
Pests of all kinds and how to combat them: Online banking trojan

05.03.2013, 14:14   #1
hunn3s
 
Hello,
I have also received a letter from Telekom saying that I have a certain "ZeuS/Zbot" on my computer.

What do I have to do now? Reinstall, or can I get the system "clean" again?

Please help me :-(

05.03.2013, 14:15   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Hello

Do you have any logs (with detections)? Has a virus scanner ever found anything on your system?
Malwarebytes and/or other virus scanners?

The reason I ask => http://www.trojaner-board.de/125889-...tml#post941520

Please do not run any new virus scans; for now, just post the logs that already exist!





Before we get to work, I would like to ask you to read the following points completely and carefully.
  • Carefully read the instructions that I will post over the course of this thread. Ask right away if anything is unclear to you, before you start carrying out my instructions.

  • If you have problems with a step, stop there and describe the problem to me as well as you can. Sometimes a step requires the preceding one.

  • Please only run scans that a helper has asked you to run! Do not install / uninstall any software unless asked to!

  • Post the log files directly in your thread (please in CODE tags) and not as an attachment, unless you have been asked to. Logs in attachments make evaluation harder for me!

  • Please also note => Deleting log files and other requests

Note:
If you do not hear from me for three days, please report in this thread => Reminder about my thread.
Annoying "when will this continue" messages will end with your thread being closed. I, too, have a life outside the Trojaner-Board.


First, a check with OTL please:
  • Double-click OTL.exe
  • Vista users: right-click OTL.exe and choose "Run as administrator"
  • At the top center, tick the box for Scan All Users
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created
  • Post the log files here in the thread in CODE tags.

05.03.2013, 14:29   #3
hunn3s
 
Avira reports a warning. Apart from that I haven't done anything yet.

05.03.2013, 14:38   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Um, what am I supposed to do with that now?
I asked you to post all the logs; the fact that Avira popped up should be completely clear by now
__________________
"The truth is usually just an excuse for a lack of imagination." (Elim Garak)


05.03.2013, 14:44   #5
hunn3s
 
Ohhhh :-) sorry. The OTL scan is still running.

OTL Logfile:
Code:
OTL logfile created on: 05.03.2013 15:33:18 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Ruth\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,25 Gb Total Physical Memory | 2,19 Gb Available Physical Memory | 67,47% Memory free
6,71 Gb Paging File | 5,67 Gb Available in Paging File | 84,51% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 911,52 Gb Total Space | 737,31 Gb Free Space | 80,89% Space Free | Partition Type: NTFS
Drive D: | 19,98 Gb Total Space | 9,80 Gb Free Space | 49,02% Space Free | Partition Type: FAT32
Drive I: | 3,88 Gb Total Space | 3,87 Gb Free Space | 99,72% Space Free | Partition Type: FAT32
 
Computer Name: **** | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Ruth\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Inbox Toolbar\Inbox.exe (Inbox.com, Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avcenter.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Ask.com\Updater\Updater.exe (Ask)
PRC - C:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
PRC - C:\Programme\avmwlanstick\WLanNetService.exe (AVM Berlin)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Windows\System32\PSIService.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Programme\Mozilla Firefox\mozjs.dll ()
MOD - C:\Programme\Adobe\Reader 9.0\Reader\ViewerPS.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AVM WLAN Connection Service) -- C:\Programme\avmwlanstick\WLanNetService.exe (AVM Berlin)
SRV - (odserv) -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service) -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (ProtexisLicensing) -- C:\Windows\System32\PSIService.exe ()
SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avmeject) -- C:\Windows\System32\drivers\avmeject.sys (AVM Berlin)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (netr28u) -- C:\Windows\System32\drivers\netr28u.sys (Ralink Technology Corp.)
DRV - (FWLANUSB) -- C:\Windows\System32\drivers\fwlanusb.sys (AVM GmbH)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aldi.com/
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\URLSearchHook: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Programme\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=crm&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=C22BF40B-DE36-400E-856B-06A6142E167A&apn_sauid=F0BAFD58-0AEC-4B12-9579-F42AA1B1F2EC
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC_deDE378
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1059861
IE - HKU\S-1-5-21-545296325-4284398314-600840805-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0
FF - prefs.js..keyword.URL: "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=C22BF40B-DE36-400E-856B-06A6142E167A&apn_ptnrs=U3&apn_sauid=F0BAFD58-0AEC-4B12-9579-F42AA1B1F2EC&apn_dtid=OSJ000YYDE&&q="
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_171.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.02.24 18:35:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.02.24 18:35:23 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.02.24 18:35:27 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.02.24 18:35:23 | 000,000,000 | ---D | M]
 
[2009.07.17 15:11:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ruth\AppData\Roaming\mozilla\Extensions
[2013.03.03 20:21:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ruth\AppData\Roaming\mozilla\Firefox\Profiles\sn04cg4u.default\extensions
[2013.03.03 20:21:17 | 000,000,000 | ---D | M] ("Inbox Toolbar") -- C:\Users\Ruth\AppData\Roaming\mozilla\Firefox\Profiles\sn04cg4u.default\extensions\inboxcomtoolbar@inbox.com
[2012.11.25 19:39:36 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\Ruth\AppData\Roaming\mozilla\Firefox\Profiles\sn04cg4u.default\extensions\toolbar@ask.com
[2012.11.25 19:39:36 | 000,002,308 | ---- | M] () -- C:\Users\Ruth\AppData\Roaming\mozilla\firefox\profiles\sn04cg4u.default\searchplugins\askcom.xml
[2013.02.24 18:35:22 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2013.02.24 18:35:27 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.06.24 21:39:08 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.11.07 08:31:23 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.06.24 21:39:08 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.24 21:39:08 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.24 21:39:08 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.24 21:39:08 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Wisdom-soft toolbar) - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Programme\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Wisdom-soft toolbar) - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Programme\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-21-545296325-4284398314-600840805-1000\..\Toolbar\WebBrowser: (Wisdom-soft toolbar) - {6DFC55BB-BFFF-485A-9709-90C3FDF6DB58} - C:\Programme\Wisdom-soft\tbWisd.dll (Conduit Ltd.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [InboxToolbar] C:\Program Files\Inbox Toolbar\Inbox.exe (Inbox.com, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-545296325-4284398314-600840805-1000..\Run: [{0E40E18A-4B84-AD7E-C8A1-6CABE8D94FB6}] C:\Users\Ruth\AppData\Roaming\Ewehne\kiqy.exe ()
O4 - HKU\S-1-5-21-545296325-4284398314-600840805-1000..\Run: [Feeds] C:\Windows\feeds.bat ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 File not found
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 10.9.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FD6341DC-7536-44EC-8217-3A3D0B2064A3}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Programme\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Ruth\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ruth\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{05d6999c-7225-11de-b49a-0022436bcd28}\Shell - "" = AutoRun
O33 - MountPoints2\{05d6999c-7225-11de-b49a-0022436bcd28}\Shell\AutoRun\command - "" = I:\pushinst.exe
O33 - MountPoints2\{41688aa0-7e05-11de-bb25-001f3f078489}\Shell\AutoRun\command - "" = I:\9kretct.exe
O33 - MountPoints2\{41688aa0-7e05-11de-bb25-001f3f078489}\Shell\open\Command - "" = I:\9kretct.exe
O33 - MountPoints2\{7deb485e-f7e0-11de-bb0e-001f3f078489}\Shell\AutoRun\command - "" = I:\h0.exe
O33 - MountPoints2\{7deb485e-f7e0-11de-bb0e-001f3f078489}\Shell\open\Command - "" = I:\h0.exe
O33 - MountPoints2\{813ca7de-f45f-11de-8047-001f3f078489}\Shell\AutoRun\command - "" = E:\u16sqrqn.exe
O33 - MountPoints2\{813ca7de-f45f-11de-8047-001f3f078489}\Shell\open\Command - "" = E:\u16sqrqn.exe
O33 - MountPoints2\{a011f3f1-368b-11e0-b632-001f3f078489}\Shell\¶}±Ò(&O)\command - "" = I:\RECYCLER\UcHelp.exe
O33 - MountPoints2\{a011f403-368b-11e0-b632-001f3f078489}\Shell - "" = AutoRun
O33 - MountPoints2\{a011f403-368b-11e0-b632-001f3f078489}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
O33 - MountPoints2\{d5800bde-bc14-11de-b235-001f3f078489}\Shell\AutoRun\command - "" = E:\r2g20.exe
O33 - MountPoints2\{d5800bde-bc14-11de-b235-001f3f078489}\Shell\open\Command - "" = E:\r2g20.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.03.05 15:30:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Ruth\Desktop\OTL.exe
[2013.03.03 20:21:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inbox Toolbar
[2013.03.03 20:21:15 | 000,000,000 | ---D | C] -- C:\Program Files\Inbox Toolbar
[2013.02.24 18:35:22 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
 
========== Files - Modified Within 30 Days ==========
 
[2013.03.05 15:35:00 | 000,000,408 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{103B65BD-4798-4CA0-9487-EB211B637804}.job
[2013.03.05 15:30:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Ruth\Desktop\OTL.exe
[2013.03.05 15:29:46 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.03.05 15:29:46 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.03.05 15:29:46 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.03.05 15:29:45 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.03.05 15:23:29 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.05 15:23:29 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.05 15:23:26 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.05 15:23:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.05 15:23:16 | 3487,748,096 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.04 22:27:30 | 000,002,631 | ---- | M] () -- C:\Users\Ruth\Desktop\Schreibprogramm (Word).lnk
[2013.03.04 21:22:00 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.04 21:14:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.04 13:32:24 | 000,002,735 | ---- | M] () -- C:\Users\Ruth\Desktop\Email.lnk
[2013.03.03 20:18:46 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013.03.03 20:18:46 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
 
========== Files Created - No Company Name ==========
 
[2011.11.03 16:18:32 | 000,031,007 | ---- | C] () -- C:\Users\Ruth\AppData\Roaming\UserTile.png
[2009.04.07 10:40:56 | 000,009,216 | ---- | C] () -- C:\Users\Ruth\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = shell32.dll -- [2011.01.21 16:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2011.01.21 16:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.03.03 05:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008.01.21 03:24:03 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2009.04.02 03:04:43 | 000,000,000 | ---D | M] -- C:\Users\Ruth\AppData\Roaming\Ewehne
 
========== Purity Check ==========
 
 

< End of report >
         
--- --- ---
[/code]

OTL EXTRAS Logfile:
Code:
OTL Extras logfile created on: 05.03.2013 15:33:18 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Ruth\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,25 Gb Total Physical Memory | 2,19 Gb Available Physical Memory | 67,47% Memory free
6,71 Gb Paging File | 5,67 Gb Available in Paging File | 84,51% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 911,52 Gb Total Space | 737,31 Gb Free Space | 80,89% Space Free | Partition Type: NTFS
Drive D: | 19,98 Gb Total Space | 9,80 Gb Free Space | 49,02% Space Free | Partition Type: FAT32
Drive I: | 3,88 Gb Total Space | 3,87 Gb Free Space | 99,72% Space Free | Partition Type: FAT32
 
Computer Name: **** | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
[HKEY_USERS\S-1-5-21-545296325-4284398314-600840805-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{001BEE00-47B8-4A3C-8796-1C38B49B9D0E}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{B8ACB5A6-422D-457E-A1A6-5EED1065EA63}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | 
"{E882AAA3-D43C-49CC-A0D5-00E6E2700FE0}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01D02C4C-30B8-487A-9396-1AEB431B5046}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | 
"{1164C742-4982-4BA2-99C4-629F9BA91239}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{428D2151-821C-425E-880A-56A078B4A863}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{B0F41ADA-0687-40E8-8AC8-F47E120D1EA5}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{BC47C6B8-369F-47F5-8D9C-9ADA409270BD}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{DE6D1154-E316-4912-994A-B973722999F6}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | 
"{FBF08BE8-DADA-4C52-901A-CD1DD6917ABB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{FE3CC3CF-9704-483D-A695-E0820C08F9CE}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"TCP Query User{06110145-C679-42BC-A8F0-52D569BF9B97}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe | 
"TCP Query User{582970C0-47E1-4347-A34A-AFEA8B28B8FB}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"TCP Query User{F21F7459-1877-4D7E-9EFA-70336FF132B7}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{111301A5-D432-46AA-973F-B3ACE9806F69}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{4375A983-7FA5-4E74-A1A8-C800C78E0181}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{44BDAB0F-DA11-4E7A-B200-E11567572FC9}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 12
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{47948554-90C6-4AAC-8CFA-D23CE11C1031}" = Nero 8 Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4D9C7DA3-D532-432D-A556-5F6CD186B0A5}" = DJ_AIO_03_F4200_ProductContext
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
"{62653245-3DC5-4019-AF6B-4E62D6150D9E}" = F4200_Help
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67DFCE0D-BBA9-43AC-90B3-548390ECE522}" = F4200
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call
"{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger
"{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9DBCE8C7-FE94-4D8F-9FF0-38EF3D8BC99E}" = DJ_AIO_03_F4200_Software
"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A11409F1-CD33-4076-85CB-4EE4A8439BFE}" = Scan
"{A334F1BA-0A1D-4ED6-B4F9-4066157CA15D}" = DE
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13
"{AC76BA86-7AD7-1031-7B44-A90000000001}" = Adobe Reader 9 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{AE9A67F9-ADF1-4a44-BAB5-C1DB302B37A2}" = HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
"{B29B526D-F027-4122-BC7A-D9E5BC86CC40}" = DJ_AIO_03_F4200_Software_Min
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Avira AntiVir Desktop" = Avira Free Antivirus
"AVMWLANCLI" = AVM FRITZ!WLAN
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Updater" = Google Updater
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.1.1000
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 19.0 (x86 de)" = Mozilla Firefox 19.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa2" = Picasa 2
"Shop for HP Supplies" = Shop for HP Supplies
"VLC media player" = VLC media player 2.0.4
"WinLiveSuite_Wave3" = Windows Live Essentials
"Wisdom-soft Set up ScreenHunter 5.1 Free" = Wisdom-soft Set up ScreenHunter 5.1 Free
"Wisdom-soft Toolbar" = Wisdom-soft Toolbar
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-545296325-4284398314-600840805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Ask Toolbar Updater
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 02.11.2012 07:49:27 | Computer Name = Ruth-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung FlashPlayerPlugin_11_4_402_287.exe, Version 
11.4.402.287, Zeitstempel 0x5066dda3, fehlerhaftes Modul ShimEng.dll_unloaded, Version
 0.0.0.0, Zeitstempel 0x4549bdb7, Ausnahmecode 0xc0000005, Fehleroffset 0x73454618,
Prozess-ID
 0x119c, Anwendungsstartzeit 01cdb8f01c71b1d9.
 
Error - 02.11.2012 10:02:29 | Computer Name = Ruth-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 03.11.2012 18:42:29 | Computer Name = Ruth-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 04.11.2012 08:13:02 | Computer Name = Ruth-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung HpqSRmon.exe, Version 10.0.0.202, Zeitstempel
 0x46c64b4e, fehlerhaftes Modul HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e,
 Ausnahmecode 0xc0000005, Fehleroffset 0x000032db,  Prozess-ID 0xbc0, Anwendungsstartzeit
 01cdba85bc632d50.
 
Error - 04.11.2012 08:14:35 | Computer Name = Ruth-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.11.2012 15:23:53 | Computer Name = Ruth-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung HpqSRmon.exe, Version 10.0.0.202, Zeitstempel
 0x46c64b4e, fehlerhaftes Modul HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e,
 Ausnahmecode 0xc0000005, Fehleroffset 0x000032db,  Prozess-ID 0xb30, Anwendungsstartzeit
 01cdbb8b15f3277e.
 
Error - 05.11.2012 15:25:22 | Computer Name = Ruth-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.11.2012 16:52:03 | Computer Name = Ruth-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 07.11.2012 12:22:45 | Computer Name = Ruth-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung HpqSRmon.exe, Version 10.0.0.202, Zeitstempel
 0x46c64b4e, fehlerhaftes Modul HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e,
 Ausnahmecode 0xc0000005, Fehleroffset 0x000032db,  Prozess-ID 0x83c, Anwendungsstartzeit
 01cdbd041d490b1d.
 
Error - 07.11.2012 12:24:15 | Computer Name = Ruth-PC | Source = WinMgmt | ID = 10
Description = 
 
[ OSession Events ]
Error - 18.10.2009 14:54:27 | Computer Name = Ruth-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.4518.1014, Microsoft Office Version: 12.0.6215.1000. This session lasted 23
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 18.10.2009 14:55:32 | Computer Name = Ruth-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.4518.1014, Microsoft Office Version: 12.0.6215.1000. This session lasted 42
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 18.10.2009 14:57:43 | Computer Name = Ruth-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.4518.1014, Microsoft Office Version: 12.0.6215.1000. This session lasted 103
 seconds with 60 seconds of active time.  This session ended with a crash.
 
[ System Events ]
Error - 04.03.2013 14:51:44 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 04.03.2013 16:04:23 | Computer Name = Ruth-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 04.03.2013 16:05:57 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7022
Description = 
 
Error - 04.03.2013 16:05:58 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 04.03.2013 17:27:16 | Computer Name = Ruth-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 04.03.2013 17:29:04 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7022
Description = 
 
Error - 04.03.2013 17:29:05 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 05.03.2013 10:23:23 | Computer Name = Ruth-PC | Source = HTTP | ID = 15016
Description = 
 
Error - 05.03.2013 10:25:00 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7022
Description = 
 
Error - 05.03.2013 10:25:00 | Computer Name = Ruth-PC | Source = Service Control Manager | ID = 7026
Description = 
 
 
< End of report >
         
--- --- ---

Did I do it right, or is something still missing?


Alt 05.03.2013, 15:26   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 



This is also about the Avira log!!
It's linked right there in my post for exactly that reason! Here it is once more, big and bold


Alt 05.03.2013, 15:28   #7
hunn3s
 



Here it is now :-)

Code:
Exportierte Ereignisse:

05.03.2013 15:36 [Echtzeit Scanner] Malware gefunden
      In der Datei 'C:\Users\Ruth\AppData\Roaming\Ewehne\kiqy.exe'
      wurde ein Virus oder unerwünschtes Programm 'TR/PSW.Zbot.mek' [trojan] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

24.02.2013 19:08 [Echtzeit Scanner] Malware gefunden
      In der Datei 'C:\Users\Ruth\AppData\Roaming\Ewehne\kiqy.exe'
      wurde ein Virus oder unerwünschtes Programm 'TR/PSW.Zbot.mek' [trojan] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

11.02.2013 19:21 [Echtzeit Scanner] Malware gefunden
      In der Datei 'C:\Users\Ruth\AppData\Roaming\Ewehne\kiqy.exe'
      wurde ein Virus oder unerwünschtes Programm 'TR/PSW.Zbot.mek' [trojan] gefunden.
      Ausgeführte Aktion: Zugriff verweigern

10.02.2013 09:29 [Echtzeit Scanner] Malware gefunden
      In der Datei 'C:\Users\Ruth\AppData\Local\Temp\tmp6201aaab.tmp'
      wurde ein Virus oder unerwünschtes Programm 'TR/PSW.Zbot.1903' [trojan] 
      gefunden.
      Ausgeführte Aktion: Zugriff verweigern
         

Alt 05.03.2013, 15:41   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 



Please now create and post logs with GMER (<<< click for instructions) and MBAR (instructions a bit further down).
GMER crashes fairly often; if the tool still won't run on the second attempt, just skip it and run only MBAR.

MBAR instructions:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Start mbar.exe.
  • Follow the instructions on your screen as described in the guide to Malwarebytes Anti-Rootkit.
  • Be sure to update the database and allow the tool to scan your system.
  • Click the CleanUp button and allow the restart.
  • During the restart MBAR will remove the objects it found, so be patient.
  • After the restart, start mbar.exe again.
  • If anything is found again, repeat the CleanUp process.
The tool will create a log file ( mbar-log-<year-month-day>.txt ) in the folder it created. Please post it here.

Do not start any other file in this folder without instructions from a helper.

Alt 05.03.2013, 16:11   #9
hunn3s
 



gmer:
GMER Logfile:
Code:
GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-05 17:09:15
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST310003 rev.BD15 931,51GB
Running: gmer_2.1.19155.exe; Driver: C:\Users\Ruth\AppData\Local\Temp\pwldrpow.sys


---- System - GMER 2.1 ----

SSDT     8D726D96                                                                                                              ZwCreateSection
SSDT     8D726DA0                                                                                                              ZwRequestWaitReplyPort
SSDT     8D726D9B                                                                                                              ZwSetContextThread
SSDT     8D726DA5                                                                                                              ZwSetSecurityObject
SSDT     8D726DAA                                                                                                              ZwSystemDebugControl
SSDT     8D726D37                                                                                                              ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text    ntkrnlpa.exe!KeSetTimerEx + 448                                                                                       820C8A6C 4 Bytes  [96, 6D, 72, 8D] {XCHG ESI, EAX; INS DWORD [ES:EDI], DX; JB 0xffffff91}
.text    ntkrnlpa.exe!KeSetTimerEx + 76C                                                                                       820C8D90 4 Bytes  [A0, 6D, 72, 8D]
.text    ntkrnlpa.exe!KeSetTimerEx + 7A0                                                                                       820C8DC4 4 Bytes  [9B, 6D, 72, 8D] {WAIT ; INS DWORD [ES:EDI], DX; JB 0xffffff91}
.text    ntkrnlpa.exe!KeSetTimerEx + 804                                                                                       820C8E28 4 Bytes  [A5, 6D, 72, 8D] {MOVSD ; INS DWORD [ES:EDI], DX; JB 0xffffff91}
.text    ntkrnlpa.exe!KeSetTimerEx + 84C                                                                                       820C8E70 4 Bytes  [AA, 6D, 72, 8D] {STOSB ; INS DWORD [ES:EDI], DX; JB 0xffffff91}
.text    ...                                                                                                                   
.text    C:\Windows\system32\DRIVERS\nvlddmkm.sys                                                                              section is writeable [0x8F606340, 0x411467, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text    C:\Windows\Explorer.EXE[352] ntdll.dll!LdrLoadDll                                                                     779279B3 5 Bytes  JMP 040D8946 
.text    C:\Windows\Explorer.EXE[352] ntdll.dll!NtCreateUserProcess                                                            779590A8 5 Bytes  JMP 040D87A8 
.text    C:\Windows\Explorer.EXE[352] USER32.dll!TranslateMessage                                                              77680069 5 Bytes  JMP 040D16F1 
.text    C:\Windows\Explorer.EXE[352] USER32.dll!GetClipboardData                                                              776A70B2 5 Bytes  JMP 040D1737 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!HttpSendRequestA                                                             766D0F35 5 Bytes  JMP 040CD061 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!HttpQueryInfoA                                                               766D93B9 5 Bytes  JMP 040CD8CD 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!InternetCloseHandle                                                          766DAE0B 5 Bytes  JMP 040CC5AA 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!InternetReadFile                                                             766DEE5F 5 Bytes  JMP 040CD7C0 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!HttpQueryInfoW                                                               766E3DCB 5 Bytes  JMP 040CD8F1 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!InternetQueryDataAvailable                                                   766E4773 5 Bytes  JMP 040CD832 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!HttpSendRequestExW                                                           766E62C4 5 Bytes  JMP 040CD0CA 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!InternetWriteFile                                                            766E63C3 5 Bytes  JMP 040CD24D 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!HttpSendRequestW                                                             766EBBCC 5 Bytes  JMP 040CD084 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!InternetReadFileExW                                                          766F0E54 5 Bytes  JMP 040CD80C 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!InternetReadFileExA                                                          766F0E8C 5 Bytes  JMP 040CD7E6 
.text    C:\Windows\Explorer.EXE[352] WININET.dll!HttpSendRequestExA                                                           7673B1E6 5 Bytes  JMP 040CD0A7 
.text    C:\Windows\Explorer.EXE[352] CRYPT32.dll!PFXImportCertStore                                                           75B3914C 5 Bytes  JMP 040D3357 
.text    C:\Windows\Explorer.EXE[352] Secur32.dll!DeleteSecurityContext                                                        76002ABF 5 Bytes  JMP 040F22B6 
.text    C:\Windows\Explorer.EXE[352] Secur32.dll!EncryptMessage                                                               76004BDE 5 Bytes  JMP 040F2300 
.text    C:\Windows\Explorer.EXE[352] Secur32.dll!DecryptMessage                                                               76004CAB 5 Bytes  JMP 040F2344 
.text    C:\Windows\Explorer.EXE[352] WS2_32.dll!closesocket                                                                   7617330C 5 Bytes  JMP 040D8A3F 
.text    C:\Windows\Explorer.EXE[352] WS2_32.dll!recv                                                                          7617343A 5 Bytes  JMP 040D8A96 
.text    C:\Windows\Explorer.EXE[352] WS2_32.dll!WSASend                                                                       76174496 5 Bytes  JMP 040D8C7C 
.text    C:\Windows\Explorer.EXE[352] WS2_32.dll!send                                                                          7617659B 5 Bytes  JMP 040D8C2A 
.text    C:\Windows\Explorer.EXE[352] WS2_32.dll!WSAGetOverlappedResult                                                        76178143 5 Bytes  JMP 040D8D25 
.text    C:\Windows\Explorer.EXE[352] WS2_32.dll!WSARecv                                                                       76178400 5 Bytes  JMP 040D8AEE 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] ntdll.dll!LdrLoadDll                                       779279B3 5 Bytes  JMP 00218946 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] ntdll.dll!NtCreateUserProcess                              779590A8 5 Bytes  JMP 002187A8 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] USER32.dll!TranslateMessage                                77680069 5 Bytes  JMP 002116F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] USER32.dll!GetClipboardData                                776A70B2 5 Bytes  JMP 00211737 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] Secur32.dll!DeleteSecurityContext                          76002ABF 5 Bytes  JMP 002322B6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] Secur32.dll!EncryptMessage                                 76004BDE 5 Bytes  JMP 00232300 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] Secur32.dll!DecryptMessage                                 76004CAB 5 Bytes  JMP 00232344 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WS2_32.dll!closesocket                                     7617330C 5 Bytes  JMP 00218A3F 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WS2_32.dll!recv                                            7617343A 5 Bytes  JMP 00218A96 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WS2_32.dll!WSASend                                         76174496 5 Bytes  JMP 00218C7C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WS2_32.dll!send                                            7617659B 5 Bytes  JMP 00218C2A 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WS2_32.dll!WSAGetOverlappedResult                          76178143 5 Bytes  JMP 00218D25 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WS2_32.dll!WSARecv                                         76178400 5 Bytes  JMP 00218AEE 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] CRYPT32.dll!PFXImportCertStore                             75B3914C 5 Bytes  JMP 00213357 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!HttpSendRequestA                               766D0F35 5 Bytes  JMP 0020D061 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!HttpQueryInfoA                                 766D93B9 5 Bytes  JMP 0020D8CD 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!InternetCloseHandle                            766DAE0B 5 Bytes  JMP 0020C5AA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!InternetReadFile                               766DEE5F 5 Bytes  JMP 0020D7C0 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!HttpQueryInfoW                                 766E3DCB 5 Bytes  JMP 0020D8F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!InternetQueryDataAvailable                     766E4773 5 Bytes  JMP 0020D832 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!HttpSendRequestExW                             766E62C4 5 Bytes  JMP 0020D0CA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!InternetWriteFile                              766E63C3 5 Bytes  JMP 0020D24D 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!HttpSendRequestW                               766EBBCC 5 Bytes  JMP 0020D084 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!InternetReadFileExW                            766F0E54 5 Bytes  JMP 0020D80C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!InternetReadFileExA                            766F0E8C 5 Bytes  JMP 0020D7E6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[1600] WININET.dll!HttpSendRequestExA                             7673B1E6 5 Bytes  JMP 0020D0A7 
.text    C:\Windows\system32\Dwm.exe[1996] ntdll.dll!LdrLoadDll                                                                779279B3 5 Bytes  JMP 04D68946 
.text    C:\Windows\system32\Dwm.exe[1996] ntdll.dll!NtCreateUserProcess                                                       779590A8 5 Bytes  JMP 04D687A8 
.text    C:\Windows\system32\Dwm.exe[1996] USER32.dll!TranslateMessage                                                         77680069 5 Bytes  JMP 04D616F1 
.text    C:\Windows\system32\Dwm.exe[1996] USER32.dll!GetClipboardData                                                         776A70B2 5 Bytes  JMP 04D61737 
.text    C:\Windows\system32\Dwm.exe[1996] WS2_32.dll!closesocket                                                              7617330C 5 Bytes  JMP 04D68A3F 
.text    C:\Windows\system32\Dwm.exe[1996] WS2_32.dll!recv                                                                     7617343A 5 Bytes  JMP 04D68A96 
.text    C:\Windows\system32\Dwm.exe[1996] WS2_32.dll!WSASend                                                                  76174496 5 Bytes  JMP 04D68C7C 
.text    C:\Windows\system32\Dwm.exe[1996] WS2_32.dll!send                                                                     7617659B 5 Bytes  JMP 04D68C2A 
.text    C:\Windows\system32\Dwm.exe[1996] WS2_32.dll!WSAGetOverlappedResult                                                   76178143 5 Bytes  JMP 04D68D25 
.text    C:\Windows\system32\Dwm.exe[1996] WS2_32.dll!WSARecv                                                                  76178400 5 Bytes  JMP 04D68AEE 
.text    C:\Windows\system32\Dwm.exe[1996] Secur32.dll!DeleteSecurityContext                                                   76002ABF 5 Bytes  JMP 04D822B6 
.text    C:\Windows\system32\Dwm.exe[1996] Secur32.dll!EncryptMessage                                                          76004BDE 5 Bytes  JMP 04D82300 
.text    C:\Windows\system32\Dwm.exe[1996] Secur32.dll!DecryptMessage                                                          76004CAB 5 Bytes  JMP 04D82344 
.text    C:\Windows\system32\Dwm.exe[1996] CRYPT32.dll!PFXImportCertStore                                                      75B3914C 5 Bytes  JMP 04D63357 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!HttpSendRequestA                                                        766D0F35 5 Bytes  JMP 04D5D061 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!HttpQueryInfoA                                                          766D93B9 5 Bytes  JMP 04D5D8CD 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!InternetCloseHandle                                                     766DAE0B 5 Bytes  JMP 04D5C5AA 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!InternetReadFile                                                        766DEE5F 5 Bytes  JMP 04D5D7C0 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!HttpQueryInfoW                                                          766E3DCB 5 Bytes  JMP 04D5D8F1 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!InternetQueryDataAvailable                                              766E4773 5 Bytes  JMP 04D5D832 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!HttpSendRequestExW                                                      766E62C4 5 Bytes  JMP 04D5D0CA 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!InternetWriteFile                                                       766E63C3 5 Bytes  JMP 04D5D24D 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!HttpSendRequestW                                                        766EBBCC 5 Bytes  JMP 04D5D084 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!InternetReadFileExW                                                     766F0E54 5 Bytes  JMP 04D5D80C 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!InternetReadFileExA                                                     766F0E8C 5 Bytes  JMP 04D5D7E6 
.text    C:\Windows\system32\Dwm.exe[1996] WININET.dll!HttpSendRequestExA                                                      7673B1E6 5 Bytes  JMP 04D5D0A7 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] ntdll.dll!LdrLoadDll                           779279B3 5 Bytes  JMP 01968946 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] ntdll.dll!NtCreateUserProcess                  779590A8 3 Bytes  JMP 019687A8 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] ntdll.dll!NtCreateUserProcess + 4              779590AC 1 Byte  [8A]
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] USER32.dll!TranslateMessage                    77680069 5 Bytes  JMP 019616F1 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] USER32.dll!GetClipboardData                    776A70B2 5 Bytes  JMP 01961737 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] Secur32.dll!DeleteSecurityContext              76002ABF 5 Bytes  JMP 019822B6 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] Secur32.dll!EncryptMessage                     76004BDE 5 Bytes  JMP 01982300 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] Secur32.dll!DecryptMessage                     76004CAB 5 Bytes  JMP 01982344 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WS2_32.dll!closesocket                         7617330C 5 Bytes  JMP 01968A3F 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WS2_32.dll!recv                                7617343A 5 Bytes  JMP 01968A96 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WS2_32.dll!WSASend                             76174496 5 Bytes  JMP 01968C7C 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WS2_32.dll!send                                7617659B 5 Bytes  JMP 01968C2A 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WS2_32.dll!WSAGetOverlappedResult              76178143 5 Bytes  JMP 01968D25 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WS2_32.dll!WSARecv                             76178400 5 Bytes  JMP 01968AEE 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] CRYPT32.dll!PFXImportCertStore                 75B3914C 5 Bytes  JMP 01963357 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!HttpSendRequestA                   766D0F35 5 Bytes  JMP 0195D061 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!HttpQueryInfoA                     766D93B9 5 Bytes  JMP 0195D8CD 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!InternetCloseHandle                766DAE0B 5 Bytes  JMP 0195C5AA 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!InternetReadFile                   766DEE5F 5 Bytes  JMP 0195D7C0 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!HttpQueryInfoW                     766E3DCB 5 Bytes  JMP 0195D8F1 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!InternetQueryDataAvailable         766E4773 5 Bytes  JMP 0195D832 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!HttpSendRequestExW                 766E62C4 5 Bytes  JMP 0195D0CA 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!InternetWriteFile                  766E63C3 5 Bytes  JMP 0195D24D 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!HttpSendRequestW                   766EBBCC 5 Bytes  JMP 0195D084 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!InternetReadFileExW                766F0E54 5 Bytes  JMP 0195D80C 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!InternetReadFileExA                766F0E8C 5 Bytes  JMP 0195D7E6 
.text    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2072] WININET.dll!HttpSendRequestExA                 7673B1E6 5 Bytes  JMP 0195D0A7 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] ntdll.dll!LdrLoadDll                                            779279B3 5 Bytes  JMP 02168946 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] ntdll.dll!NtCreateUserProcess                                   779590A8 5 Bytes  JMP 021687A8 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] USER32.dll!TranslateMessage                                     77680069 5 Bytes  JMP 021616F1 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] USER32.dll!GetClipboardData                                     776A70B2 5 Bytes  JMP 02161737 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] Secur32.dll!DeleteSecurityContext                               76002ABF 5 Bytes  JMP 021822B6 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] Secur32.dll!EncryptMessage                                      76004BDE 5 Bytes  JMP 02182300 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] Secur32.dll!DecryptMessage                                      76004CAB 5 Bytes  JMP 02182344 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WS2_32.dll!closesocket                                          7617330C 5 Bytes  JMP 02168A3F 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WS2_32.dll!recv                                                 7617343A 5 Bytes  JMP 02168A96 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WS2_32.dll!WSASend                                              76174496 5 Bytes  JMP 02168C7C 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WS2_32.dll!send                                                 7617659B 5 Bytes  JMP 02168C2A 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WS2_32.dll!WSAGetOverlappedResult                               76178143 5 Bytes  JMP 02168D25 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WS2_32.dll!WSARecv                                              76178400 5 Bytes  JMP 02168AEE 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] CRYPT32.dll!PFXImportCertStore                                  75B3914C 5 Bytes  JMP 02163357 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!HttpSendRequestA                                    766D0F35 5 Bytes  JMP 0215D061 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!HttpQueryInfoA                                      766D93B9 5 Bytes  JMP 0215D8CD 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!InternetCloseHandle                                 766DAE0B 5 Bytes  JMP 0215C5AA 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!InternetReadFile                                    766DEE5F 5 Bytes  JMP 0215D7C0 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!HttpQueryInfoW                                      766E3DCB 5 Bytes  JMP 0215D8F1 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!InternetQueryDataAvailable                          766E4773 5 Bytes  JMP 0215D832 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!HttpSendRequestExW                                  766E62C4 5 Bytes  JMP 0215D0CA 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!InternetWriteFile                                   766E63C3 5 Bytes  JMP 0215D24D 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!HttpSendRequestW                                    766EBBCC 5 Bytes  JMP 0215D084 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!InternetReadFileExW                                 766F0E54 5 Bytes  JMP 0215D80C 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!InternetReadFileExA                                 766F0E8C 5 Bytes  JMP 0215D7E6 
.text    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2084] WININET.dll!HttpSendRequestExA                                  7673B1E6 5 Bytes  JMP 0215D0A7 
.text    C:\Windows\System32\rundll32.exe[2128] ntdll.dll!LdrLoadDll                                                           779279B3 5 Bytes  JMP 00868946 
.text    C:\Windows\System32\rundll32.exe[2128] ntdll.dll!NtCreateUserProcess                                                  779590A8 5 Bytes  JMP 008687A8 
.text    C:\Windows\System32\rundll32.exe[2128] USER32.dll!TranslateMessage                                                    77680069 5 Bytes  JMP 008616F1 
.text    C:\Windows\System32\rundll32.exe[2128] USER32.dll!GetClipboardData                                                    776A70B2 5 Bytes  JMP 00861737 
.text    C:\Windows\System32\rundll32.exe[2128] Secur32.dll!DeleteSecurityContext                                              76002ABF 5 Bytes  JMP 008822B6 
.text    C:\Windows\System32\rundll32.exe[2128] Secur32.dll!EncryptMessage                                                     76004BDE 5 Bytes  JMP 00882300 
.text    C:\Windows\System32\rundll32.exe[2128] Secur32.dll!DecryptMessage                                                     76004CAB 5 Bytes  JMP 00882344 
.text    C:\Windows\System32\rundll32.exe[2128] WS2_32.dll!closesocket                                                         7617330C 5 Bytes  JMP 00868A3F 
.text    C:\Windows\System32\rundll32.exe[2128] WS2_32.dll!recv                                                                7617343A 5 Bytes  JMP 00868A96 
.text    C:\Windows\System32\rundll32.exe[2128] WS2_32.dll!WSASend                                                             76174496 5 Bytes  JMP 00868C7C 
.text    C:\Windows\System32\rundll32.exe[2128] WS2_32.dll!send                                                                7617659B 5 Bytes  JMP 00868C2A 
.text    C:\Windows\System32\rundll32.exe[2128] WS2_32.dll!WSAGetOverlappedResult                                              76178143 5 Bytes  JMP 00868D25 
.text    C:\Windows\System32\rundll32.exe[2128] WS2_32.dll!WSARecv                                                             76178400 5 Bytes  JMP 00868AEE 
.text    C:\Windows\System32\rundll32.exe[2128] CRYPT32.dll!PFXImportCertStore                                                 75B3914C 5 Bytes  JMP 00863357 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!HttpSendRequestA                                                   766D0F35 5 Bytes  JMP 0085D061 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!HttpQueryInfoA                                                     766D93B9 5 Bytes  JMP 0085D8CD 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!InternetCloseHandle                                                766DAE0B 5 Bytes  JMP 0085C5AA 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!InternetReadFile                                                   766DEE5F 5 Bytes  JMP 0085D7C0 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!HttpQueryInfoW                                                     766E3DCB 5 Bytes  JMP 0085D8F1 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!InternetQueryDataAvailable                                         766E4773 5 Bytes  JMP 0085D832 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!HttpSendRequestExW                                                 766E62C4 5 Bytes  JMP 0085D0CA 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!InternetWriteFile                                                  766E63C3 5 Bytes  JMP 0085D24D 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!HttpSendRequestW                                                   766EBBCC 5 Bytes  JMP 0085D084 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!InternetReadFileExW                                                766F0E54 5 Bytes  JMP 0085D80C 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!InternetReadFileExA                                                766F0E8C 5 Bytes  JMP 0085D7E6 
.text    C:\Windows\System32\rundll32.exe[2128] WININET.dll!HttpSendRequestExA                                                 7673B1E6 5 Bytes  JMP 0085D0A7 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] ntdll.dll!LdrLoadDll                               779279B3 5 Bytes  JMP 00548946 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] ntdll.dll!NtCreateUserProcess                      779590A8 5 Bytes  JMP 005487A8 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] USER32.dll!TranslateMessage                        77680069 5 Bytes  JMP 005416F1 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] USER32.dll!GetClipboardData                        776A70B2 5 Bytes  JMP 00541737 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!HttpSendRequestA                       766D0F35 5 Bytes  JMP 0053D061 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!HttpQueryInfoA                         766D93B9 5 Bytes  JMP 0053D8CD 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!InternetCloseHandle                    766DAE0B 5 Bytes  JMP 0053C5AA 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!InternetReadFile                       766DEE5F 5 Bytes  JMP 0053D7C0 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!HttpQueryInfoW                         766E3DCB 5 Bytes  JMP 0053D8F1 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!InternetQueryDataAvailable             766E4773 5 Bytes  JMP 0053D832 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!HttpSendRequestExW                     766E62C4 5 Bytes  JMP 0053D0CA 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!InternetWriteFile                      766E63C3 5 Bytes  JMP 0053D24D 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!HttpSendRequestW                       766EBBCC 5 Bytes  JMP 0053D084 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!InternetReadFileExW                    766F0E54 5 Bytes  JMP 0053D80C 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!InternetReadFileExA                    766F0E8C 5 Bytes  JMP 0053D7E6 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WININET.dll!HttpSendRequestExA                     7673B1E6 5 Bytes  JMP 0053D0A7 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] CRYPT32.dll!PFXImportCertStore                     75B3914C 5 Bytes  JMP 00543357 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] Secur32.dll!DeleteSecurityContext                  76002ABF 5 Bytes  JMP 005622B6 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] Secur32.dll!EncryptMessage                         76004BDE 5 Bytes  JMP 00562300 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] Secur32.dll!DecryptMessage                         76004CAB 5 Bytes  JMP 00562344 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WS2_32.dll!closesocket                             7617330C 5 Bytes  JMP 00548A3F 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WS2_32.dll!recv                                    7617343A 5 Bytes  JMP 00548A96 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WS2_32.dll!WSASend                                 76174496 5 Bytes  JMP 00548C7C 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WS2_32.dll!send                                    7617659B 5 Bytes  JMP 00548C2A 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WS2_32.dll!WSAGetOverlappedResult                  76178143 5 Bytes  JMP 00548D25 
.text    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2152] WS2_32.dll!WSARecv                                 76178400 5 Bytes  JMP 00548AEE 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] ntdll.dll!LdrLoadDll                                       779279B3 5 Bytes  JMP 00378946 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] ntdll.dll!NtCreateUserProcess                              779590A8 5 Bytes  JMP 003787A8 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] USER32.dll!TranslateMessage                                77680069 5 Bytes  JMP 003716F1 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] USER32.dll!GetClipboardData                                776A70B2 5 Bytes  JMP 00371737 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] Secur32.dll!DeleteSecurityContext                          76002ABF 5 Bytes  JMP 003922B6 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] Secur32.dll!EncryptMessage                                 76004BDE 5 Bytes  JMP 00392300 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] Secur32.dll!DecryptMessage                                 76004CAB 5 Bytes  JMP 00392344 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WS2_32.dll!closesocket                                     7617330C 5 Bytes  JMP 00378A3F 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WS2_32.dll!recv                                            7617343A 5 Bytes  JMP 00378A96 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WS2_32.dll!WSASend                                         76174496 5 Bytes  JMP 00378C7C 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WS2_32.dll!send                                            7617659B 5 Bytes  JMP 00378C2A 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WS2_32.dll!WSAGetOverlappedResult                          76178143 5 Bytes  JMP 00378D25 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WS2_32.dll!WSARecv                                         76178400 5 Bytes  JMP 00378AEE 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] CRYPT32.dll!PFXImportCertStore                             75B3914C 5 Bytes  JMP 00373357 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!HttpSendRequestA                               766D0F35 5 Bytes  JMP 0036D061 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!HttpQueryInfoA                                 766D93B9 5 Bytes  JMP 0036D8CD 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!InternetCloseHandle                            766DAE0B 5 Bytes  JMP 0036C5AA 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!InternetReadFile                               766DEE5F 5 Bytes  JMP 0036D7C0 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!HttpQueryInfoW                                 766E3DCB 5 Bytes  JMP 0036D8F1 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!InternetQueryDataAvailable                     766E4773 5 Bytes  JMP 0036D832 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!HttpSendRequestExW                             766E62C4 5 Bytes  JMP 0036D0CA 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!InternetWriteFile                              766E63C3 5 Bytes  JMP 0036D24D 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!HttpSendRequestW                               766EBBCC 5 Bytes  JMP 0036D084 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!InternetReadFileExW                            766F0E54 5 Bytes  JMP 0036D80C 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!InternetReadFileExA                            766F0E8C 5 Bytes  JMP 0036D7E6 
.text    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2188] WININET.dll!HttpSendRequestExA                             7673B1E6 5 Bytes  JMP 0036D0A7 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] ntdll.dll!LdrLoadDll                                                  779279B3 5 Bytes  JMP 016F8946 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] ntdll.dll!NtCreateUserProcess                                         779590A8 5 Bytes  JMP 016F87A8 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] USER32.dll!TranslateMessage                                           77680069 5 Bytes  JMP 016F16F1 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] USER32.dll!GetClipboardData                                           776A70B2 5 Bytes  JMP 016F1737 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WS2_32.dll!closesocket                                                7617330C 5 Bytes  JMP 016F8A3F 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WS2_32.dll!recv                                                       7617343A 5 Bytes  JMP 016F8A96 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WS2_32.dll!WSASend                                                    76174496 5 Bytes  JMP 016F8C7C 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WS2_32.dll!send                                                       7617659B 5 Bytes  JMP 016F8C2A 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WS2_32.dll!WSAGetOverlappedResult                                     76178143 5 Bytes  JMP 016F8D25 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WS2_32.dll!WSARecv                                                    76178400 5 Bytes  JMP 016F8AEE 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!HttpSendRequestA                                          766D0F35 5 Bytes  JMP 016ED061 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!HttpQueryInfoA                                            766D93B9 5 Bytes  JMP 016ED8CD 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!InternetCloseHandle                                       766DAE0B 5 Bytes  JMP 016EC5AA 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!InternetReadFile                                          766DEE5F 5 Bytes  JMP 016ED7C0 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!HttpQueryInfoW                                            766E3DCB 5 Bytes  JMP 016ED8F1 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!InternetQueryDataAvailable                                766E4773 5 Bytes  JMP 016ED832 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!HttpSendRequestExW                                        766E62C4 5 Bytes  JMP 016ED0CA 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!InternetWriteFile                                         766E63C3 5 Bytes  JMP 016ED24D 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!HttpSendRequestW                                          766EBBCC 5 Bytes  JMP 016ED084 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!InternetReadFileExW                                       766F0E54 5 Bytes  JMP 016ED80C 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!InternetReadFileExA                                       766F0E8C 5 Bytes  JMP 016ED7E6 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] WININET.dll!HttpSendRequestExA                                        7673B1E6 5 Bytes  JMP 016ED0A7 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] Secur32.dll!DeleteSecurityContext                                     76002ABF 5 Bytes  JMP 017122B6 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] Secur32.dll!EncryptMessage                                            76004BDE 5 Bytes  JMP 01712300 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] Secur32.dll!DecryptMessage                                            76004CAB 5 Bytes  JMP 01712344 
.text    C:\Program Files\avmwlanstick\WLanGUI.exe[2224] CRYPT32.dll!PFXImportCertStore                                        75B3914C 5 Bytes  JMP 016F3357 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] ntdll.dll!LdrLoadDll                                       779279B3 5 Bytes  JMP 01578946 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] ntdll.dll!NtCreateUserProcess                              779590A8 5 Bytes  JMP 015787A8 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] USER32.dll!TranslateMessage                                77680069 5 Bytes  JMP 015716F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] USER32.dll!GetClipboardData                                776A70B2 5 Bytes  JMP 01571737 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] Secur32.dll!DeleteSecurityContext                          76002ABF 5 Bytes  JMP 015922B6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] Secur32.dll!EncryptMessage                                 76004BDE 5 Bytes  JMP 01592300 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] Secur32.dll!DecryptMessage                                 76004CAB 5 Bytes  JMP 01592344 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WS2_32.dll!closesocket                                     7617330C 5 Bytes  JMP 01578A3F 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WS2_32.dll!recv                                            7617343A 5 Bytes  JMP 01578A96 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WS2_32.dll!WSASend                                         76174496 5 Bytes  JMP 01578C7C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WS2_32.dll!send                                            7617659B 5 Bytes  JMP 01578C2A 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WS2_32.dll!WSAGetOverlappedResult                          76178143 5 Bytes  JMP 01578D25 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WS2_32.dll!WSARecv                                         76178400 5 Bytes  JMP 01578AEE 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] CRYPT32.dll!PFXImportCertStore                             75B3914C 5 Bytes  JMP 01573357 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!HttpSendRequestA                               766D0F35 5 Bytes  JMP 0156D061 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!HttpQueryInfoA                                 766D93B9 5 Bytes  JMP 0156D8CD 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!InternetCloseHandle                            766DAE0B 5 Bytes  JMP 0156C5AA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!InternetReadFile                               766DEE5F 5 Bytes  JMP 0156D7C0 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!HttpQueryInfoW                                 766E3DCB 5 Bytes  JMP 0156D8F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!InternetQueryDataAvailable                     766E4773 5 Bytes  JMP 0156D832 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!HttpSendRequestExW                             766E62C4 5 Bytes  JMP 0156D0CA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!InternetWriteFile                              766E63C3 5 Bytes  JMP 0156D24D 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!HttpSendRequestW                               766EBBCC 5 Bytes  JMP 0156D084 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!InternetReadFileExW                            766F0E54 5 Bytes  JMP 0156D80C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!InternetReadFileExA                            766F0E8C 5 Bytes  JMP 0156D7E6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2264] WININET.dll!HttpSendRequestExA                             7673B1E6 5 Bytes  JMP 0156D0A7 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] ntdll.dll!LdrLoadDll                                 779279B3 5 Bytes  JMP 00398946 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] ntdll.dll!NtCreateUserProcess                        779590A8 5 Bytes  JMP 003987A8 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] USER32.dll!TranslateMessage                          77680069 5 Bytes  JMP 003916F1 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] USER32.dll!GetClipboardData                          776A70B2 5 Bytes  JMP 00391737 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!HttpSendRequestA                         766D0F35 5 Bytes  JMP 0038D061 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!HttpQueryInfoA                           766D93B9 5 Bytes  JMP 0038D8CD 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!InternetCloseHandle                      766DAE0B 5 Bytes  JMP 0038C5AA 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!InternetReadFile                         766DEE5F 5 Bytes  JMP 0038D7C0 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!HttpQueryInfoW                           766E3DCB 5 Bytes  JMP 0038D8F1 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!InternetQueryDataAvailable               766E4773 5 Bytes  JMP 0038D832 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!HttpSendRequestExW                       766E62C4 5 Bytes  JMP 0038D0CA 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!InternetWriteFile                        766E63C3 5 Bytes  JMP 0038D24D 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!HttpSendRequestW                         766EBBCC 5 Bytes  JMP 0038D084 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!InternetReadFileExW                      766F0E54 5 Bytes  JMP 0038D80C 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!InternetReadFileExA                      766F0E8C 5 Bytes  JMP 0038D7E6 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WININET.dll!HttpSendRequestExA                       7673B1E6 5 Bytes  JMP 0038D0A7 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] Secur32.dll!DeleteSecurityContext                    76002ABF 5 Bytes  JMP 003B22B6 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] Secur32.dll!EncryptMessage                           76004BDE 5 Bytes  JMP 003B2300 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] Secur32.dll!DecryptMessage                           76004CAB 5 Bytes  JMP 003B2344 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WS2_32.dll!closesocket                               7617330C 5 Bytes  JMP 00398A3F 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WS2_32.dll!recv                                      7617343A 5 Bytes  JMP 00398A96 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WS2_32.dll!WSASend                                   76174496 5 Bytes  JMP 00398C7C 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WS2_32.dll!send                                      7617659B 5 Bytes  JMP 00398C2A 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WS2_32.dll!WSAGetOverlappedResult                    76178143 5 Bytes  JMP 00398D25 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] WS2_32.dll!WSARecv                                   76178400 5 Bytes  JMP 00398AEE 
.text    C:\Program Files\Common Files\Java\Java Update\jusched.exe[2268] CRYPT32.dll!PFXImportCertStore                       75B3914C 5 Bytes  JMP 00393357 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] ntdll.dll!LdrLoadDll                                               779279B3 5 Bytes  JMP 00B38946 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] ntdll.dll!NtCreateUserProcess                                      779590A8 5 Bytes  JMP 00B387A8 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] USER32.dll!TranslateMessage                                        77680069 5 Bytes  JMP 00B316F1 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] USER32.dll!GetClipboardData                                        776A70B2 5 Bytes  JMP 00B31737 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!HttpSendRequestA                                       766D0F35 5 Bytes  JMP 00B2D061 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!HttpQueryInfoA                                         766D93B9 5 Bytes  JMP 00B2D8CD 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!InternetCloseHandle                                    766DAE0B 5 Bytes  JMP 00B2C5AA 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!InternetReadFile                                       766DEE5F 5 Bytes  JMP 00B2D7C0 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!HttpQueryInfoW                                         766E3DCB 5 Bytes  JMP 00B2D8F1 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!InternetQueryDataAvailable                             766E4773 5 Bytes  JMP 00B2D832 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!HttpSendRequestExW                                     766E62C4 5 Bytes  JMP 00B2D0CA 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!InternetWriteFile                                      766E63C3 5 Bytes  JMP 00B2D24D 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!HttpSendRequestW                                       766EBBCC 5 Bytes  JMP 00B2D084 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!InternetReadFileExW                                    766F0E54 5 Bytes  JMP 00B2D80C 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!InternetReadFileExA                                    766F0E8C 5 Bytes  JMP 00B2D7E6 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WININET.dll!HttpSendRequestExA                                     7673B1E6 5 Bytes  JMP 00B2D0A7 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] CRYPT32.dll!PFXImportCertStore                                     75B3914C 5 Bytes  JMP 00B33357 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] Secur32.dll!DeleteSecurityContext                                  76002ABF 5 Bytes  JMP 00B522B6 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] Secur32.dll!EncryptMessage                                         76004BDE 5 Bytes  JMP 00B52300 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] Secur32.dll!DecryptMessage                                         76004CAB 5 Bytes  JMP 00B52344 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WS2_32.dll!closesocket                                             7617330C 5 Bytes  JMP 00B38A3F 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WS2_32.dll!recv                                                    7617343A 5 Bytes  JMP 00B38A96 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WS2_32.dll!WSASend                                                 76174496 5 Bytes  JMP 00B38C7C 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WS2_32.dll!send                                                    7617659B 5 Bytes  JMP 00B38C2A 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WS2_32.dll!WSAGetOverlappedResult                                  76178143 5 Bytes  JMP 00B38D25 
.text    C:\Program Files\Ask.com\Updater\Updater.exe[2292] WS2_32.dll!WSARecv                                                 76178400 5 Bytes  JMP 00B38AEE 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] ntdll.dll!LdrLoadDll                                                   779279B3 5 Bytes  JMP 00A58946 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] ntdll.dll!NtCreateUserProcess                                          779590A8 5 Bytes  JMP 00A587A8 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] USER32.dll!TranslateMessage                                            77680069 5 Bytes  JMP 00A516F1 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] USER32.dll!GetClipboardData                                            776A70B2 5 Bytes  JMP 00A51737 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!HttpSendRequestA                                           766D0F35 5 Bytes  JMP 00A4D061 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!HttpQueryInfoA                                             766D93B9 5 Bytes  JMP 00A4D8CD 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!InternetCloseHandle                                        766DAE0B 5 Bytes  JMP 00A4C5AA 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!InternetReadFile                                           766DEE5F 5 Bytes  JMP 00A4D7C0 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!HttpQueryInfoW                                             766E3DCB 5 Bytes  JMP 00A4D8F1 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!InternetQueryDataAvailable                                 766E4773 5 Bytes  JMP 00A4D832 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!HttpSendRequestExW                                         766E62C4 5 Bytes  JMP 00A4D0CA 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!InternetWriteFile                                          766E63C3 5 Bytes  JMP 00A4D24D 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!HttpSendRequestW                                           766EBBCC 5 Bytes  JMP 00A4D084 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!InternetReadFileExW                                        766F0E54 5 Bytes  JMP 00A4D80C 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!InternetReadFileExA                                        766F0E8C 5 Bytes  JMP 00A4D7E6 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] wininet.dll!HttpSendRequestExA                                         7673B1E6 5 Bytes  JMP 00A4D0A7 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] WS2_32.dll!closesocket                                                 7617330C 5 Bytes  JMP 00A58A3F 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] WS2_32.dll!recv                                                        7617343A 5 Bytes  JMP 00A58A96 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] WS2_32.dll!WSASend                                                     76174496 5 Bytes  JMP 00A58C7C 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] WS2_32.dll!send                                                        7617659B 5 Bytes  JMP 00A58C2A 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] WS2_32.dll!WSAGetOverlappedResult                                      76178143 5 Bytes  JMP 00A58D25 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] WS2_32.dll!WSARecv                                                     76178400 5 Bytes  JMP 00A58AEE 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] Secur32.dll!DeleteSecurityContext                                      76002ABF 5 Bytes  JMP 00A722B6 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] Secur32.dll!EncryptMessage                                             76004BDE 5 Bytes  JMP 00A72300 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] Secur32.dll!DecryptMessage                                             76004CAB 5 Bytes  JMP 00A72344 
.text    C:\Program Files\Inbox Toolbar\Inbox.exe[2300] CRYPT32.dll!PFXImportCertStore                                         75B3914C 5 Bytes  JMP 00A53357 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] ntdll.dll!LdrLoadDll                                               779279B3 5 Bytes  JMP 00748946 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] ntdll.dll!NtCreateUserProcess                                      779590A8 5 Bytes  JMP 007487A8 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] USER32.dll!TranslateMessage                                        77680069 5 Bytes  JMP 007416F1 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] USER32.dll!GetClipboardData                                        776A70B2 5 Bytes  JMP 00741737 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] CRYPT32.dll!PFXImportCertStore                                     75B3914C 5 Bytes  JMP 00743357 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] Secur32.dll!DeleteSecurityContext                                  76002ABF 5 Bytes  JMP 007622B6 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] Secur32.dll!EncryptMessage                                         76004BDE 5 Bytes  JMP 00762300 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] Secur32.dll!DecryptMessage                                         76004CAB 5 Bytes  JMP 00762344 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WS2_32.dll!closesocket                                             7617330C 5 Bytes  JMP 00748A3F 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WS2_32.dll!recv                                                    7617343A 5 Bytes  JMP 00748A96 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WS2_32.dll!WSASend                                                 76174496 5 Bytes  JMP 00748C7C 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WS2_32.dll!send                                                    7617659B 5 Bytes  JMP 00748C2A 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WS2_32.dll!WSAGetOverlappedResult                                  76178143 5 Bytes  JMP 00748D25 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WS2_32.dll!WSARecv                                                 76178400 5 Bytes  JMP 00748AEE 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!HttpSendRequestA                                       766D0F35 5 Bytes  JMP 0073D061 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!HttpQueryInfoA                                         766D93B9 5 Bytes  JMP 0073D8CD 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!InternetCloseHandle                                    766DAE0B 5 Bytes  JMP 0073C5AA 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!InternetReadFile                                       766DEE5F 5 Bytes  JMP 0073D7C0 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!HttpQueryInfoW                                         766E3DCB 5 Bytes  JMP 0073D8F1 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!InternetQueryDataAvailable                             766E4773 5 Bytes  JMP 0073D832 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!HttpSendRequestExW                                     766E62C4 5 Bytes  JMP 0073D0CA 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!InternetWriteFile                                      766E63C3 5 Bytes  JMP 0073D24D 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!HttpSendRequestW                                       766EBBCC 5 Bytes  JMP 0073D084 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!InternetReadFileExW                                    766F0E54 5 Bytes  JMP 0073D80C 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!InternetReadFileExA                                    766F0E8C 5 Bytes  JMP 0073D7E6 
.text    C:\Program Files\Windows Sidebar\sidebar.exe[2356] WININET.dll!HttpSendRequestExA                                     7673B1E6 5 Bytes  JMP 0073D0A7 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] ntdll.dll!LdrLoadDll                    779279B3 5 Bytes  JMP 01588946 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] ntdll.dll!NtCreateUserProcess           779590A8 5 Bytes  JMP 015887A8 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] USER32.dll!TranslateMessage             77680069 5 Bytes  JMP 015816F1 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] USER32.dll!GetClipboardData             776A70B2 5 Bytes  JMP 01581737 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WS2_32.dll!closesocket                  7617330C 5 Bytes  JMP 01588A3F 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WS2_32.dll!recv                         7617343A 5 Bytes  JMP 01588A96 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WS2_32.dll!WSASend                      76174496 5 Bytes  JMP 01588C7C 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WS2_32.dll!send                         7617659B 5 Bytes  JMP 01588C2A 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WS2_32.dll!WSAGetOverlappedResult       76178143 5 Bytes  JMP 01588D25 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WS2_32.dll!WSARecv                      76178400 5 Bytes  JMP 01588AEE 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] Secur32.dll!DeleteSecurityContext       76002ABF 5 Bytes  JMP 015A22B6 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] Secur32.dll!EncryptMessage              76004BDE 5 Bytes  JMP 015A2300 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] Secur32.dll!DecryptMessage              76004CAB 5 Bytes  JMP 015A2344 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!HttpSendRequestA            766D0F35 5 Bytes  JMP 0157D061 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!HttpQueryInfoA              766D93B9 5 Bytes  JMP 0157D8CD 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!InternetCloseHandle         766DAE0B 5 Bytes  JMP 0157C5AA 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!InternetReadFile            766DEE5F 5 Bytes  JMP 0157D7C0 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!HttpQueryInfoW              766E3DCB 5 Bytes  JMP 0157D8F1 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!InternetQueryDataAvailable  766E4773 5 Bytes  JMP 0157D832 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!HttpSendRequestExW          766E62C4 5 Bytes  JMP 0157D0CA 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!InternetWriteFile           766E63C3 5 Bytes  JMP 0157D24D 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!HttpSendRequestW            766EBBCC 5 Bytes  JMP 0157D084 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!InternetReadFileExW         766F0E54 5 Bytes  JMP 0157D80C 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!InternetReadFileExA         766F0E8C 5 Bytes  JMP 0157D7E6 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] WININET.dll!HttpSendRequestExA          7673B1E6 5 Bytes  JMP 0157D0A7 
.text    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2960] CRYPT32.dll!PFXImportCertStore          75B3914C 5 Bytes  JMP 01583357 
.text    C:\Windows\ehome\ehtray.exe[3028] ntdll.dll!LdrLoadDll                                                                779279B3 5 Bytes  JMP 01598946 
.text    C:\Windows\ehome\ehtray.exe[3028] ntdll.dll!NtCreateUserProcess                                                       779590A8 5 Bytes  JMP 015987A8 
.text    C:\Windows\ehome\ehtray.exe[3028] USER32.dll!TranslateMessage                                                         77680069 5 Bytes  JMP 015916F1 
.text    C:\Windows\ehome\ehtray.exe[3028] USER32.dll!GetClipboardData                                                         776A70B2 5 Bytes  JMP 01591737 
.text    C:\Windows\ehome\ehtray.exe[3028] Secur32.dll!DeleteSecurityContext                                                   76002ABF 5 Bytes  JMP 015B22B6 
.text    C:\Windows\ehome\ehtray.exe[3028] Secur32.dll!EncryptMessage                                                          76004BDE 5 Bytes  JMP 015B2300 
.text    C:\Windows\ehome\ehtray.exe[3028] Secur32.dll!DecryptMessage                                                          76004CAB 5 Bytes  JMP 015B2344 
.text    C:\Windows\ehome\ehtray.exe[3028] WS2_32.dll!closesocket                                                              7617330C 5 Bytes  JMP 01598A3F 
.text    C:\Windows\ehome\ehtray.exe[3028] WS2_32.dll!recv                                                                     7617343A 5 Bytes  JMP 01598A96 
.text    C:\Windows\ehome\ehtray.exe[3028] WS2_32.dll!WSASend                                                                  76174496 5 Bytes  JMP 01598C7C 
.text    C:\Windows\ehome\ehtray.exe[3028] WS2_32.dll!send                                                                     7617659B 5 Bytes  JMP 01598C2A 
.text    C:\Windows\ehome\ehtray.exe[3028] WS2_32.dll!WSAGetOverlappedResult                                                   76178143 5 Bytes  JMP 01598D25 
.text    C:\Windows\ehome\ehtray.exe[3028] WS2_32.dll!WSARecv                                                                  76178400 5 Bytes  JMP 01598AEE 
.text    C:\Windows\ehome\ehtray.exe[3028] CRYPT32.dll!PFXImportCertStore                                                      75B3914C 5 Bytes  JMP 01593357 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!HttpSendRequestA                                                        766D0F35 5 Bytes  JMP 0158D061 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!HttpQueryInfoA                                                          766D93B9 5 Bytes  JMP 0158D8CD 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!InternetCloseHandle                                                     766DAE0B 5 Bytes  JMP 0158C5AA 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!InternetReadFile                                                        766DEE5F 5 Bytes  JMP 0158D7C0 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!HttpQueryInfoW                                                          766E3DCB 5 Bytes  JMP 0158D8F1 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!InternetQueryDataAvailable                                              766E4773 5 Bytes  JMP 0158D832 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!HttpSendRequestExW                                                      766E62C4 5 Bytes  JMP 0158D0CA 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!InternetWriteFile                                                       766E63C3 5 Bytes  JMP 0158D24D 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!HttpSendRequestW                                                        766EBBCC 5 Bytes  JMP 0158D084 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!InternetReadFileExW                                                     766F0E54 5 Bytes  JMP 0158D80C 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!InternetReadFileExA                                                     766F0E8C 5 Bytes  JMP 0158D7E6 
.text    C:\Windows\ehome\ehtray.exe[3028] WININET.dll!HttpSendRequestExA                                                      7673B1E6 5 Bytes  JMP 0158D0A7 
.text    C:\Windows\system32\taskeng.exe[3076] ntdll.dll!LdrLoadDll                                                            779279B3 5 Bytes  JMP 02908946 
.text    C:\Windows\system32\taskeng.exe[3076] ntdll.dll!NtCreateUserProcess                                                   779590A8 5 Bytes  JMP 029087A8 
.text    C:\Windows\system32\taskeng.exe[3076] USER32.dll!TranslateMessage                                                     77680069 5 Bytes  JMP 029016F1 
.text    C:\Windows\system32\taskeng.exe[3076] USER32.dll!GetClipboardData                                                     776A70B2 5 Bytes  JMP 02901737 
.text    C:\Windows\system32\taskeng.exe[3076] Secur32.dll!DeleteSecurityContext                                               76002ABF 5 Bytes  JMP 029222B6 
.text    C:\Windows\system32\taskeng.exe[3076] Secur32.dll!EncryptMessage                                                      76004BDE 5 Bytes  JMP 02922300 
.text    C:\Windows\system32\taskeng.exe[3076] Secur32.dll!DecryptMessage                                                      76004CAB 5 Bytes  JMP 02922344 
.text    C:\Windows\system32\taskeng.exe[3076] CRYPT32.dll!PFXImportCertStore                                                  75B3914C 5 Bytes  JMP 02903357 
.text    C:\Windows\system32\taskeng.exe[3076] WS2_32.dll!closesocket                                                          7617330C 5 Bytes  JMP 02908A3F 
.text    C:\Windows\system32\taskeng.exe[3076] WS2_32.dll!recv                                                                 7617343A 5 Bytes  JMP 02908A96 
.text    C:\Windows\system32\taskeng.exe[3076] WS2_32.dll!WSASend                                                              76174496 5 Bytes  JMP 02908C7C 
.text    C:\Windows\system32\taskeng.exe[3076] WS2_32.dll!send                                                                 7617659B 5 Bytes  JMP 02908C2A 
.text    C:\Windows\system32\taskeng.exe[3076] WS2_32.dll!WSAGetOverlappedResult                                               76178143 5 Bytes  JMP 02908D25 
.text    C:\Windows\system32\taskeng.exe[3076] WS2_32.dll!WSARecv                                                              76178400 5 Bytes  JMP 02908AEE 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!HttpSendRequestA                                                    766D0F35 5 Bytes  JMP 028FD061 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!HttpQueryInfoA                                                      766D93B9 5 Bytes  JMP 028FD8CD 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!InternetCloseHandle                                                 766DAE0B 5 Bytes  JMP 028FC5AA 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!InternetReadFile                                                    766DEE5F 5 Bytes  JMP 028FD7C0 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!HttpQueryInfoW                                                      766E3DCB 5 Bytes  JMP 028FD8F1 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!InternetQueryDataAvailable                                          766E4773 5 Bytes  JMP 028FD832 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!HttpSendRequestExW                                                  766E62C4 5 Bytes  JMP 028FD0CA 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!InternetWriteFile                                                   766E63C3 5 Bytes  JMP 028FD24D 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!HttpSendRequestW                                                    766EBBCC 5 Bytes  JMP 028FD084 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!InternetReadFileExW                                                 766F0E54 5 Bytes  JMP 028FD80C 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!InternetReadFileExA                                                 766F0E8C 5 Bytes  JMP 028FD7E6 
.text    C:\Windows\system32\taskeng.exe[3076] WININET.dll!HttpSendRequestExA                                                  7673B1E6 5 Bytes  JMP 028FD0A7 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] ntdll.dll!LdrLoadDll                                       779279B3 5 Bytes  JMP 00148946 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] ntdll.dll!NtCreateUserProcess                              779590A8 5 Bytes  JMP 001487A8 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] USER32.dll!TranslateMessage                                77680069 5 Bytes  JMP 001416F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] USER32.dll!GetClipboardData                                776A70B2 5 Bytes  JMP 00141737 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] Secur32.dll!DeleteSecurityContext                          76002ABF 5 Bytes  JMP 001622B6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] Secur32.dll!EncryptMessage                                 76004BDE 5 Bytes  JMP 00162300 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] Secur32.dll!DecryptMessage                                 76004CAB 5 Bytes  JMP 00162344 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WS2_32.dll!closesocket                                     7617330C 5 Bytes  JMP 00148A3F 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WS2_32.dll!recv                                            7617343A 5 Bytes  JMP 00148A96 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WS2_32.dll!WSASend                                         76174496 5 Bytes  JMP 00148C7C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WS2_32.dll!send                                            7617659B 5 Bytes  JMP 00148C2A 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WS2_32.dll!WSAGetOverlappedResult                          76178143 5 Bytes  JMP 00148D25 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WS2_32.dll!WSARecv                                         76178400 5 Bytes  JMP 00148AEE 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] CRYPT32.dll!PFXImportCertStore                             75B3914C 5 Bytes  JMP 00143357 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!HttpSendRequestA                               766D0F35 5 Bytes  JMP 0013D061 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!HttpQueryInfoA                                 766D93B9 5 Bytes  JMP 0013D8CD 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!InternetCloseHandle                            766DAE0B 5 Bytes  JMP 0013C5AA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!InternetReadFile                               766DEE5F 5 Bytes  JMP 0013D7C0 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!HttpQueryInfoW                                 766E3DCB 5 Bytes  JMP 0013D8F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!InternetQueryDataAvailable                     766E4773 5 Bytes  JMP 0013D832 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!HttpSendRequestExW                             766E62C4 5 Bytes  JMP 0013D0CA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!InternetWriteFile                              766E63C3 5 Bytes  JMP 0013D24D 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!HttpSendRequestW                               766EBBCC 5 Bytes  JMP 0013D084 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!InternetReadFileExW                            766F0E54 5 Bytes  JMP 0013D80C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!InternetReadFileExA                            766F0E8C 5 Bytes  JMP 0013D7E6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3264] WININET.dll!HttpSendRequestExA                             7673B1E6 5 Bytes  JMP 0013D0A7 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] ntdll.dll!LdrLoadDll                                       779279B3 5 Bytes  JMP 00148946 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] ntdll.dll!NtCreateUserProcess                              779590A8 5 Bytes  JMP 001487A8 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] USER32.dll!TranslateMessage                                77680069 5 Bytes  JMP 001416F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] USER32.dll!GetClipboardData                                776A70B2 5 Bytes  JMP 00141737 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] Secur32.dll!DeleteSecurityContext                          76002ABF 5 Bytes  JMP 001622B6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] Secur32.dll!EncryptMessage                                 76004BDE 5 Bytes  JMP 00162300 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] Secur32.dll!DecryptMessage                                 76004CAB 5 Bytes  JMP 00162344 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WS2_32.dll!closesocket                                     7617330C 5 Bytes  JMP 00148A3F 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WS2_32.dll!recv                                            7617343A 5 Bytes  JMP 00148A96 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WS2_32.dll!WSASend                                         76174496 5 Bytes  JMP 00148C7C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WS2_32.dll!send                                            7617659B 5 Bytes  JMP 00148C2A 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WS2_32.dll!WSAGetOverlappedResult                          76178143 5 Bytes  JMP 00148D25 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WS2_32.dll!WSARecv                                         76178400 5 Bytes  JMP 00148AEE 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] CRYPT32.dll!PFXImportCertStore                             75B3914C 5 Bytes  JMP 00143357 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!HttpSendRequestA                               766D0F35 5 Bytes  JMP 0013D061 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!HttpQueryInfoA                                 766D93B9 5 Bytes  JMP 0013D8CD 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!InternetCloseHandle                            766DAE0B 5 Bytes  JMP 0013C5AA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!InternetReadFile                               766DEE5F 5 Bytes  JMP 0013D7C0 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!HttpQueryInfoW                                 766E3DCB 5 Bytes  JMP 0013D8F1 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!InternetQueryDataAvailable                     766E4773 5 Bytes  JMP 0013D832 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!HttpSendRequestExW                             766E62C4 5 Bytes  JMP 0013D0CA 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!InternetWriteFile                              766E63C3 5 Bytes  JMP 0013D24D 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!HttpSendRequestW                               766EBBCC 5 Bytes  JMP 0013D084 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!InternetReadFileExW                            766F0E54 5 Bytes  JMP 0013D80C 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!InternetReadFileExA                            766F0E8C 5 Bytes  JMP 0013D7E6 
.text    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3300] WININET.dll!HttpSendRequestExA                             7673B1E6 5 Bytes  JMP 0013D0A7 
.text    C:\Windows\ehome\ehmsas.exe[3308] ntdll.dll!LdrLoadDll                                                                779279B3 5 Bytes  JMP 01538946 
.text    C:\Windows\ehome\ehmsas.exe[3308] ntdll.dll!NtCreateUserProcess                                                       779590A8 5 Bytes  JMP 015387A8 
.text    C:\Windows\ehome\ehmsas.exe[3308] USER32.dll!TranslateMessage                                                         77680069 5 Bytes  JMP 015316F1 
.text    C:\Windows\ehome\ehmsas.exe[3308] USER32.dll!GetClipboardData                                                         776A70B2 5 Bytes  JMP 01531737 
.text    C:\Windows\ehome\ehmsas.exe[3308] Secur32.dll!DeleteSecurityContext                                                   76002ABF 5 Bytes  JMP 015522B6 
.text    C:\Windows\ehome\ehmsas.exe[3308] Secur32.dll!EncryptMessage                                                          76004BDE 5 Bytes  JMP 01552300 
.text    C:\Windows\ehome\ehmsas.exe[3308] Secur32.dll!DecryptMessage                                                          76004CAB 5 Bytes  JMP 01552344 
.text    C:\Windows\ehome\ehmsas.exe[3308] WS2_32.dll!closesocket                                                              7617330C 5 Bytes  JMP 01538A3F 
.text    C:\Windows\ehome\ehmsas.exe[3308] WS2_32.dll!recv                                                                     7617343A 5 Bytes  JMP 01538A96 
.text    C:\Windows\ehome\ehmsas.exe[3308] WS2_32.dll!WSASend                                                                  76174496 5 Bytes  JMP 01538C7C 
.text    C:\Windows\ehome\ehmsas.exe[3308] WS2_32.dll!send                                                                     7617659B 5 Bytes  JMP 01538C2A 
.text    C:\Windows\ehome\ehmsas.exe[3308] WS2_32.dll!WSAGetOverlappedResult                                                   76178143 5 Bytes  JMP 01538D25 
.text    C:\Windows\ehome\ehmsas.exe[3308] WS2_32.dll!WSARecv                                                                  76178400 5 Bytes  JMP 01538AEE 
.text    C:\Windows\ehome\ehmsas.exe[3308] CRYPT32.dll!PFXImportCertStore                                                      75B3914C 5 Bytes  JMP 01533357 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!HttpSendRequestA                                                        766D0F35 5 Bytes  JMP 0152D061 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!HttpQueryInfoA                                                          766D93B9 5 Bytes  JMP 0152D8CD 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!InternetCloseHandle                                                     766DAE0B 5 Bytes  JMP 0152C5AA 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!InternetReadFile                                                        766DEE5F 5 Bytes  JMP 0152D7C0 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!HttpQueryInfoW                                                          766E3DCB 5 Bytes  JMP 0152D8F1 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!InternetQueryDataAvailable                                              766E4773 5 Bytes  JMP 0152D832 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!HttpSendRequestExW                                                      766E62C4 5 Bytes  JMP 0152D0CA 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!InternetWriteFile                                                       766E63C3 5 Bytes  JMP 0152D24D 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!HttpSendRequestW                                                        766EBBCC 5 Bytes  JMP 0152D084 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!InternetReadFileExW                                                     766F0E54 5 Bytes  JMP 0152D80C 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!InternetReadFileExA                                                     766F0E8C 5 Bytes  JMP 0152D7E6 
.text    C:\Windows\ehome\ehmsas.exe[3308] WININET.dll!HttpSendRequestExA                                                      7673B1E6 5 Bytes  JMP 0152D0A7 

---- User IAT/EAT - GMER 2.1 ----

IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                  [746B8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                   [746F9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                               [746BB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                         [746AFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                   [746B7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                [746AEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]                    [746EB12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]                       [746BBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                               [746B0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                [746B06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                 [746A71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]                         [7473D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]                            [746D7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                               [746AE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                         [746A697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                        [746A69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll
IAT      C:\Windows\Explorer.EXE[352] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                           [746B2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll

---- Processes - GMER 2.1 ----

Process   (*** hidden *** )                                                                                                    [4] 84930D90                                                                                                                  

---- EOF - GMER 2.1 ----
         
--- --- ---


Code:
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.05.11

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Ruth :: RUTH-PC [limited]

05.03.2013 17:33:45
mbar-log-2013-03-05 (17-33-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 29346
Time elapsed: 18 minute(s), 

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{0E40E18A-4B84-AD7E-C8A1-6CABE8D94FB6} (Trojan.Zbot) -> Data: C:\Users\Ruth\AppData\Roaming\Ewehne\kiqy.exe -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
c:\$RECYCLE.BIN\S-1-5-21-545296325-4284398314-600840805-1000\$65f3adc165eb96de6e2b09677405ac73\U (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-545296325-4284398314-600840805-1000\$65f3adc165eb96de6e2b09677405ac73\L (Trojan.Siredef.C) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-545296325-4284398314-600840805-1000\$65f3adc165eb96de6e2b09677405ac73 (Trojan.Siredef.C) -> Delete on reboot.

Files Detected: 3
c:\Users\Ruth\AppData\Roaming\Ewehne\kiqy.exe (Trojan.Zbot) -> Delete on reboot.
c:\$RECYCLE.BIN\S-1-5-21-545296325-4284398314-600840805-1000\$65f3adc165eb96de6e2b09677405ac73\@ (Trojan.Siredef.C) -> Delete on reboot.
c:\Users\Ruth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0QDUZLD3\readme[1].exe (Trojan.Zbot) -> Delete on reboot.

(end)
         
After the 2nd scan with MBAR:

Code:
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.05.11

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Ruth :: RUTH-PC [administrator]

05.03.2013 17:51:56
mbar-log-2013-03-05 (17-51-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 29304
Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
         
Am I clean again now? :-)

05.03.2013, 23:33   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Reading material:
Rootkit warning
Your computer has been infected with a particular kind of malware that can hide from conventional virus scanners and from the operating system itself. In addition, such malware usually has backdoor functionality as well, i.e. it deliberately tears holes through all protective measures so that it can download further malicious code or forward the data it collects to the "bad guys". What does that mean for you now?
  • Please make a deliberate decision on whether you want to continue with the cleanup. Once a system has been compromised in this way, it can never be secured again with 100% certainty. Even though we have a good chance of cleaning your computer, it may still turn out that in the end only a reinstallation remains.
  • If you use this computer for online banking, for example, then you should at least have your bank change your password if you use an otherwise secure procedure such as "chip-TAN-comfort". Do you still have old paper-based TAN sheets? Then it is high time to contact your bank and, if necessary, have the account temporarily blocked. The blocking hotline 116 116 from www.sperr-notruf.de can be used for this day and night.
  • If you otherwise have sensitive data on your computer, you should also think about how to deal with that, since practically "anyone" could have looked at it.
So let me know what you have decided.
__________________
"Truth is usually just an excuse for a lack of imagination." (Elim Garak)

Support the Trojaner-Board
Why Linux is better than Windows!

06.03.2013, 07:03   #11
hunn3s

Thank you very much for your help. I will get back to you this evening, since I will be out all day now. However, I think it will come down to a reinstallation, simply to be free of doubt.

But I will write you a final answer this evening. I hope that is OK.
Thanks again.

06.03.2013, 10:42   #12
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

OK, see you this evening

06.03.2013, 13:41   #13
hunn3s

So that went faster after all....

So, as I said: I think I will sleep more soundly if I set the machine up from scratch. Can I copy my own files without worry, or do I run the risk of carrying the viruses over to the new system?

06.03.2013, 13:43   #14
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

On the subject of backing up data from infected systems: do it via a live CD such as Knoppix, Ubuntu (second link in my signature) or via PartedMagic. Reason: in a live system, none of the malware from the infected Windows system is active, which also rules out the malware negatively affecting the backup.

You will of course also need a backup medium; an external drive is probably best. If you do not have too much to back up, a USB stick may also be enough.

Here is a short guide for PartedMagic; in principle it works almost exactly the same way with all other live systems too.
  1. Download the PartedMagic ISO image
  2. Burn it to CD using an image-burning function; this can be done with ImgBurn under Windows, for example
  3. Boot from the burned CD, start option 1 in the boot menu and wait until the Linux desktop is up
  4. You should find an icon "Mount Devices"; double-click it
  5. Mount the partitions where Windows is installed, usually /dev/sda1, or /dev/sda2 with Win7, and of course any other partitions that hold data that needs to be backed up, as well as those of the external drive (you only get read and write access to the file systems once they are mounted)
  6. Copy the data from the internal drive to the external drive: copy only personal files, music, videos, etc. to the backup drive, NO executable files such as programs/games/setups!!
  7. When finished, restart the computer, switch off the ext. drive and boot from the Windows DVD for the reinstallation (follow the guide)
__________________
"Truth is usually just an excuse for a lack of imagination." (Elim Garak)

Support the Trojaner-Board
Why Linux is better than Windows!
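
Steps 5 and 6 of the guide above, as a script run from the live system (an added example, not part of the original post and not a PartedMagic tool): it copies every regular file from the mounted Windows partition to the backup drive except files that look executable, judged by extension and by the `MZ` header that Windows executables start with. The function names, the extension list and the mount points in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: selective backup from a mounted, possibly infected Windows
# partition. Run it from the live system, never from the infected Windows.
# Usage (hypothetical mount points):
#   sh backup_personal.sh /media/sda2/Users /media/sdb1/backup

# Extensions never copied (an assumed, non-exhaustive list of program/script types).
SKIP_EXT='exe dll scr com pif bat cmd msi sys cpl ocx vbs vbe js jse wsf wsh ps1 hta lnk jar'

# is_blocked PATH: succeeds (status 0) when the file must stay behind.
is_blocked() {
    path=$1
    name=${path##*/}
    case $name in
        *.*) ext=$(printf '%s' "${name##*.}" | tr '[:upper:]' '[:lower:]') ;;
        *)   ext='' ;;
    esac
    for e in $SKIP_EXT; do
        if [ "$ext" = "$e" ]; then return 0; fi
    done
    # Windows executables start with the bytes "MZ" (4d 5a) whatever their
    # name says, so a program renamed to look like a document is caught here.
    magic=$(dd if="$path" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "4d5a" ]; then return 0; fi
    return 1
}

# backup_personal SRC DST: copies every allowed regular file, keeping the
# directory layout, and prints "copied=N skipped=M". Skipped paths go to stderr.
backup_personal() {
    src=${1%/}
    dst=${2%/}
    copied=0
    skipped=0
    list=$(mktemp)
    # -type f ignores symlinks and junctions. File names containing a
    # newline are not supported by this line-based loop.
    find "$src" -type f > "$list"
    while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_blocked "$f"; then
            skipped=$((skipped + 1))
            printf 'SKIP %s\n' "$rel" >&2
        else
            mkdir -p "$dst/$(dirname "$rel")"
            cp "$f" "$dst/$rel"
            copied=$((copied + 1))
        fi
    done < "$list"
    rm -f "$list"
    printf 'copied=%s skipped=%s\n' "$copied" "$skipped"
}

# make_sample_tree DIR: constructed test data (not real files) for a dry run.
make_sample_tree() {
    u="$1/Users/user"
    mkdir -p "$u/Documents" "$u/Pictures" "$u/Downloads"
    printf 'hello\n'            > "$u/Documents/letter.txt"
    printf 'todo\n'             > "$u/Documents/notes"
    printf 'image bytes\n'      > "$u/Pictures/holiday photo.jpg"
    printf 'x'                  > "$u/Downloads/setup.EXE"
    printf 'MZ\220constructed'  > "$u/Documents/invoice.pdf"   # program posing as a PDF
}

if [ "$#" -eq 2 ]; then
    backup_personal "$1" "$2"
fi
```

The header check errs on the side of skipping: a harmless file that happens to begin with `MZ` is left behind and listed on stderr, so it can be reviewed by hand.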

06.03.2013, 13:47   #15
hunn3s

All right. Great. That is how I will do it!
Many thanks. Great that a site like this exists. I would not have known what else to do. ;-)
