           C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 009A0FEF 
.text           C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 009A0031 
.text           C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 009A0FD2 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 009D0F97 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 009D001E 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 009D0FEF 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 009D002F 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 009D0F7C 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 009D0FCD 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 009D0FDE 
.text           C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 009D0FBC 
.text           C:\Windows\system32\svchost.exe[1380] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 00D70FEF 
.text           C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenA                                 75BE03DD 5 Bytes  JMP 00210FE5 
.text           C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenUrlA                              75BE20A3 5 Bytes  JMP 00210000 
.text           C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenW                                 75BE2A58 5 Bytes  JMP 00210FD4 
.text           C:\Windows\system32\svchost.exe[1380] WinInet.dll!InternetOpenUrlW                              75C2B019 5 Bytes  JMP 00210FAF 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 008A0F4A 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 008A0F65 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 008A00B5 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 008A0F1E 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 008A006E 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 008A0036 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 008A0F94 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 008A0051 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 008A007F 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 008A0FAF 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 008A0FCA 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 008A009A 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 008A00D0 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 008A000A 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 008A0FEF 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 008A001B 
.text           C:\Windows\system32\svchost.exe[1628] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 008A0F39 
.text           C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 00890055 
.text           C:\Windows\system32\svchost.exe[1628] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 0089003A 
.text           C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 00890018 
.text           C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 00890FEF 
.text           C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00890029 
.text           C:\Windows\system32\svchost.exe[1628] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 00890FDE 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 008B0073 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 008B0051 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 008B0FEF 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 008B0062 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 008B008E 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 008B0025 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 008B0014 
.text           C:\Windows\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 008B0040 
.text           C:\Windows\system32\svchost.exe[1628] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 00900000 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 00720F11 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 00720F22 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 00720072 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 00720EE5 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 00720F58 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 0072001E 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 00720F75 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 00720F97 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 00720F47 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 00720F86 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 00720FA8 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 00720057 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 00720083 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 00720FD4 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 00720FE5 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 00720FC3 
.text           C:\Windows\system32\svchost.exe[1844] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 00720EF6 
.text           C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 006D0064 
.text           C:\Windows\system32\svchost.exe[1844] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 006D0053 
.text           C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 006D0027 
.text           C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 006D0000 
.text           C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 006D0038 
.text           C:\Windows\system32\svchost.exe[1844] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 006D0FE3 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 0092008E 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 00920062 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 00920000 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 00920073 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 00920FD1 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 00920022 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 00920011 
.text           C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 00920047 
.text           C:\Windows\system32\svchost.exe[1844] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 00930000 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 00060F30 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 00060F41 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 00060F04 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 00060091 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 00060062 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 00060FB9 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 00060047 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 00060036 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 00060F6D 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 00060F8A 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 00060025 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 00060F52 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 000600C0 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 00060FE5 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 00060000 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 00060FCA 
.text           C:\Windows\System32\svchost.exe[2472] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 00060F15 
.text           C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 00050FB2 
.text           C:\Windows\System32\svchost.exe[2472] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 00050FC3 
.text           C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 00050022 
.text           C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 00050000 
.text           C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00050033 
.text           C:\Windows\System32\svchost.exe[2472] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 00050011 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 00070047 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 00070FAF 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 00070FEF 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 0007002C 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 00070F8A 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 0007001B 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 0007000A 
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 00070FCA 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!GetStartupInfoW                                      76D71929 5 Bytes  JMP 00010F4D 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!GetStartupInfoA                                      76D719C9 5 Bytes  JMP 00010093 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateProcessW                                       76D71C01 5 Bytes  JMP 000100C2 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateProcessA                                       76D71C36 5 Bytes  JMP 00010F2B 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!VirtualProtect                                       76D71DD1 5 Bytes  JMP 00010067 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateNamedPipeW                                     76D75C44 5 Bytes  JMP 00010FC3 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryExW                                       76D930C3 5 Bytes  JMP 00010F8D 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryW                                         76D9361F 5 Bytes  JMP 00010039 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!VirtualProtectEx                                     76D98D7E 5 Bytes  JMP 00010F68 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryExA                                       76D99469 5 Bytes  JMP 0001004A 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!LoadLibraryA                                         76D99491 5 Bytes  JMP 00010FB2 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreatePipe                                           76DA0284 5 Bytes  JMP 00010078 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!GetProcAddress                                       76DBB8B6 5 Bytes  JMP 000100DD 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateFileW                                          76DBCC4E 5 Bytes  JMP 0001000A 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateFileA                                          76DBCF71 5 Bytes  JMP 00010FEF 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateNamedPipeA                                     76E0430E 5 Bytes  JMP 00010FD4 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!WinExec                                              76E054FF 5 Bytes  JMP 00010F3C 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyExA                                      76FBB5E7 5 Bytes  JMP 00090FA5 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyA                                        76FBB8AE 5 Bytes  JMP 00090047 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyA                                          76FC0BF5 5 Bytes  JMP 00090000 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyW                                        76FCB83D 5 Bytes  JMP 00090FC0 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegCreateKeyExW                                      76FCBCE1 5 Bytes  JMP 00090062 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyExA                                        76FCD4E8 5 Bytes  JMP 00090FDB 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyW                                          76FD3CB0 5 Bytes  JMP 00090011 
.text           C:\Windows\Explorer.EXE[3752] ADVAPI32.dll!RegOpenKeyExW                                        76FDF09D 5 Bytes  JMP 0009002C 
.text           C:\Windows\Explorer.EXE[3752] msvcrt.dll!_wsystem                                               75EF8A47 5 Bytes  JMP 000A0F86 
.text           C:\Windows\Explorer.EXE[3752] msvcrt.dll!system                                                 75EF8B63 5 Bytes  JMP 000A0011 
.text           C:\Windows\Explorer.EXE[3752] msvcrt.dll!_creat                                                 75EFC6F1 5 Bytes  JMP 000A0FBC 
.text           C:\Windows\Explorer.EXE[3752] msvcrt.dll!_open                                                  75EFDA7E 5 Bytes  JMP 000A0000 
.text           C:\Windows\Explorer.EXE[3752] msvcrt.dll!_wcreat                                                75EFDC9E 5 Bytes  JMP 000A0FAB 
.text           C:\Windows\Explorer.EXE[3752] msvcrt.dll!_wopen                                                 75EFDE79 5 Bytes  JMP 000A0FE3 
.text           C:\Windows\Explorer.EXE[3752] WS2_32.dll!socket                                                 773336D1 5 Bytes  JMP 000D000A 
.text           C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenA                                         75BE03DD 5 Bytes  JMP 02DE0FEF 
.text           C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenUrlA                                      75BE20A3 5 Bytes  JMP 02DE0025 
.text           C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenW                                         75BE2A58 5 Bytes  JMP 02DE0014 
.text           C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenUrlW                                      75C2B019 5 Bytes  JMP 02DE0FDE 
.text           C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] kernel32.dll!ExitProcess  76D93B54 5 Bytes  JMP 050520B4 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text           C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] USER32.dll!MessageBoxA    75FFD619 5 Bytes  JMP 0505205E C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text           C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] USER32.dll!MessageBoxW    75FFD667 5 Bytes  JMP 05052089 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!GetStartupInfoW                              76D71929 5 Bytes  JMP 000100A7 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!GetStartupInfoA                              76D719C9 5 Bytes  JMP 00010096 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateProcessW                               76D71C01 5 Bytes  JMP 00010F24 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateProcessA                               76D71C36 5 Bytes  JMP 00010F35 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!VirtualProtect                               76D71DD1 5 Bytes  JMP 00010067 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateNamedPipeW                             76D75C44 5 Bytes  JMP 00010FB2 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryExW                               76D930C3 5 Bytes  JMP 0001004A 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryW                                 76D9361F 5 Bytes  JMP 0001002F 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!VirtualProtectEx                             76D98D7E 5 Bytes  JMP 00010F72 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryExA                               76D99469 5 Bytes  JMP 00010F97 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!LoadLibraryA                                 76D99491 5 Bytes  JMP 0001001E 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreatePipe                                   76DA0284 5 Bytes  JMP 00010F61 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!GetProcAddress                               76DBB8B6 5 Bytes  JMP 000100CC 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateFileW                                  76DBCC4E 5 Bytes  JMP 00010FDE 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateFileA                                  76DBCF71 5 Bytes  JMP 00010FEF 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!CreateNamedPipeA                             76E0430E 5 Bytes  JMP 00010FC3 
.text           C:\Windows\system32\svchost.exe[5916] kernel32.dll!WinExec                                      76E054FF 5 Bytes  JMP 00010F50 
.text           C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_wsystem                                       75EF8A47 5 Bytes  JMP 00050FB9 
.text           C:\Windows\system32\svchost.exe[5916] msvcrt.dll!system                                         75EF8B63 5 Bytes  JMP 00050044 
.text           C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_creat                                         75EFC6F1 5 Bytes  JMP 00050FDE 
.text           C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_open                                          75EFDA7E 5 Bytes  JMP 00050FEF 
.text           C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_wcreat                                        75EFDC9E 5 Bytes  JMP 00050033 
.text           C:\Windows\system32\svchost.exe[5916] msvcrt.dll!_wopen                                         75EFDE79 5 Bytes  JMP 00050018 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyExA                              76FBB5E7 5 Bytes  JMP 00060051 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyA                                76FBB8AE 5 Bytes  JMP 00060FC0 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyA                                  76FC0BF5 5 Bytes  JMP 00060000 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyW                                76FCB83D 5 Bytes  JMP 00060FAF 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegCreateKeyExW                              76FCBCE1 5 Bytes  JMP 00060F94 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyExA                                76FCD4E8 5 Bytes  JMP 00060FDB 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyW                                  76FD3CB0 5 Bytes  JMP 00060011 
.text           C:\Windows\system32\svchost.exe[5916] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 0006002C 
.text           C:\Windows\system32\svchost.exe[5916] WS2_32.dll!socket                                         773336D1 5 Bytes  JMP 00190FE5 

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                          mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                         Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                         Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Tcp                                                                         Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\tdx \Device\Udp                                                                         Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\tdx \Device\RawIp                                                                       Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \FileSystem\fastfat \Fat                                                                        fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                        mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
         

Yes, I know. To make the system more secure I still have to take a few measures. I will do that before it goes "online" again.
The question for now is whether the reinstallation was already able to clean the PC or whether it is still "infected".
Thanks already for the answer!
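The GMER log above ends with a long list of user-mode inline hooks (".text ... 5 Bytes JMP ..."). A practical first triage step is to group those lines by process and separate the hooks whose JMP target GMER could attribute to a module (the last column, for example GoogleServices.DLL) from those where that column is empty. The following parser is an added example written for this thread; it is not part of GMER or of the original post. The sample lines are copied from the log above; the regular expression and the "page" grouping of JMP targets (64 KiB granularity) are my own assumptions about how to read the format.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied verbatim from the GMER log in this thread.
SAMPLE_LOG = r"""
.text           C:\Windows\System32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExW                                76FDF09D 5 Bytes  JMP 00070FCA 
.text           C:\Windows\Explorer.EXE[3752] kernel32.dll!CreateProcessW                                       76D71C01 5 Bytes  JMP 000100C2 
.text           C:\Windows\Explorer.EXE[3752] WININET.dll!InternetOpenA                                         75BE03DD 5 Bytes  JMP 02DE0FEF 
.text           C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4904] kernel32.dll!ExitProcess  76D93B54 5 Bytes  JMP 050520B4 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
"""

# Assumed line layout: section, "process[pid]", "module!function", hooked address,
# patch size, "JMP target", and an optional owning module with vendor in parentheses.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s*(?P<owner>.*?)\s*$"
)


def parse_hooks(text):
    """Return one dict per recognised inline-hook line; unrelated lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["size"] = int(d["size"])
        d["address"] = int(d["address"], 16)
        d["target"] = int(d["target"], 16)
        hooks.append(d)  # d["owner"] is "" when GMER printed no module for the target
    return hooks


def triage(hooks):
    """Group hooks per process and split them into attributed / unattributed targets.

    target_pages collects the 64 KiB page of every JMP target, which makes it easy
    to see that all unattributed hooks of a process land in the same few regions.
    """
    report = defaultdict(lambda: {"attributed": [], "unattributed": [], "target_pages": set()})
    for h in hooks:
        key = f"{h['process']}[{h['pid']}]"
        bucket = "attributed" if h["owner"] else "unattributed"
        report[key][bucket].append(f"{h['module']}!{h['function']}")
        report[key]["target_pages"].add(h["target"] & ~0xFFFF)
    return dict(report)


if __name__ == "__main__":
    for proc, info in triage(parse_hooks(SAMPLE_LOG)).items():
        pages = ", ".join(f"{p:08X}" for p in sorted(info["target_pages"]))
        print(f"{proc}: {len(info['attributed'])} attributed, "
              f"{len(info['unattributed'])} unattributed, target pages: {pages}")
```

Run on the full log the script shows, per process, how many hooked APIs point into regions GMER could not name; which driver or product owns those regions is not something the parser can decide, it only narrows down what to look at next.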

Old 30.06.2011, 20:28   #13
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Fake Windows scan software "Security Protection"

After the reinstallation - if it was carried out completely and correctly according to the guide - a further analysis is actually unnecessary.

Did you run a recovery, and was all the software such as McAfee and e.g. Office already on it? Usually after a recovery you still have to uninstall a whole lot of unnecessary stuff by hand, i.e. via the Control Panel.
__________________
Please always post logs in CODE tags

Old 05.07.2011, 20:11   #14
plastefuchs1

The uninstalling is still to come.

I am currently working through the guide "Anleitung: Maßnahmen zur Absicherung des Rechners" (guide: measures for securing the computer). - On Vista, do I also have to disable Internet Explorer with the .reg file (available at hxxp://oschad.de/wiki/InternetExplorer)? Or does that only apply to XP? (I have just reinstalled my XP machine as well.)

Old 06.07.2011, 10:26   #15
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

If you want to "lock out" IE - you can do that. IE is still allowed out for Windows Update and other sites. That is also how it is set up in this explorer.reg by O. Schad, here is an excerpt:

Code:
; Exception list - everyone may have to define the exception list themselves.
; Only Windows Update is allowed here.
; further possible entries
; a LAN 192.168.240.0/24:   192.168.240.*
; Kaspersky:                kaspersky-labs.com;*.kaspersky-labs.com
; MS Messenger:             passport.com;*.passport.com
"ProxyOverride"="*.windowsupdate.com;windowsupdate.microsoft.com;*.windowsupdate.microsoft.com;wustat.microsoft.com;*.microsoft.nsatc.net;update.microsoft.com;*.update.microsoft.com;*.activex.microsoft.com;*.codecs.microsoft.com;*.c.microsoft.com;*.genuine.microsoft.com"
; Address of the proxy. The address 127.0.0.1:9 causes IE requests to go unanswered,
; so IE is effectively shut down. For local applications, however,
; IE remains usable, for example for Windows Help.
"ProxyServer"="127.0.0.1:9"

__________________
Please always post logs in CODE tags
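The .reg excerpt above works because every IE request is sent to a proxy at 127.0.0.1:9 that nobody answers, and only hosts matching the ProxyOverride list bypass that proxy. Whether a given site is still reachable therefore depends entirely on how the wildcard entries match. The script below is an added example for this thread, not part of explorer.reg or of the original post: it parses the ProxyOverride value exactly as quoted above and reports, for a hostname, whether IE would go DIRECT or into the dead proxy. The matching rules are my assumption about WinINet behaviour (entries separated by ";", "*" as a wildcard over the whole hostname, case-insensitive, and the special entry "<local>" for names without a dot); the optional registry read-back uses the per-user "Internet Settings" key and only works on Windows.

```python
import fnmatch

# Values copied from the .reg excerpt above.
PROXY_OVERRIDE = (
    "*.windowsupdate.com;windowsupdate.microsoft.com;*.windowsupdate.microsoft.com;"
    "wustat.microsoft.com;*.microsoft.nsatc.net;update.microsoft.com;*.update.microsoft.com;"
    "*.activex.microsoft.com;*.codecs.microsoft.com;*.c.microsoft.com;*.genuine.microsoft.com"
)
PROXY_SERVER = "127.0.0.1:9"


def parse_override(value):
    """Split the ';'-separated ProxyOverride value into lower-cased patterns."""
    return [e.strip().lower() for e in value.split(";") if e.strip()]


def bypasses_proxy(host, exceptions):
    """True if the host matches an exception and therefore never touches the proxy.

    Assumed semantics: '*' is a glob over the whole hostname (so '*.example.com'
    does NOT cover the bare 'example.com'), and '<local>' covers dot-less names.
    """
    host = host.strip().lower().rstrip(".")
    for pattern in exceptions:
        if pattern == "<local>":
            if "." not in host:
                return True
        elif fnmatch.fnmatchcase(host, pattern):
            return True
    return False


def route_for(host, exceptions=None, proxy=PROXY_SERVER):
    """Return 'DIRECT' or 'PROXY <addr>' for a hostname under the given exception list."""
    if exceptions is None:
        exceptions = parse_override(PROXY_OVERRIDE)
    return "DIRECT" if bypasses_proxy(host, exceptions) else f"PROXY {proxy}"


def read_live_settings():
    """Windows only: read the current per-user WinINet values (assumed key path).

    Returns None on other platforms so the rest of the script stays runnable offline.
    """
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        values = {}
        for name in ("ProxyEnable", "ProxyServer", "ProxyOverride"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None
        return values


if __name__ == "__main__":
    for h in ("update.microsoft.com", "download.windowsupdate.com",
              "windowsupdate.com", "www.example.org"):
        print(f"{h:32} -> {route_for(h)}")
    live = read_live_settings()
    if live is not None:
        print("current settings:", live)
```

Two things the output makes visible that the comment in the .reg file does not: the bare name windowsupdate.com is not covered by "*.windowsupdate.com", and any host outside Microsoft's listed domains (including local intranet names, since "<local>" is not in the list) ends up at the dead proxy.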
