
Pests of all kinds and their removal: Multiple Trojan findings after fake Facebook message


31.01.2013, 19:30   #1
Mieserwitz
 



Hello,

after a fake message on Facebook in which a link was clicked, I found the following Trojan on my acquaintance's PC using AVG:

Generic31.AGPQ in the file c:\Windows\atiesrxx.exe and in two further files in the Downloads folder whose file names were the names of Facebook friends (the extension was .exe).


Here is OTL.txt:
OTL Logfile:
Code:
OTL logfile created on: 1/31/2013 6:39:03 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.01 Gb Available Physical Memory | 67.00% Memory free
6.00 Gb Paging File | 4.67 Gb Available in Paging File | 77.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 890.41 Gb Total Space | 840.97 Gb Free Space | 94.45% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 23.52 Gb Free Space | 58.80% Space Free | Partition Type: NTFS
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/01/31 18:36:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Downloads\OTL.exe
PRC - [2013/01/31 18:07:09 | 000,232,784 | ---- | M] (Doctor Web, Ltd.) -- C:\Users\***\AppData\Local\Temp\125F70E-BDE74CAF-65D9CC0-37920445\snyomynx.exe
PRC - [2013/01/30 13:21:08 | 001,101,488 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2013/01/30 13:21:08 | 000,945,328 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe
PRC - [2012/12/11 03:52:44 | 003,147,384 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgui.exe
PRC - [2012/11/23 03:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/11/15 23:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgidsagent.exe
PRC - [2012/10/30 04:59:56 | 000,726,648 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
PRC - [2012/10/22 13:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe
PRC - [2012/10/22 13:04:32 | 001,116,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgnsx.exe
PRC - [2012/10/22 13:03:52 | 000,796,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgemcx.exe
PRC - [2012/10/22 13:03:46 | 000,440,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgcsrvx.exe
PRC - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/02/25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/10 17:45:16 | 000,222,496 | ---- | M] (Acresso Corporation) -- C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
PRC - [2011/02/09 16:46:42 | 000,296,808 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Common Files\Nuance\dgnsvc.exe
PRC - [2010/11/05 10:28:14 | 000,083,248 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
PRC - [2010/05/27 17:59:54 | 000,376,832 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010/05/27 17:59:30 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/03/04 04:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/03/04 04:16:04 | 000,284,696 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2009/11/02 22:21:26 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/07/14 02:14:41 | 000,354,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\StikyNot.exe
PRC - [2007/07/24 10:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/01/30 13:21:08 | 001,101,488 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2013/01/30 13:21:08 | 000,156,848 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\SiteSafety.dll
MOD - [2013/01/10 08:48:09 | 000,452,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\f7cb3ae5de64f8cbde3ccc57c780743a\IAStorUtil.ni.dll
MOD - [2013/01/10 08:44:45 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0ac577a8ad6528ff03b50db5eeeac8be\System.Web.ni.dll
MOD - [2013/01/10 08:44:40 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
MOD - [2013/01/10 08:44:16 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\865d2bf19a7af7fab8660a42d92550fe\System.Windows.Forms.ni.dll
MOD - [2013/01/10 08:44:10 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MOD - [2013/01/10 08:43:59 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll
MOD - [2013/01/10 08:43:54 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013/01/10 08:43:51 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MOD - [2013/01/10 08:43:50 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013/01/10 08:43:44 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2010/11/13 01:02:22 | 000,434,176 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_de_b77a5c561934e089\System.Windows.Forms.resources.dll
MOD - [2010/11/13 01:02:21 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2010/05/27 20:40:48 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010/05/12 14:12:47 | 000,032,768 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll
MOD - [2009/11/02 22:23:36 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/11/02 22:20:10 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/01/30 13:21:08 | 000,945,328 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe -- (vToolbarUpdater14.0.1)
SRV - [2013/01/24 15:28:29 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/01/09 16:27:15 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/11/15 23:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/10/22 13:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
SRV - [2011/11/10 14:17:31 | 000,167,264 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/10/26 19:10:27 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/05/26 13:34:34 | 000,191,752 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/03/10 19:57:04 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2011/02/09 16:46:42 | 000,296,808 | ---- | M] (Nuance Communications, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Nuance\dgnsvc.exe -- (DragonSvc)
SRV - [2010/11/05 10:28:14 | 000,083,248 | ---- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Sybase\SQL Anywhere 9\win32\dbsrv9.exe -- (Lexware_Datenbank_Plus)
SRV - [2010/05/27 17:59:30 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/03/04 04:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV - [2007/07/24 10:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | Disabled | Unknown] -- system32\DRIVERS\avgfwd6x.sys -- (Avgfwfd)
DRV - [2013/01/30 13:21:08 | 000,031,576 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2012/11/15 23:33:26 | 000,094,048 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2012/10/22 13:02:46 | 000,179,936 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2012/10/15 03:48:52 | 000,055,776 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/10/02 03:30:38 | 000,159,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/09/21 03:46:06 | 000,164,832 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/09/21 03:46:00 | 000,177,376 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avglogx.sys -- (Avglogx)
DRV - [2012/09/21 03:45:54 | 000,019,936 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2012/09/14 03:05:20 | 000,035,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/10/15 12:55:17 | 000,101,248 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmaudio.sys -- (avmaudio)
DRV - [2011/10/01 08:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 08:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 08:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 08:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2010/11/20 13:30:18 | 000,296,064 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcvmm.sys -- (vpcvmm)
DRV - [2010/11/20 13:30:18 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpchbus.sys -- (vpcbus)
DRV - [2010/11/20 11:50:40 | 000,078,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpcusb.sys -- (vpcusb)
DRV - [2010/11/20 11:50:38 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2010/05/27 18:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/05/27 17:25:18 | 000,209,920 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/05/06 10:21:42 | 000,108,560 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/11/09 12:54:10 | 000,067,072 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SPR3322K.sys -- (SPR3322K)
DRV - [2009/09/22 14:34:44 | 000,579,072 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2009/07/14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://medion.msn.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://medion.msn.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aldi.com
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{2362EC39-B5C9-42D8-8349-ACD7AE13B0B2}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={2EEEF787-ECC1-4418-8BF0-779390D481E5}&mid=e7cbdd7d235f436b8085385d8aa7323f-7b7899ad2a16f407f9f03a99c48ec43e8ff1a36f&lang=de&ds=AVG&pr=fr&d=2013-01-28 13:53:23&v=14.0.2.14&pid=avg&sg=&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{AC78E30B-0392-45DD-86A6-F7C740103B67}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=83D10A0D-0F95-4CDF-9832-172B6DA59AA5&apn_sauid=1CDDF3B6-FF10-4F24-B7F8-9F46334B5476
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://isearch.avg.com/?cid={2EEEF787-ECC1-4418-8BF0-779390D481E5}&mid=e7cbdd7d235f436b8085385d8aa7323f-7b7899ad2a16f407f9f03a99c48ec43e8ff1a36f&lang=de&ds=AVG&pr=fr&d=2013-01-28 13:53:23&v=14.0.2.14&pid=avg&sg=&sap=hp"
FF - prefs.js..extensions.enabledAddons: adblockpopups%40jessehakanen.net:0.5
FF - prefs.js..extensions.enabledAddons: toolbar%40web.de:2.4
FF - prefs.js..extensions.enabledAddons: avg%40toolbar:14.0.2.14
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.2163
FF - prefs.js..extensions.enabledItems: avg@toolbar:11.1.0.7
FF - prefs.js..extensions.enabledItems: {F53C93F1-07D5-430c-86D4-C9531B27DFAF}:12.0.0.2166
FF - prefs.js..keyword.URL: "hxxp://isearch.avg.com/search?cid={2EEEF787-ECC1-4418-8BF0-779390D481E5}&mid=e7cbdd7d235f436b8085385d8aa7323f-7b7899ad2a16f407f9f03a99c48ec43e8ff1a36f&lang=de&ds=AVG&pr=fr&d=2013-01-28 13:53:23&pid=avg&sg=&v=14.0.2.14&sap=ku&q="
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\FireFoxExt\14.0.2.14 [2013/01/30 13:21:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/24 15:28:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/24 15:28:27 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/24 15:28:29 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/24 15:28:27 | 000,000,000 | ---D | M]
 
[2010/10/14 17:18:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2013/01/31 18:35:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\z14vsxa8.default\extensions
[2013/01/31 18:35:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\z14vsxa8.default\extensions\staged
[2012/11/16 13:06:24 | 000,124,993 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\extensions\adblockpopups@jessehakanen.net.xpi
[2013/01/17 16:25:56 | 000,538,938 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\extensions\toolbar@web.de.xpi
[2013/01/31 18:35:23 | 000,130,828 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\extensions\staged\adblockpopups@jessehakanen.net.xpi
[2013/01/17 16:25:58 | 000,000,911 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\searchplugins\11-suche.xml
[2012/11/13 12:54:18 | 000,002,308 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\searchplugins\askcom.xml
[2013/01/17 16:25:58 | 000,002,273 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\searchplugins\englische-ergebnisse.xml
[2013/01/17 16:25:58 | 000,010,563 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\searchplugins\gmx-suche.xml
[2013/01/17 16:25:58 | 000,002,432 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\searchplugins\lastminute.xml
[2013/01/17 16:25:58 | 000,005,545 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\z14vsxa8.default\searchplugins\webde-suche.xml
[2013/01/24 15:28:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions
[2013/01/30 13:21:32 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\PROGRAMDATA\AVG SECURE SEARCH\FIREFOXEXT\14.0.2.14
[2013/01/24 15:28:29 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/06/01 17:33:00 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2013/01/30 13:21:08 | 000,003,592 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/09/03 18:37:19 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/01 17:33:00 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012/06/01 17:33:00 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/06/01 17:33:00 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/06/01 17:33:00 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll File not found
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CDIWTSEnabler] C:\Program Files\Cherry\CDI\cdiwtsclient.vbs ()
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKCU..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Acresso Corporation)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 10.11.2)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 10.11.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EF3F26A8-CAA2-45C6-9B8B-7AC9D5B5A0FF}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Autostart.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/01/31 18:08:08 | 000,000,000 | ---D | C] -- C:\Users\***\Doctor Web
[2013/01/28 13:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\AVG Secure Search
[2013/01/24 15:28:26 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/01/11 09:52:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
 
========== Files - Modified Within 30 Days ==========
 
[2013/01/31 18:37:50 | 000,000,000 | ---- | M] () -- C:\Users\***\defogger_reenable
[2013/01/31 18:27:13 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/01/31 18:04:44 | 110,453,952 | ---- | M] () -- C:\Users\***\Desktop\1ygvpjsh.exe
[2013/01/31 15:28:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/01/31 13:48:27 | 000,007,498 | ---- | M] () -- C:\Users\***\Desktop\r-berlog.pdf
[2013/01/31 09:00:03 | 000,010,096 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/31 09:00:03 | 000,010,096 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/31 08:57:04 | 000,666,956 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013/01/31 08:57:04 | 000,625,802 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/01/31 08:57:04 | 000,135,626 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013/01/31 08:57:04 | 000,111,182 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/01/31 08:52:50 | 000,000,342 | ---- | M] () -- C:\Windows\tasks\ROC_JAN2013_TB_rmv.job
[2013/01/31 08:52:44 | 2415,321,088 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/30 13:21:08 | 000,031,576 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
[2013/01/28 16:38:47 | 000,005,219 | ---- | M] () -- C:\Users\***\Desktop\~QGF6FF9.pdf
[2013/01/28 14:26:02 | 000,004,096 | ---- | M] () -- C:\Users\Public\Documents\000031E8.LCS
[2013/01/24 15:16:33 | 000,008,970 | ---- | M] () -- C:\Users\***\Desktop\Stundennachweis.odt
[2013/01/16 18:34:22 | 004,311,037 | ---- | M] () -- C:\Users\***\Desktop\KVBW-12-022_Verordnungsforum_Q4_2012-11_ES_final.pdf
[2013/01/14 13:29:33 | 000,001,988 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013/01/11 09:52:25 | 000,000,955 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2013.lnk
[2013/01/10 08:42:55 | 000,293,456 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
 
========== Files Created - No Company Name ==========
 
[2013/01/31 18:37:50 | 000,000,000 | ---- | C] () -- C:\Users\***\defogger_reenable
[2013/01/31 18:03:29 | 110,453,952 | ---- | C] () -- C:\Users\***\Desktop\1ygvpjsh.exe
[2013/01/31 13:48:26 | 000,007,498 | ---- | C] () -- C:\Users\***\Desktop\r-berlog.pdf
[2013/01/30 13:21:32 | 000,000,342 | ---- | C] () -- C:\Windows\tasks\ROC_JAN2013_TB_rmv.job
[2013/01/28 16:38:46 | 000,005,219 | ---- | C] () -- C:\Users\***\Desktop\~QGF6FF9.pdf
[2013/01/16 18:34:22 | 004,311,037 | ---- | C] () -- C:\Users\***\Desktop\KVBW-12-022_Verordnungsforum_Q4_2012-11_ES_final.pdf
[2011/10/15 13:50:30 | 000,001,875 | ---- | C] () -- C:\Users\***\AppData\Roaming\SAS7_000.DAT
[2011/10/11 11:46:36 | 000,000,067 | ---- | C] () -- C:\Windows\SOVDWAER.INI
[2011/05/03 13:07:51 | 018,015,255 | ---- | C] () -- C:\Users\***\LxOffice20110503_140703.zip
[2011/02/22 13:18:02 | 018,012,882 | ---- | C] () -- C:\Users\***\LxOffice20110222_131726.zip
[2011/02/14 15:37:48 | 017,753,191 | ---- | C] () -- C:\Users\***\LxOffice20110214_153702.zip
[2011/02/07 15:40:36 | 017,732,787 | ---- | C] () -- C:\Users\***\LxOffice20110207_153815.zip
[2010/11/11 13:46:42 | 000,033,134 | ---- | C] () -- C:\Users\***\AppData\Roaming\UserTile.png
[2010/10/22 09:19:33 | 000,000,017 | ---- | C] () -- C:\Users\***\AppData\Local\resmon.resmoncfg
[2010/10/20 13:47:47 | 000,000,095 | ---- | C] () -- C:\Users\***\AppData\Local\fusioncache.dat
 
========== ZeroAccess Check ==========
 
[2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2013/01/31 16:10:16 | 000,000,000 | -HSD | M] -- C:\Users\***\AppData\Roaming\.#
[2013/01/31 14:39:00 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ALDI_SUED_Mah_Jong
[2012/12/17 13:58:04 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\AVG2013
[2011/10/15 13:09:25 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FRITZ!
[2011/10/15 13:00:24 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FRITZ!fax für FRITZ!Box
[2011/01/29 16:43:31 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Lexware
[2011/10/15 13:26:19 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Nuance
[2012/04/26 11:36:27 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ProtectDISC
[2013/01/24 17:54:44 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\SoftGrid Client
[2011/10/15 14:06:05 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Softland
[2011/10/26 18:10:30 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\TeamViewer
[2011/10/15 14:20:32 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Thunderbird
[2010/10/13 19:20:34 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\TP
[2012/12/17 13:56:46 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\TuneUp Software
 
========== Purity Check ==========
 
 
 
< End of report >
The Extra.txt:
OTL Logfile:
Code:
OTL Extras logfile created on: 1/31/2013 6:39:03 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\****\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.01 Gb Available Physical Memory | 67.00% Memory free
6.00 Gb Paging File | 4.67 Gb Available in Paging File | 77.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 890.41 Gb Total Space | 840.97 Gb Free Space | 94.45% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 23.52 Gb Free Space | 58.80% Space Free | Partition Type: NTFS
 
Computer Name: ****-PC | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{137F66FA-14FD-45C7-9377-D3A7F2DACF85}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{16E4E780-8A46-4CA9-97A1-698FCAA7BF2D}" = lport=139 | protocol=6 | dir=in | app=system | 
"{266CF141-F65F-4362-B3D0-249171507C03}" = lport=445 | protocol=6 | dir=in | app=system | 
"{29498139-B5A1-4A81-9E90-F041CC04FA02}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{36624F1C-1CD2-4FCB-BDC6-8862C005461C}" = rport=137 | protocol=17 | dir=out | app=system | 
"{38F3F5D5-5426-4514-A757-A01DAAFCCF71}" = lport=137 | protocol=17 | dir=in | app=system | 
"{423DD988-C326-498F-8DD7-056BB7AF72AB}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{48A06080-B7BC-4297-BC66-7903DC16E39C}" = lport=138 | protocol=17 | dir=in | app=system | 
"{6F861FDB-EF4A-4E86-86CC-318263CAFA25}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{6FEC8F7A-B0B7-4AAD-A8AB-8E5C4FC13863}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{742909EF-10DB-4B72-84E3-B08C6E706991}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{764F3ACA-D52C-4DD9-9E71-4683526A9C44}" = rport=139 | protocol=6 | dir=out | app=system | 
"{7E603DBB-FF67-41C9-882D-AD6D7D7BCC5F}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{7F99096C-5FF6-44A6-90FC-DB147D26ACA5}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{88962BAF-2810-4DA7-ABB1-41FD7B17790E}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{AAE82D1B-4B0A-4F12-A13F-BEBAB0C7640D}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{B0BF6670-10E0-4D87-B68B-26BC388B4093}" = rport=138 | protocol=17 | dir=out | app=system | 
"{B4CD8ABD-0933-41C7-B3B4-FDEF15D394E1}" = rport=445 | protocol=6 | dir=out | app=system | 
"{CADEF6B5-6FB4-463D-B7F5-11C42B8A57CA}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D0F49B0D-F8BA-4DC1-800E-5E0C81304F11}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
"{DC74208C-43AF-4189-89E2-9CDC22756DF5}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{E45F5B5B-FFAE-4840-B113-C69DAC45A5EC}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{E998F0BB-E7B6-4DAD-AF27-E83BB796FA82}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{F12A0F0E-A69E-4C37-885B-20197486B6C0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{FFD56CD9-DFED-4796-A904-51A364A74196}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F1C2331-2A43-435C-9113-69CDDE6E4120}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | 
"{120BCDD3-5C2C-4A98-BA97-07CB684FE269}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe | 
"{1A957FED-7FA1-45B7-9826-10801107E5C6}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{1D93724F-4DD3-480D-91E1-0CE01022318E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{20B70143-09CE-4352-9637-92CEDDDBA9F9}" = protocol=6 | dir=in | app=c:\program files\cherry\egk_kvk_software\demos\readegk\readegk32.exe | 
"{32D3265E-E75D-49C6-B92C-6D737CDABCA1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{364D1FD5-8640-4693-8E13-E00AC017DECA}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe | 
"{3BEF0185-43E0-42AE-A449-696C7568ECE5}" = protocol=17 | dir=in | app=c:\program files\cherry\egk_kvk_software\demos\readegk\readegk32.exe | 
"{418D7874-E088-4644-964D-76CB60CB244A}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe | 
"{4BB7E7C9-A520-4A01-9637-D938301F8E2B}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe | 
"{58AD7180-5290-4D89-BC95-8AB8FF3768F7}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{5A379DC1-58B2-45B9-8A41-AD0B440BFAEC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{5B02C5EE-C38A-4931-B2C4-37BEDEBBFDE0}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{5F750E60-E6CF-470F-9C55-4913C5319B95}" = protocol=17 | dir=in | app=c:\program files\fritz!\igd_finder.exe | 
"{60DDE8C5-40B4-4578-8505-822077155D67}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe | 
"{643D3C46-E4A2-4615-9259-C2660B4EDCCA}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{6D609D4E-89A5-4739-AF6C-09F8BA43A2F5}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe | 
"{6DB1A28B-D251-4354-B417-A573449FF9C9}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgmfapx.exe | 
"{71FFDAD7-4305-4303-BFBD-F4B9DFA1810F}" = protocol=6 | dir=in | app=c:\users\****\appdata\local\apps\2.0\ax61t63h.nmy\7xnx04d1.558\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\fritzbox-usb-fernanschluss.exe | 
"{75B3378B-0F18-4EA5-B95D-FE94DB2684E6}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe | 
"{79B24EA9-38F9-40B2-AD1F-BCDD8668FEB3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{7BFF1CA5-BFCE-4122-8078-D4B55D2F48FB}" = protocol=6 | dir=out | app=system | 
"{80EA011D-B72E-447E-B252-7E82586ACAC7}" = protocol=6 | dir=in | app=c:\users\****\appdata\local\apps\2.0\ax61t63h.nmy\7xnx04d1.558\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\fritzbox-usb-fernanschluss.exe | 
"{8E3DDCFC-B062-4FE9-A8D7-59E6734A27D8}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgnsx.exe | 
"{90A3D0BB-2793-4FF2-AFCC-B6ACE46C263B}" = protocol=6 | dir=in | app=c:\program files\fritz!\igd_finder.exe | 
"{91564407-C0B5-43B0-985B-B4DA7FC378B5}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgdiagex.exe | 
"{92A2B092-5B51-4BE5-AD46-BC7AB296E29C}" = protocol=17 | dir=in | app=c:\users\****\appdata\local\apps\2.0\ax61t63h.nmy\7xnx04d1.558\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\fritzbox-usb-fernanschluss.exe | 
"{92E9E857-DF77-4491-B7CD-20D2DD14C52B}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgdiagex.exe | 
"{93674054-BF29-42AA-8145-A109736F020B}" = protocol=17 | dir=in | app=c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe | 
"{98EA9B5C-C1B1-4150-B250-E3C6F487DBEA}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgemcx.exe | 
"{98EF5185-5394-4A5A-8963-167402E14AA4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{99A4BC85-2A8C-45C3-AE99-E89D2D8FAD98}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe | 
"{A66424EC-8083-47BD-A897-6B832003B979}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe | 
"{A860589B-9FFE-4ADB-9530-49AC4140D396}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{AC0D89B1-5B13-4BE9-B9AB-8CBDB248AB09}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{B236DC6C-5959-4A8A-99BB-EBF408E65696}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{B7FFA839-F2AF-4AC3-9868-D9501ADB7C4B}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{BD8D5B87-A3F8-4DDD-B4FF-5F867A3345D4}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe | 
"{C17C1C59-F37D-4EE6-B169-83A5847E9C16}" = protocol=6 | dir=in | app=c:\program files\sybase\sql anywhere 9\win32\dbsrv9.exe | 
"{C4E730C9-8A8F-48E7-BDAF-8BAEE1A6197A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D0438552-187A-42DB-9CF3-EE4E97C24835}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgnsx.exe | 
"{D924BDBA-86CD-4B6F-892F-57656BB6A6EF}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe | 
"{DB098158-BBC3-4DE0-9BCA-F44F1E14A475}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{DB91E5AB-7E97-4254-8686-7ECD7B5ABD10}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{E8925792-8ECB-4886-9AFE-3C8669A671F1}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe | 
"{ED2B9F35-9A37-49FE-8AE5-822805E939D0}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgmfapx.exe | 
"{EF7F35BD-6608-4919-9643-509FB75C21DC}" = protocol=17 | dir=in | app=c:\users\****\appdata\local\apps\2.0\ax61t63h.nmy\7xnx04d1.558\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\fritzbox-usb-fernanschluss.exe | 
"{FC2997FD-70A5-432B-AE70-00FD9FFC050F}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgemcx.exe | 
"{FF2CE0AE-BFC0-41F3-9EF8-069CF9378D47}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"TCP Query User{26012E34-5E37-48DA-ACDF-7101131801A9}C:\program files\fritz!\frifax32.exe" = protocol=6 | dir=in | app=c:\program files\fritz!\frifax32.exe | 
"TCP Query User{AB0F2276-D288-4D63-A49C-C7E64FAA3F2E}C:\users\****\appdata\local\temp\_istmp1.dir\_ins5576._mp" = protocol=6 | dir=in | app=c:\users\****\appdata\local\temp\_istmp1.dir\_ins5576._mp | 
"TCP Query User{AC4B17F8-6416-4455-933A-3B4BF1C3A151}C:\users\****\appdata\local\temp\_istmp1.dir\_istmp0.dir\igd_finder.exe" = protocol=6 | dir=in | app=c:\users\****\appdata\local\temp\_istmp1.dir\_istmp0.dir\igd_finder.exe | 
"TCP Query User{BFA4F929-B5B9-4B58-A402-13FD77C7148D}C:\program files\fritz!\frifax32.exe" = protocol=6 | dir=in | app=c:\program files\fritz!\frifax32.exe | 
"UDP Query User{578F92DA-2AAB-4041-89F3-05311938D13C}C:\program files\fritz!\frifax32.exe" = protocol=17 | dir=in | app=c:\program files\fritz!\frifax32.exe | 
"UDP Query User{A3C0F544-53FF-48B8-AEA1-3E5DEDD03C1B}C:\program files\fritz!\frifax32.exe" = protocol=17 | dir=in | app=c:\program files\fritz!\frifax32.exe | 
"UDP Query User{ACA78EC2-902B-4A3C-9FAA-62FAFF83B28C}C:\users\****\appdata\local\temp\_istmp1.dir\_ins5576._mp" = protocol=17 | dir=in | app=c:\users\****\appdata\local\temp\_istmp1.dir\_ins5576._mp | 
"UDP Query User{C7F40A8D-2FDA-4E8F-ABBD-5027D38BAD0B}C:\users\****\appdata\local\temp\_istmp1.dir\_istmp0.dir\igd_finder.exe" = protocol=17 | dir=in | app=c:\users\****\appdata\local\temp\_istmp1.dir\_istmp0.dir\igd_finder.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4
"_{CF0ADC18-6D8F-4353-8EAA-DF45456B7853}" = CorelDRAW Essentials 4 - Windows Shell Extension
"{005E2D03-8002-4574-A0E7-A63D3F2A033C}" = Cherry eGK/KVK Software V3.0 Build 2
"{07B62101-7EBD-434A-94B1-B38063BE5516}" = CorelDRAW Essentials 4 - PHOTO-PAINT
"{093561FF-BC54-CD42-77BD-4885F16C60B7}" = CCC Help Danish
"{0ED4216F-3540-4D6B-8199-1C8DDEA3924B}" = CorelDRAW Essentials 4 - Lang DE
"{15B2BC56-D179-4450-84B9-7A8D7F4CE1B9}" = Lexware Info Service
"{17D39326-BF2B-FCE9-DE84-58EE76F945CD}" = CCC Help French
"{19AC095C-3520-4999-AA15-93B6D0248A50}" = CorelDRAW Essentials 4 - Content
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 11
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2B286DEF-6E5C-4A86-A141-5755FE963719}" = Lernen Deutsch 3
"{2CCC5C78-20FF-478E-8B65-46B58CC5781B}" = AVG 2013
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{34A9406E-1994-4C20-AC72-04CFA2B24545}" = CorelDRAW Essentials 4 - Lang EN
"{3576C335-958D-4D60-A812-F68F9A2796AF}" = CorelDRAW Essentials 4 - Lang IT
"{360D1835-8BFC-445E-BFF3-1AF81B86576B}" = Lernen Deutsch 2
"{37BC8FCE-15B1-456E-A62C-EEB175B71340}" = Lexware reisekosten plus 2011
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A4940D6-418E-867B-F214-2B0C58E7961D}" = CCC Help Swedish
"{4A5A427F-BA39-4BF0-9999-9A47FBE60C9F}" = Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5500BB35-1C21-4328-9F16-F894B860FADE}" = CorelDRAW Essentials 4 - Lang NL
"{586509F0-350D-48B5-B763-9CC2F8D96C4C}" = Windows Live Sync
"{701BDB1B-8D00-8C67-6F64-BDD3B58EC827}" = CCC Help Norwegian
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{731E713B-C13E-4527-B624-8A6DF2D33DAF}" = AVG 2013
"{76DDC618-7658-4A65-ADBF-0D362281FC2F}" = MA33 Software 2.11.4
"{76E852ED-1B06-4BC8-9D6A-625DB95FB7E5}" = CorelDRAW Essentials 4 - IPM - No VBA
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{814080A4-2988-456E-A7B9-D0074D76C72D}" = MA33 Software 2.11.4
"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie
"{89196F9A-2E0B-4197-A3DF-6EF78731EB35}" = Lexware online banking
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8DBBABF7-15C7-4B1A-AE40-E95D3DB8EBCC}" = Fresh Minder 2
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90140000-006D-0407-0000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010
"{90140011-0066-0407-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - Deutsch
"{9043B9A0-9505-405B-8202-E7167A38A89C}" = CorelDRAW Essentials 4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{96681F3F-BD3E-4871-A47C-7065888C01D1}" = MAICO Datenbank 2.24
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker
"{AB770FDE-8087-4C98-9A85-BD64262C104C}" = Medion Home Cinema
"{ABD8B955-1C69-4AF3-949B-13CD587C175F}" = CorelDRAW Essentials 4 - Lang BR
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.5.3 MUI
"{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B355AD55-ED88-4A46-015D-51AAD00EB57D}" = CCC Help Japanese
"{B95FB6E3-8373-52BC-C824-8DDB1D6DD049}" = CCC Help Dutch
"{B9FA9F15-A1F3-4DB1-AD49-0B9351843FAA}" = CorelDRAW Essentials 4 - Draw
"{BA9319FE-BCEF-4C99-8039-F464648D046E}" = CorelDRAW Essentials 4 - Lang FR
"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BE4AE3A7-190D-BCB8-A953-A708C9E8E8AA}" = ATI Catalyst Install Manager
"{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4 - ICA
"{C09C15F5-DDB7-3820-CF1A-798051174EC7}" = CCC Help Italian
"{C2214950-8342-4878-1286-31D0F07FDC34}" = Catalyst Control Center Localization All
"{C39F6C00-142E-48AC-633F-15E6AA7E24D8}" = Catalyst Control Center Graphics Previews Vista
"{C47D990B-5D5C-B6A6-A04D-676379D39170}" = CCC Help English
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{C682F3F0-00A6-4379-B083-4F3273624D7B}" = CorelDRAW Essentials 4 - Lang ES
"{C7105B49-9E6E-C93C-74E6-858B0863F604}" = Catalyst Control Center InstallProxy
"{C88196BE-31A0-456B-9756-16B06E294AFF}" = Lernen Deutsch 1
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CF0ADC18-6D8F-4353-8EAA-DF45456B7853}" = CorelDRAW Essentials 4 - Windows Shell Extension
"{CF52C7EA-BDEF-A58F-6F33-0431076766C8}" = ccc-utility
"{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
"{D34A78EB-78F2-48ab-8CAE-5D4DC255A491}" = Lexware reisekosten plus 2011
"{D7C7EA35-4C51-F874-3AB7-95DC40DDA494}" = CCC Help German
"{D81845B4-5239-AD56-39A5-9FCFE528330F}" = ccc-core-static
"{DAF15921-FA90-4427-82A2-1852A9BAC99A}" = Lexware Datenbank plus 2011
"{DFD284CD-501F-B36C-67D9-05D4D7D590AB}" = CCC Help Spanish
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EAC1A606-1D31-AC37-90DD-5684A6E7D2E8}" = CCC Help Finnish
"{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}" = Dragon NaturallySpeaking 11
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F16841F6-5F0F-4DBE-B318-63CEB916F21D}" = CorelDRAW Essentials 4 - Filters
"{F6A6DFF9-F71C-4BA6-B437-F18872866D3D}" = Bing Bar
"{F6D9F1D2-7256-43D2-888F-AE3404E89A89}" = Lernen Deutsch 4
"{F8151A23-1B3D-4D6E-9904-30D279AABB47}" = Stadtrallye
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ALDI SÜD Mah Jong" = ALDI SÜD Mah Jong
"AVG" = AVG 2013
"AVG Secure Search" = AVG Security Toolbar
"Diktattrainer plus 3-4_is1" = Diktattrainer plus 3-4
"doPDF 7 printer_is1" = doPDF 7.2 printer
"freddyDeutsch56" = Freddy:Deutsch5/Deutsch6
"FRITZ! 2.0" = AVM FRITZ!fax für FRITZ!Box
"GUT1 Demoversion" = GUT1 , Demoversion 2012
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"InstallShield_{AB770FDE-8087-4C98-9A85-BD64262C104C}" = Medion Home Cinema
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"InstallShield_{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 18.0.1 (x86 de)" = Mozilla Firefox 18.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.Click2Run" = Microsoft Office Klick-und-Los 2010
"PC-Kids Deutsch 1_is1" = PC-Kids Deutsch 1
"PC-Kids Deutsch 2_is1" = PC-Kids Deutsch 2
"PC-Kids Deutsch 3_is1" = PC-Kids Deutsch 3
"PC-Kids Deutsch 4_is1" = PC-Kids Deutsch 4
"QuickTime" = QuickTime
"WinLiveSuite_Wave3" = Windows Live Essentials
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f018cf21c0452c64" = AVM FRITZ!Box USB-Fernanschluss
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 12/20/2012 4:01:07 AM | Computer Name = ****-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe_LanmanServer, Version:
6.1.7600.16385, Zeitstempel: 0x4a5bc100 Name des fehlerhaften Moduls: unknown, Version:
0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000000
ID
des fehlerhaften Prozesses: 0x51c Startzeit der fehlerhaften Anwendung: 0x01cdde881dadec80
Pfad
der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe Pfad des fehlerhaften
Moduls: unknown Berichtskennung: 682447d7-4a7b-11e2-9296-6c626d5cf51d
 
Error - 12/21/2012 9:44:05 AM | Computer Name = ****-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: AcroRd32.exe, Version: 9.5.2.295,
Zeitstempel: 0x5017c048 Name des fehlerhaften Moduls: MSVCR80.dll, Version: 8.0.50727.6195,
Zeitstempel: 0x4dcddbf3 Ausnahmecode: 0x40000015 Fehleroffset: 0x000046b4 ID des fehlerhaften
Prozesses: 0x848 Startzeit der fehlerhaften Anwendung: 0x01cddf813ab073b1 Pfad der
fehlerhaften Anwendung: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Pfad
des fehlerhaften Moduls: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll
Berichtskennung:
7c0371c0-4b74-11e2-91cc-6c626d5cf51d
 
Error - 12/22/2012 4:01:38 AM | Computer Name = ****-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: AcroRd32.exe, Version: 9.5.2.295,
Zeitstempel: 0x5017c048 Name des fehlerhaften Moduls: MSVCR80.dll, Version: 8.0.50727.6195,
Zeitstempel: 0x4dcddbf3 Ausnahmecode: 0x40000015 Fehleroffset: 0x000046b4 ID des fehlerhaften
Prozesses: 0x10d8 Startzeit der fehlerhaften Anwendung: 0x01cde01a8e8128d5 Pfad der
fehlerhaften Anwendung: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Pfad
des fehlerhaften Moduls: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll
Berichtskennung:
cf919f9c-4c0d-11e2-ad29-6c626d5cf51d
 
Error - 1/4/2013 9:15:12 AM | Computer Name = ****-PC | Source = Windows Backup | ID = 4103
Description = 
 
Error - 1/7/2013 8:24:49 AM | Computer Name = ****-PC | Source = Windows Backup | ID = 4103
Description = 
 
Error - 1/8/2013 4:15:52 AM | Computer Name = ****-PC | Source = CVHSVC | ID = 100
Description = Nur zur Information. Error: BITS connection error Type: 150::InternetConnectionFailure.
 
 
Error - 1/14/2013 8:41:11 AM | Computer Name = ****-PC | Source = Windows Backup | ID = 4103
Description = 
 
Error - 1/17/2013 10:12:43 AM | Computer Name = ****-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: AcroRd32.exe, Version: 9.5.3.305,
Zeitstempel: 0x50d1d170 Name des fehlerhaften Moduls: MSVCR80.dll, Version: 8.0.50727.6195,
Zeitstempel: 0x4dcddbf3 Ausnahmecode: 0x40000015 Fehleroffset: 0x000046b4 ID des fehlerhaften
Prozesses: 0xb98 Startzeit der fehlerhaften Anwendung: 0x01cdf4bcb38782c3 Pfad der
fehlerhaften Anwendung: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Pfad
des fehlerhaften Moduls: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll
Berichtskennung:
f528049e-60af-11e2-9745-6c626d5cf51d
 
Error - 1/22/2013 4:13:16 AM | Computer Name = ****-PC | Source = Windows Backup | ID = 4103
Description = 
 
Error - 1/28/2013 8:27:08 AM | Computer Name = ****-PC | Source = Windows Backup | ID = 4103
Description = 
 
 
< End of report >
and the gmer.txt:

GMER Logfile:
Code:
GMER 2.0.18454 - hxxp://www.gmer.net
Rootkit scan 2013-01-31 19:11:37
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JP4O 931,51GB
Running: gmer_2.0.18454.exe; Driver: C:\Users\****\AppData\Local\Temp\fwlirfow.sys
 
 
---- System - GMER 2.0 ----
 
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwAllocateVirtualMemory [0xA0F18E18]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwCreateThread [0xA0F1B04C]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwCreateThreadEx [0xA0F1B188]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwFreeVirtualMemory [0xA0F19196]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x91A4C14A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x91A4C21A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x91A4BD7C]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwQueueApcThread [0xA0F1B1DE]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwQueueApcThreadEx [0xA0F1B22E]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwSetContextThread [0xA0F1B27E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendProcess [0x91A4BF6A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendThread [0x91A4C000]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x91A4BE32]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x91A4BECE]
SSDT \??\C:\Users\****\AppData\Local\Temp\16AFCA8390.sys ZwWriteVirtualMemory [0xA0F192DA]
 
---- Kernel code sections - GMER 2.0 ----
 
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8324FA49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832894D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 83290528 4 Bytes [18, 8E, F1, A0]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 83290638 8 Bytes [4C, B0, F1, A0, 88, B1, F1, ...] {DEC ESP; MOV AL, 0xf1; MOV AL, [0xa0f1b188]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 12B3 832906E8 4 Bytes [96, 91, F1, A0]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 8329078C 8 Bytes [4A, C1, A4, 91, 1A, C2, A4, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 832907D4 4 Bytes [7C, BD, A4, 91] {JL 0xffffffbf; MOVSB ; XCHG ECX, EAX}
.text ... 
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91E31000, 0x2FBAB4, 0xE8000020]
? C:\Users\****\AppData\Local\Temp\16AFCA8390.sys The system cannot find the file specified. !
? C:\Users\****\AppData\Local\Temp\16C1CD056B.sys The system cannot find the file specified. !
 
---- User code sections - GMER 2.0 ----
 
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1108] USER32.dll!GetWindowInfo 76C04B5E 5 Bytes JMP 5885B5C8 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1108] USER32.dll!ToUnicodeEx + 71 76C12223 7 Bytes JMP 5885BB81 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateFile + 6 77D755CE 4 Bytes [28, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateFile + B 77D755D3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateKey + 6 77D7560E 4 Bytes [68, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateKey + B 77D75613 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateMutant + 6 77D7564E 4 Bytes [68, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateMutant + B 77D75653 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateSection + 6 77D756EE 4 Bytes [A8, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtCreateSection + B 77D756F3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtMapViewOfSection + B 77D75C33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenFile + 6 77D75CDE 4 Bytes [68, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenFile + B 77D75CE3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenKey + 6 77D75D0E 4 Bytes [A8, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenKey + B 77D75D13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenKeyEx + B 77D75D23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenMutant + 6 77D75D5E 4 Bytes [28, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenMutant + B 77D75D63 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcess + 6 77D75D8E 1 Byte [68]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcess + 6 77D75D8E 4 Bytes [68, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcess + B 77D75D93 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcessToken + 6 77D75D9E 1 Byte [A8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcessToken + 6 77D75D9E 4 Bytes [A8, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcessToken + B 77D75DA3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcessTokenEx + 6 77D75DAE 4 Bytes [68, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenProcessTokenEx + B 77D75DB3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenSection + B 77D75DD3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThread + 6 77D75E0E 1 Byte [28]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThread + 6 77D75E0E 4 Bytes [28, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThread + B 77D75E13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThreadToken + 6 77D75E1E 4 Bytes [28, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThreadToken + B 77D75E23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThreadTokenEx + 6 77D75E2E 4 Bytes [A8, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtOpenThreadTokenEx + B 77D75E33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtQueryAttributesFile + 6 77D75F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtQueryAttributesFile + B 77D75F43 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtQueryFullAttributesFile + B 77D75FF3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtSetInformationFile + 6 77D7663E 4 Bytes [28, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtSetInformationFile + B 77D76643 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtSetInformationThread + 6 77D7669E 1 Byte [E8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtSetInformationThread + B 77D766A3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtUnmapViewOfSection + 6 77D769BE 4 Bytes [28, 05, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ntdll.dll!NtUnmapViewOfSection + B 77D769C3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] kernel32.dll!CreateProcessW 7722204D 5 Bytes JMP 00010030 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] kernel32.dll!CreateProcessA 77222082 5 Bytes JMP 00010070 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!DeleteObject 77395F14 5 Bytes JMP 001501B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SelectObject 77396640 5 Bytes JMP 001505F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetTextColor 77396906 5 Bytes JMP 00150A30 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetBkMode 773969B1 5 Bytes JMP 001508F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!DeleteDC 77396EAA 5 Bytes JMP 00150170 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetDeviceCaps 77396F7F 5 Bytes JMP 001503B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!ExtSelectClipRgn 77397114 5 Bytes JMP 001502F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SelectClipRgn 77397242 5 Bytes JMP 001505B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetStretchBltMode 77397705 5 Bytes JMP 001506B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetCurrentObject 77397917 5 Bytes JMP 00150370 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextMetricsW 77397B8F 5 Bytes JMP 00150E30 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextAlign 77397DAF 5 Bytes JMP 00150D70 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!IntersectClipRect 77397DFE 5 Bytes JMP 001503F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!ExtTextOutW 77398192 5 Bytes JMP 00150970 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetTextAlign 7739828E 5 Bytes JMP 001509F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetClipBox 77398525 5 Bytes JMP 00150330 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!MoveToEx 77398C21 5 Bytes JMP 00150470 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!StretchDIBits 7739A53E 5 Bytes JMP 00150770 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!RestoreDC 7739A67B 5 Bytes JMP 00150530 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SaveDC 7739A74B 5 Bytes JMP 00150570 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextExtentPoint32W 7739B4B5 5 Bytes JMP 00150670 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextFaceW 7739B73A 2 Bytes JMP 00150D30 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextFaceW + 3 7739B73D 2 Bytes [DB, 88]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetFontData 7739BCC4 5 Bytes JMP 00150C70 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetWorldTransform 7739C90A 5 Bytes JMP 001506F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!CreateDCA 7739CCA9 5 Bytes JMP 001500B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!CreateDCW 7739CF79 5 Bytes JMP 001500F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!CreateICW 7739CFD0 5 Bytes JMP 00150130 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextMetricsA 7739D0F2 5 Bytes JMP 00150DF0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!Rectangle 7739F1FF 5 Bytes JMP 001509B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!LineTo 7739F59B 5 Bytes JMP 00150430 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetICMMode 7739FAA4 5 Bytes JMP 00150DB0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!ExtTextOutA 773A03F9 5 Bytes JMP 00150930 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextExtentPoint32A 773A07B0 5 Bytes JMP 00150630 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!ExtEscape 773A2949 5 Bytes JMP 001502B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!Escape 773A3939 5 Bytes JMP 00150270 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetTextFaceA 773A3E6A 5 Bytes JMP 00150CF0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetPolyFillMode 773AD851 5 Bytes JMP 00150B30 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SetMiterLimit 773ADA0D 5 Bytes JMP 00150B70 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!EndPage 773B00D7 5 Bytes JMP 00150230 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!ResetDCW 773B050D 5 Bytes JMP 00150AB0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!GetGlyphOutlineW 773BC1BA 5 Bytes JMP 00150CB0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!CreateScalableFontResourceW 773BE817 5 Bytes JMP 00150BB0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!AddFontResourceW 773BEC13 5 Bytes JMP 00150BF0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!RemoveFontResourceW 773BF109 5 Bytes JMP 00150C30 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!AbortDoc 773C4C63 5 Bytes JMP 00150030 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!EndDoc 773C50AA 5 Bytes JMP 001501F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!StartPage 773C5195 5 Bytes JMP 00150730 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!StartDocW 773C5BB0 5 Bytes JMP 001507F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!BeginPath 773C635D 5 Bytes JMP 00150830 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!SelectClipPath 773C63B4 5 Bytes JMP 00150AF0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!CloseFigure 773C640F 5 Bytes JMP 00150070 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!EndPath 773C6466 5 Bytes JMP 00150A70 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!StrokePath 773C6699 5 Bytes JMP 001507B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!FillPath 773C6726 5 Bytes JMP 00150870 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!PolylineTo 773C6B94 5 Bytes JMP 001504F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!PolyBezierTo 773C6C25 5 Bytes JMP 001504B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] GDI32.dll!PolyDraw 773C6CD7 5 Bytes JMP 001508B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!ActivateKeyboardLayout 76BF8203 5 Bytes JMP 002604F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!ScreenToClient 76BFA506 7 Bytes JMP 00260670 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!RegisterClipboardFormatA 76BFC091 5 Bytes JMP 002602F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!RegisterClipboardFormatW 76BFDF8D 5 Bytes JMP 002602B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!SetCursor 76C03075 5 Bytes JMP 00260530 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!MonitorFromWindow 76C03622 7 Bytes JMP 00260630 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!PostMessageW 76C0447B 5 Bytes JMP 002605F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!IsWindowVisible 76C04D69 7 Bytes JMP 002606B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClientRect 76C054DD 7 Bytes JMP 002605B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!MapWindowPoints 76C05CAA 5 Bytes JMP 00260570 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetParent 76C06029 7 Bytes JMP 002606F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!EmptyClipboard 76C1290C 5 Bytes JMP 00260130 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!SetClipboardData 76C12962 5 Bytes JMP 00260170 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClipboardData 76C12BA7 5 Bytes JMP 00260030 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClipboardFormatNameW 76C15FD2 5 Bytes JMP 00260230 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!SetClipboardViewer 76C16FF6 5 Bytes JMP 002604B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClipboardFormatNameA 76C1700A 5 Bytes JMP 00260270 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!ChangeClipboardChain 76C2147C 5 Bytes JMP 00260430 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetTopWindow 76C224D9 7 Bytes JMP 00260730 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!CloseClipboard 76C2446C 5 Bytes JMP 002600B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!OpenClipboard 76C2447E 5 Bytes JMP 00260070 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!IsClipboardFormatAvailable 76C244FF 5 Bytes JMP 002600F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClipboardSequenceNumber 76C24513 5 Bytes JMP 00260330 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClipboardOwner 76C24525 5 Bytes JMP 00260370 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!CountClipboardFormats 76C2470A 5 Bytes JMP 002601F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!EnumClipboardFormats 76C247EC 5 Bytes JMP 002601B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetOpenClipboardWindow 76C2480B 5 Bytes JMP 002603F0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!SetCursorPos 76C3C1B0 5 Bytes JMP 00260770 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetClipboardViewer 76C54AF7 5 Bytes JMP 00260470 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] USER32.dll!GetPriorityClipboardFormat 76C54BF9 5 Bytes JMP 002603B0 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ole32.dll!OleSetClipboard 758E0045 5 Bytes JMP 00270030 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ole32.dll!OleIsCurrentClipboard 758E36B2 5 Bytes JMP 00270070 
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[1276] ole32.dll!OleGetClipboard 7590FDCD 5 Bytes JMP 002700B0 
.text C:\Program Files\Mozilla Firefox\firefox.exe[4268] ntdll.dll!LdrGetProcedureAddress + 26 77D92239 3 Bytes JMP 5869C5B0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4268] ntdll.dll!LdrGetProcedureAddress + 2A 77D9223D 3 Bytes [E0, EB, F9] {LOOPNZ 0xffffffed; STC }
.text C:\Program Files\Mozilla Firefox\firefox.exe[4268] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 7726941E 7 Bytes JMP 589E61A4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4268] kernel32.dll!QueryPerformanceCounter + 13 7726C435 7 Bytes JMP 589E61C7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4268] kernel32.dll!LoadAppInitDlls + 355 7726F4F6 7 Bytes JMP 586B544E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4268] GDI32.dll!GetViewportOrgEx + 26C 7739884B 7 Bytes JMP 589E6125 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Users\****\AppData\Local\Temp\125F70E-BDE74CAF-65D9CC0-37920445\snyomynx.exe[5448] ntdll.dll!KiUserApcDispatcher 77D76F38 5 Bytes JMP 00031EE2 
.text C:\Users\****\AppData\Local\Temp\125F70E-BDE74CAF-65D9CC0-37920445\snyomynx.exe[5448] ntdll.dll!RtlAllocateActivationContextStack + 12D 77D935D4 7 Bytes JMP 00031ED0 
.text C:\Users\****\AppData\Local\Temp\125F70E-BDE74CAF-65D9CC0-37920445\snyomynx.exe[5448] USER32.dll!NotifyWinEvent + 6AE 76C0D66C 4 Bytes [39, 13, 03, 00] {CMP [EBX], EDX; ADD EAX, [EAX]}
 
---- Registry - GMER 2.0 ----
 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????C:??????\S???m?0??????????????4?? ?????????? ??????????????? ??????????? ??????????? ??????????? ????????????????????????????????????? ??????? ????????? ??????????? ????????????????????????????????????? ??????? ?????????????????????????B-??? ???????,??????????????????????????????????????? ??????????????????????? ??????????????????????????????N????????????????????????e??16C1CD056B???(???????????????????????????????0?????s0-???????????0??s0??LegacyDriver??????N?????????????????{8ECC055D-047F-11D1-A537-0000F8753ED1}??????? ??????????????????16C1CD056B???????????????????????????0????????????4?? ?????????? ?????????????????????????????9????? ??????????? ?????9????? ??????????? ??????? ??????? ?????????9????? ??????????? ?????9????? ??????????? ??????? ??????? ???????isatap.fritz.box?nterface {0B5372EA-D400-49BE-82B5-E6A0063A77B5}????????????????????????????????????????????\??\C:\Users\****\AppData\Local\Temp\125F70E-BDE74CAF-65D9CC0-37920445\024h5pxb??\??\C:\Users\****\AppData\Local\Temp\125F70E-BDE74CA
 
---- EOF - GMER 2.0 ----
         
--- --- ---


Is the PC infected, or did everything turn out fine after all???


Thanks in advance



Mieserwitz

31.01.2013, 20:04   #2
markusg
/// Malware-holic

hi
1. Do you still have the link? If so, send it to me as a private message.
2. Open AVG and post the detections, with the full path, as text

31.01.2013, 20:47   #3
Mieserwitz

Regarding:

1. I don't know, I'll have to ask my acquaintance
2. I can only do that tomorrow, since I'm not on site at the moment

31.01.2013, 20:47   #4
markusg
/// Malware-holic

Wouldn't it have been easier if she registered here herself? Well, that's up to you :-)
__________________
-Please forward suspicious mails to us for analysis:
markusg.trojaner-board@web.de
Instructions:
http://markusg.trojaner-board.de
For now, please forward mails to markusg.trojaner-board@web.de as described in the instructions above
If you would like to support us

31.01.2013, 20:50   #5
Mieserwitz

She couldn't say anything about it right now anyway, since the PC is in her (own) practice and she is at home.


31.01.2013, 20:52   #6
markusg
/// Malware-holic

Hmm, I can't understand why anyone needs to be on Facebook with their work PC anyway. Such PCs often hold sensitive data, customer data for example, and one handles it carelessly by surfing the net on such a machine to sites that aren't necessary.
Depending on what we find, a reinstall will be necessary.

31.01.2013, 21:03   #7
Mieserwitz

I agree with you. Reinstalling isn't a problem, since a backup of her customer data exists. But first let's wait and see whether, and what, you find.

31.01.2013, 21:19   #8
markusg
/// Malware-holic

That's how it should be, have a nice evening
and give her a slap on the wrist, plus one more from me :d

01.02.2013, 17:15   #9
Mieserwitz

here is the data:


Resident Shield
Detection name;"Result";"Detection time";"Object type";"Process"
Trojan: Generic31.AGPQ, c:\Users\****\Downloads\Bernd ****.exe;"Moved to Virus Vault";"31.01.2013, 18:05:35";"File or directory";""
Trojan: Generic31.AGPQ, c:\Users\****\Downloads\Waltraud ****.exe;"Moved to Virus Vault";"31.01.2013, 18:05:36";"File or directory";""
Trojan: Generic31.AGPQ, c:\Users\****\Downloads\Bernd ****.exe;"Secured";"31.01.2013, 18:06:06";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Moved to Virus Vault";"31.01.2013, 18:08:45";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:09:17";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:11:51";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:12:23";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:19:55";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:20:33";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:23:19";"File or directory";""
Trojan: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Secured";"31.01.2013, 18:24:07";"File or directory";""


and then the Facebook message:

"You can't be serious, can you!? h**p://NSISUCCB.fb-skandal-video.de/Renate%20Scharf.exe"

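The AVG export above is a list of hits per path with a timestamp and the action taken. What a list like that does not show at a glance is how often the same path was reported after it had already been quarantined. The script below, an added example that is not part of the thread and not an AVG tool, parses the export's field layout (first field "kind: detection, path", then quoted result, time, object type and process, separated by semicolons) and groups the hits by path. The sample lines are a constructed copy that mirrors the posted export, with AVG's original German field values kept, because the parser only depends on the layout, not on the words. The threshold in recurring() and the time format are this example's own assumptions.

```python
"""Summarize AVG Resident Shield export lines by path.

Added example for triaging the log posted above; it is not part of the thread
and not an AVG tool. Assumed line layout, taken from the posted export:
  <kind>: <detection>, <path>;"<result>";"<dd.mm.yyyy, HH:MM:SS>";"<object type>";"<process>"
"""
import csv
import io
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample: the lines mirror the posted export (user names masked
# with **** as in the post); field values are left in AVG's German wording
# because the parser only depends on the field layout, not on the words.
SAMPLE_LOG = r'''Erkennungsname;"Ergebnis";"Erkennungszeit";"Objekttyp";"Prozess"
Trojaner: Generic31.AGPQ, c:\Users\****\Downloads\Bernd ****.exe;"In Virenquarantäne verschoben";"31.01.2013, 18:05:35";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Users\****\Downloads\Waltraud ****.exe;"In Virenquarantäne verschoben";"31.01.2013, 18:05:36";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Users\****\Downloads\Bernd ****.exe;"Gesichert";"31.01.2013, 18:06:06";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"In Virenquarantäne verschoben";"31.01.2013, 18:08:45";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:09:17";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:11:51";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:12:23";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:19:55";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:20:33";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:23:19";"Datei oder Verzeichnis";""
Trojaner: Generic31.AGPQ, c:\Windows\atiesrxx.exe;"Gesichert";"31.01.2013, 18:24:07";"Datei oder Verzeichnis";""
'''

# "<kind>: <detection>, <path>" -- the detection name carries no ", ", the path may.
FIRST_FIELD = re.compile(r"^(?P<kind>[^:]+): (?P<name>.+?), (?P<path>.+)$")
TIME_FMT = "%d.%m.%Y, %H:%M:%S"


def parse_avg_log(text):
    """Yield one dict per detection line; the header line does not match and is skipped."""
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 3:
            continue
        m = FIRST_FIELD.match(row[0])
        if not m:
            continue
        yield {
            "kind": m["kind"],
            "name": m["name"],
            "path": m["path"].lower(),  # NTFS paths are case-insensitive; normalise for grouping
            "result": row[1],
            "time": datetime.strptime(row[2], TIME_FMT),
        }


def summarize(text):
    """Group hits by path: how often, over which time window, and with which results."""
    summary = OrderedDict()
    for ev in parse_avg_log(text):
        s = summary.setdefault(ev["path"], {
            "name": ev["name"], "count": 0,
            "first": ev["time"], "last": ev["time"], "results": [],
        })
        s["count"] += 1
        s["first"] = min(s["first"], ev["time"])
        s["last"] = max(s["last"], ev["time"])
        s["results"].append(ev["result"])
    return summary


def recurring(summary, min_hits=3):
    """Paths that keep being reported after the first quarantine action.

    A one-off download is hit once or twice (vault, then secured).  A path that
    is reported again and again over a quarter of an hour is being recreated by
    something that is still running, which is the question to settle before
    choosing between cleanup and a rebuild.
    """
    return [p for p, s in summary.items() if s["count"] >= min_hits]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for path, s in summary.items():
        minutes = (s["last"] - s["first"]).total_seconds() / 60
        print(f"{s['count']:2d}x {s['name']:<16} {path}  ({minutes:.0f} min window)")
    print("recurring:", recurring(summary))
```

Run as-is it prints one line per path; on the sample the two files in Downloads are reported once or twice each, while c:\Windows\atiesrxx.exe is reported eight times within about fifteen minutes and is the only path recurring() returns.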
02.02.2013, 19:29   #10
markusg
/// Malware-holic

Why are the file names written with ***?
Since this is a company PC, I do recommend a rebuild:
1. Data rescue:
2. Format, reinstall Windows:
3. Secure the PC: http://www.trojaner-board.de/96344-a...-rechners.html
I will also post further points on that.
4. Change all passwords!
5. After securing the PC, check the rescued data and, if clean, restore it.
6. Then I'll also say something about securing online banking with a chip card reader + StarMoney.
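Step 5 of the procedure above, checking the rescued data before it goes back onto the rebuilt system, is the step most often skipped. The files that started this thread were "Firstname Lastname.exe" in the Downloads folder, and that kind of file travels along with a data backup unless someone looks. The script below is an added example, not part of the thread and not one of the board's tools: it walks a backup tree and flags files that are executable by extension, that use a "document.ext.exe" double extension, or that carry a Windows PE header under a data extension (a renamed executable survives a by-name check). The extension lists and the sample tree, with placeholder contents and made-up names, are this example's own assumptions.

```python
"""Flag executable content in a rescued-data tree before it is restored.

Added example for step 5 of the rebuild procedure above (check the backed-up
data, restore only if clean); it is not part of the thread.  The check looks
at the extension *and* the file header, because a PE renamed to .jpg, or a
"Rechnung.pdf.exe" double extension, slips past a by-name-only look.  The
extension lists below are this example's own assumptions, not a standard.
"""
import os
import re
import tempfile

# File types that can run when double-clicked; none of them belong in a data backup.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".jse", ".wsf", ".hta", ".lnk", ".dll"}
# Types the user expects to be documents; a PE header inside one is the real alarm.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
                       ".png", ".txt", ".csv"}
# "<name>.<document ext>.<something>" -- the lure pattern, e.g. Rechnung.pdf.exe
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{2,4}$", re.I)


def is_pe(path):
    """True if the file starts with the 'MZ' DOS stub that every Windows PE image carries."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def classify(path):
    """Reasons a file must not be restored untouched; an empty list means it looks like data."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    if DOUBLE_EXT.search(name) and ext not in DOCUMENT_EXTENSIONS:
        reasons.append("double extension")
    if ext not in EXEC_EXTENSIONS and is_pe(path):
        reasons.append("PE header under a data extension")
    return reasons


def scan_backup(root):
    """Walk the tree; return {relative path: [reasons]} for every flagged file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                flagged[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return flagged


def make_sample_backup(root):
    """Constructed sample tree: one document, the 'Firstname Lastname.exe' kind of
    file the post describes, a double-extension file, a PE renamed to .jpg, and a
    genuine-looking JPEG.  The 'PE' files carry only the MZ header, no real code."""
    os.makedirs(os.path.join(root, "Downloads"), exist_ok=True)
    samples = {
        "Kunden.xlsx": b"PK\x03\x04 placeholder for a zip-based document",
        "Downloads/Bernd Muster.exe": b"MZ\x90\x00 placeholder",
        "Downloads/Rechnung.pdf.exe": b"MZ\x90\x00 placeholder",
        "Downloads/urlaub.jpg": b"MZ\x90\x00 placeholder, renamed",
        "Downloads/echt.jpg": b"\xff\xd8\xff\xe0 JFIF placeholder",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_backup(tmp)
        return scan_backup(tmp)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

On the sample tree the spreadsheet and the real JPEG pass, the two .exe files are flagged by extension (the invoice also as a double extension), and the renamed executable is caught only by its header. A file this check flags is not proof of infection, but it should be scanned or discarded rather than copied back, and a backup of customer data has no business containing executables in the first place.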

03.02.2013, 12:27   #11
Mieserwitz

The files are marked with **** because they were full names.
Quote:
two more files in the Downloads folder whose file names were the names of Facebook friends (the extension was .exe).
A reinstall just because it's a "company PC"? Or did you find anything?

04.02.2013, 11:21   #12
markusg
/// Malware-holic

hi
Because this malware can steal data, and this is a company PC, exactly.
As a company, one should after all have the standard of storing important data on a clean system;
that's also why a company has regular backups, so that in the event of malware no time is lost and the backup is restored straight away.

    Plagegeister aller Art und deren Bekämpfung - 16.03.2010 (3)

Zum Thema Mehrere Trojanerfunde nach Fake Facebook Nachricht - Hallo, nach einer Fake Nachricht auf Facebook in der ein Link angeklickt wurde, habe ich auf dem PC meiner Bekannten mit AVG folgenden Trojaner gefunden: Generic31.AGPQ in der Datei c:\Windows\atiesrxx.exe - Mehrere Trojanerfunde nach Fake Facebook Nachricht...
Archiv
Du betrachtest: Mehrere Trojanerfunde nach Fake Facebook Nachricht auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.