
Log analysis and evaluation: Avira blocked by group policy and Trojan.fakems

24.05.2013, 23:00   #1
uuuuuvex

Avira blocked by group policy and Trojan.fakems

Good evening,

I have a problem on my PC (probably an infection by a trojan) and need your help with it.
Identical cases are already known, and I have already read about them at HijackThis. Several statements confirm that each case should be handled individually in order to avoid serious damage.

The following problem occurred:
- About a week ago the Windows control center reported that my antivirus program Avira is inactive. I then simply tried to turn it back on, to no avail.
- Next I tried to start the program from the desktop, also without success; the message "Program was blocked by a group policy" appeared.
After some research, a trojan is held responsible for this.
- I tried to uninstall Avira via the Control Panel, also without success.
- I then downloaded and installed avast (probably a mistake, since
two antivirus programs should not be installed at the same time).
- The program currently runs without problems and, I think, serves its purpose.
- Today I ran a check with Malwarebytes and found 2 trojans: Trojan.fakems.
- So I came to your forum and ask for help in solving the problem!

25.05.2013, 00:23   #2
aharonov
/// TB Trainer

Avira blocked by group policy and Trojan.fakems

Hello uuuuuvex,

My name is Leo and I will guide you through the cleanup of your computer.

One thing up front: I cannot guarantee that I will find everything. With serious infections, formatting and reinstalling is usually the faster and always the safer way.
If you decide on a cleanup, we should proceed thoroughly. So stay with it until I clearly tell you that we are done.
Even if the obvious symptoms disappear early, that does not mean your computer is already clean and safe.

Notes on the procedure
  • You will receive from me a step-by-step guide tailored individually to you.
    • Always read these instructions completely first and ask about anything unclear before you begin.
    • Then work through the instructions carefully and in the order given, and post your feedback and log files together in one reply at the end.
    • Whenever possible, paste the contents of the log files inside code tags in your reply.
    • If problems come up, stop at that point and describe them as well as you can.
  • It is important to me that the state of your system does not suddenly change unpredictably:
    • Do not run any scanners or tools without being asked to. Do not delete anything on your own.
    • Do not install or uninstall any software during the cleanup.

Let's go:

Quote:
Today I ran a check with Malwarebytes and found 2 trojans: Trojan.fakems
Please post me this log file with the two findings, see here: http://www.trojaner-board.de/125889-...en-posten.html

In addition:


Step 1

Please download defogger (by jpshortstuff) to your desktop.
  • Start the tool with a double-click.
  • Now click the Disable button.
  • Confirm the security prompt with Yes.
  • When the scan has finished (Finished), click OK.
  • If Defogger asks for a restart, confirm with OK.
  • Defogger creates a log file on the desktop named defogger_disable.txt.
  • Only if problems occurred, post its contents with your next reply.
Do not click the Re-enable button without instruction!



Step 2

Please download the GMER Rootkit Scanner GMER (random file name):
  • Close all other programs, disable your virus scanner and disconnect the computer from the internet before you start GMER.
  • If a window with the following warning opens after the start:
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    Be sure to click "No".
  • On the right, uncheck: IAT/EAT and Show All
  • Check Quickscan and uncheck all other drives.
  • Start the scan with "Scan".
  • Do nothing on the computer while the scan is running.
  • When the scan is finished, click Save and save the log file as Gmer.txt on your desktop. "Ok" closes GMER.
Turn your antivirus program and other scanners back on before you go online!


Do problems occur?
  • Alternatively, try safe mode.
  • If you get a bluescreen, uncheck Devices.



Step 3

Please download OTL (by Oldtimer) and save it to your desktop.
  • Double-click OTL.exe.
  • Copy the contents of the code box into the text box.
    Code:
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths" /s /c
  • Under Extra Registry, please select Use SafeList.
  • Check Scan all Users.
  • Now click Run Scan.
  • When the scan is finished, 2 log files (OTL.txt and Extras.txt) are created.
  • Post the contents of these log files here in the thread.



Please post in your next reply:
  • existing MBAM log with the findings
  • GMER log
  • OTL logs
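The `reg query` in step 3 lists the Software Restriction Policy (SRP) path rules stored under the Disallowed level (`codeidentifiers\0`), which is the mechanism behind the "blocked by a group policy" message. As an added example, not code from the thread, from OTL or from GMER, the following Python parses such `reg query /s` output and flags Disallowed rules whose path points at a security product; it also accepts output for the parent `codeidentifiers` key, where the Unrestricted level 262144 appears too. The sample output is constructed, and its GUIDs, timestamps and paths are placeholders.

```python
"""Parse `reg query ... /s` output for the SRP codeidentifiers key and flag
Software Restriction Policy path rules that block security tools.

Added example for this thread; not code from the forum, OTL or GMER.
SAMPLE below is constructed: GUIDs, timestamps and paths are placeholders,
not values taken from the affected machine.
"""
import re

# The subkey directly below "codeidentifiers" is the SRP security level.
SRP_LEVELS = {"0": "Disallowed", "262144": "Unrestricted"}

# Lower-case directory fragments of security products; a Disallowed rule
# pointing at one of these is the pattern behind "blocked by group policy".
PROTECTED_FRAGMENTS = (
    "\\avira\\",
    "\\avast software\\",
    "\\malwarebytes",
    "\\windows defender\\",
)

# Key line of a single path rule: ...\codeidentifiers\<level>\Paths\{GUID}
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\"
    r"codeidentifiers\\(?P<level>\d+)\\Paths\\(?P<guid>\{[0-9A-Fa-f-]+\})$",
    re.IGNORECASE,
)
# reg query prints values as: <4 spaces>Name<4 spaces>REG_TYPE<4 spaces>Data
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample output (placeholder GUIDs and paths).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{00000000-0000-0000-0000-000000000001}
    ItemData    REG_EXPAND_SZ    %ProgramFiles%\Avira\AntiVir Desktop\avgnt.exe
    SaferFlags    REG_DWORD    0x0
    LastModified    REG_QWORD    0x1ce5800000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{00000000-0000-0000-0000-000000000002}
    ItemData    REG_SZ    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{00000000-0000-0000-0000-000000000003}
    ItemData    REG_SZ    C:\Users\xxx\Downloads\unwanted-installer.exe
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{00000000-0000-0000-0000-000000000004}
    ItemData    REG_EXPAND_SZ    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    SaferFlags    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Return one dict {guid, level, path} per Paths\\{GUID} subkey seen."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            level = key.group("level")
            current = {
                "guid": key.group("guid"),
                "level": SRP_LEVELS.get(level, level),  # unknown levels kept raw
                "path": "",
            }
            rules.append(current)
            continue
        if line.startswith("HKEY_"):
            current = None  # a key without a GUID (e.g. the Paths key itself)
            continue
        value = VALUE_RE.match(line)
        if value and current is not None and value.group("name") == "ItemData":
            current["path"] = value.group("data").strip()
    return rules


def find_blocked_security_tools(rules):
    """Return the Disallowed rules whose target path belongs to a security product."""
    return [
        r for r in rules
        if r["level"] == "Disallowed"
        and any(frag in r["path"].lower() for frag in PROTECTED_FRAGMENTS)
    ]


def report(text):
    """Summary lines: rule count plus one line per rule that blocks security software."""
    rules = parse_reg_query(text)
    hits = find_blocked_security_tools(rules)
    lines = [f"{len(rules)} SRP path rule(s) parsed, {len(hits)} block security software:"]
    for r in hits:
        lines.append(f"  {r['guid']}  {r['level']:<12} {r['path']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```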

25.05.2013, 09:52   #3
uuuuuvex

Avira blocked by group policy and Trojan.fakems

Here is the finding from Malwarebytes:
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.05.24.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: xxx-PC [Administrator]

24.05.2013 21:10:08
MBAM-log-2013-05-24 (21-37-35).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 207913
Laufzeit: 13 Minute(n), 58 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\Users\xxx\AppData\Roaming\Cuelle\libnspr4.dll (Trojan.FakeMS) -> Keine Aktion durchgeführt.
C:\Users\xxx\AppData\Local\Temp\libnspr4.dll (Trojan.FakeMS) -> Keine Aktion durchgeführt.

(Ende)
         

and the OTL files:
Code:
OTL logfile created on: 24.05.2013 21:39:43 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,93 Gb Total Physical Memory | 1,86 Gb Available Physical Memory | 63,39% Memory free
6,08 Gb Paging File | 4,78 Gb Available in Paging File | 78,63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 171,26 Gb Free Space | 59,45% Space Free | Partition Type: NTFS
 
Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
PRC - [2013.05.09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2013.04.01 13:23:17 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2013.04.01 13:23:01 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013.04.01 13:22:58 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\Astrid\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012.12.20 19:44:32 | 000,844,296 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
PRC - [2012.12.20 19:44:28 | 000,310,280 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Programme\Samsung\Kies\KiesTrayAgent.exe
PRC - [2012.12.20 19:44:26 | 001,476,104 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\Kies.exe
PRC - [2012.05.23 08:57:30 | 000,871,608 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\wfcrun32.exe
PRC - [2012.05.23 08:54:42 | 000,371,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\concentr.exe
PRC - [2012.04.05 11:11:18 | 001,144,704 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\Receiver\Receiver.exe
PRC - [2012.04.03 11:00:24 | 000,051,128 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\SelfServicePlugin\SelfServicePlugin.exe
PRC - [2009.11.02 03:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Programme\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.07.25 06:18:26 | 000,768,520 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.exe
PRC - [2008.06.27 12:33:18 | 006,244,896 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2008.01.21 04:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe
PRC - [2007.08.24 05:45:42 | 000,101,784 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.12.20 19:41:18 | 012,976,640 | ---- | M] () -- C:\Programme\Samsung\Kies\Theme\Kies.Theme.dll
MOD - [2012.12.20 13:31:44 | 000,572,416 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.UI.dll
MOD - [2012.12.18 11:35:44 | 000,034,816 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.Common.DeviceServiceLib.Interface.dll
MOD - [2012.12.18 11:35:06 | 000,023,040 | ---- | M] () -- C:\Programme\Samsung\Kies\MVVM\Kies.MVVM.dll
MOD - [2012.12.18 11:07:10 | 000,057,856 | ---- | M] () -- C:\Programme\Samsung\Kies\External\MediaModules\ASF_cSharpAPI.dll
MOD - [2012.12.12 07:34:13 | 005,025,792 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
MOD - [2012.10.05 12:59:03 | 003,194,880 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012.10.05 12:59:03 | 000,630,784 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
MOD - [2012.08.31 13:01:10 | 004,550,656 | ---- | M] () -- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
MOD - [2012.02.13 13:02:15 | 001,249,280 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
MOD - [2012.02.13 13:02:09 | 005,283,840 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2012.02.13 13:02:04 | 004,214,784 | ---- | M] () -- C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
MOD - [2009.06.13 14:34:17 | 000,667,648 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
MOD - [2009.03.30 06:42:20 | 002,048,000 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2009.03.30 06:42:19 | 000,303,104 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2009.03.30 06:42:19 | 000,114,688 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2009.03.30 06:42:17 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2009.03.30 06:42:12 | 000,040,960 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll
MOD - [2009.03.30 06:42:11 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2009.03.30 06:42:10 | 000,010,752 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
MOD - [2009.02.25 03:16:56 | 000,110,592 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationCore.resources\3.0.0.0_de_31bf3856ad364e35\PresentationCore.resources.dll
MOD - [2003.06.07 07:30:08 | 000,057,344 | ---- | M] () -- C:\Programme\Launch Manager\PowerUtl.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013.05.20 20:03:32 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.15 16:49:47 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013.04.01 13:23:17 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.04.01 13:22:58 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.08.24 04:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2013.04.01 13:23:19 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2013.04.01 13:23:19 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2013.04.01 13:23:19 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2012.09.20 06:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.09.20 06:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2012.05.17 08:14:58 | 000,067,960 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008.06.11 12:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.06.10 12:54:36 | 000,123,904 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.03.17 11:05:30 | 000,101,632 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007.04.17 21:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006.11.02 15:27:34 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Programme\Launch Manager\DPortIO.sys -- (DritekPortIO)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.web.de/tb/ie_startpage
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook:  - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {CEE438B0-8D23-43BD-AAAF-0823A494B43B}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0C9BE677-668C-44B7-9BF4-60D03EB5C683}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=N7nV7JXvDwOgfsrGFMLlL7Lp9s8?q={searchTerms}
IE - HKCU\..\SearchScopes\{84EE01E4-BB12-412E-8548-DBB48CE4C558}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=7216D071-F749-4970-9500-BC9DA7BE6D9A&apn_sauid=37FBC488-8C66-4DF7-9809-1DABE7B9D46E
IE - HKCU\..\SearchScopes\{89FAD86A-4F5A-4459-89BD-2384D21B171E}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKCU\..\SearchScopes\{BFCB5309-6270-4E5C-9372-E669C681DD8C}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKCU\..\SearchScopes\{CEE438B0-8D23-43BD-AAAF-0823A494B43B}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW_de
IE - HKCU\..\SearchScopes\{EA6DBBB1-372A-4F57-A46D-B6E2F642C4C7}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:2.2.8.307
FF - prefs.js..extensions.enabledAddons: %7BC9B68337-E93A-44EA-94DC-CB300EC06444%7D:5.30.4
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.05.18 14:19:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2012.10.19 20:10:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Extensions
[2013.05.16 18:10:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions
[2013.05.16 18:10:01 | 000,000,000 | ---D | M] (WOT) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013.03.31 14:55:16 | 000,000,000 | ---D | M] (IMinent Toolbar) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}
[2013.03.26 20:22:35 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\donottrackplus@abine.com
[2013.03.31 15:05:52 | 000,000,000 | ---D | M] (Delta Toolbar) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\ffxtlbr@delta.com
[2012.11.10 23:31:11 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2012.12.13 22:29:00 | 000,199,445 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\movie2kdownloader@movie2kdownloader.com.xpi
[2012.10.19 20:16:29 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013.03.07 02:06:18 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js
[2011.10.13 17:19:44 | 000,000,855 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\1und1-suche.xml
[2011.10.10 15:27:30 | 000,001,281 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\amazondotcom-de.xml
[2013.03.31 15:05:54 | 000,001,294 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\delta.xml
[2011.10.10 14:59:22 | 000,002,364 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\eBay-de.xml
[2011.10.13 17:01:56 | 000,010,507 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\gmx-suche.xml
[2011.10.10 15:12:38 | 000,002,385 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\lastminute.xml
[2011.10.13 17:34:10 | 000,002,248 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\mailcom-search.xml
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013.03.31 15:03:08 | 000,006,508 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012.12.14 09:57:14 | 000,002,157 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchTheWeb.xml
 
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKCU\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [eRecoveryService]  File not found
O4 - HKLM..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [] C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung)
O4 - HKCU..\Run: [KiesAirMessage] C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup File not found
O4 - HKCU..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe (Samsung)
O4 - HKCU..\Run: [Uxxyduubm] C:\Users\xxx\AppData\Roaming\Cuelle\cihoy.exe File not found
O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Astrid\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/canvasx.cab (CanvasX Class)
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab (JordanUploader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.17.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4DE48291-937F-4F23-A3D0-13D377260A3F}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6094CB2C-98BC-4A93-A44B-D3DB86A05EE3}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\xxx\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\xxx\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{e5738528-6716-11de-ae82-00235a569b62}\Shell - "" = AutoRun
O33 - MountPoints2\{e5738528-6716-11de-ae82-00235a569b62}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{e573852a-6716-11de-ae82-00235a569b62}\Shell - "" = AutoRun
O33 - MountPoints2\{e573852a-6716-11de-ae82-00235a569b62}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f039e429-5849-11de-95ca-00235a569b62}\Shell - "" = AutoRun
O33 - MountPoints2\{f039e429-5849-11de-95ca-00235a569b62}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{f039e42f-5849-11de-95ca-00235a569b62}\Shell - "" = AutoRun
O33 - MountPoints2\{f039e42f-5849-11de-95ca-00235a569b62}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.05.24 21:38:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
[2013.05.24 21:09:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Malwarebytes
[2013.05.24 21:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.05.24 21:08:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.05.24 21:08:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013.05.24 21:08:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013.05.20 20:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.05.18 14:20:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013.05.18 14:20:42 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.18 14:20:41 | 000,368,944 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.18 14:20:37 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.18 14:20:37 | 000,049,760 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.18 14:20:36 | 000,765,736 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.18 14:20:29 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.18 14:20:28 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2013.05.18 14:18:40 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.18 14:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013.05.18 14:16:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013.05.17 18:42:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hochzeit xxx und xxx 11.05.13
[2013.05.17 18:35:42 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hamburg 28.02.-01.03.13
[2013.05.01 15:05:43 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Bridge
[2013.05.01 15:00:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Spiegel
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Galyy
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Cuelle
 
========== Files - Modified Within 30 Days ==========
 
[2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
[2013.05.24 21:36:00 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable
[2013.05.24 21:35:00 | 000,050,477 | ---- | M] () -- C:\Users\xxx\Desktop\Defogger.exe
[2013.05.24 21:08:59 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.05.24 20:55:02 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.05.24 20:49:16 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.05.24 20:36:58 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2013.05.24 20:36:55 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.05.24 20:36:23 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.05.24 20:36:23 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.05.24 20:36:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.05.24 20:36:10 | 3147,841,536 | -HS- | M] () -- C:\hiberfil.sys
[2013.05.23 18:27:37 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2013.05.22 21:07:17 | 000,025,600 | ---- | M] () -- C:\Users\xxx\Documents\Geld 2012 Bär.xlr
[2013.05.22 21:07:17 | 000,002,180 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2013.05.18 14:20:44 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013.05.18 12:25:27 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013.05.17 18:31:08 | 000,623,280 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.05.17 18:31:08 | 000,591,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.05.17 18:31:08 | 000,125,378 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.05.17 18:31:08 | 000,103,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.05.17 16:14:18 | 000,020,992 | ---- | M] () -- C:\Users\xxx\Documents\Prinzessinnengeld1.xlr
[2013.05.16 16:25:35 | 000,340,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.13 21:07:19 | 000,030,727 | ---- | M] () -- C:\Users\xxx\Documents\Waage.ods
[2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.09 10:59:10 | 000,174,664 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.09 10:59:10 | 000,049,376 | ---- | M] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.09 10:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.09 10:58:28 | 000,229,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
 
========== Files Created - No Company Name ==========
 
[2013.05.24 21:36:00 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable
[2013.05.24 21:34:59 | 000,050,477 | ---- | C] () -- C:\Users\xxx\Desktop\Defogger.exe
[2013.05.24 21:08:59 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.05.18 14:20:44 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:35 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.18 14:20:34 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.02.16 22:35:03 | 000,016,311 | ---- | C] () -- C:\Users\xxx\.TransferManager.db
[2013.01.27 12:24:29 | 000,000,246 | ---- | C] () -- C:\Windows\wininit.ini
[2012.12.18 11:06:10 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2012.12.18 11:06:06 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2012.12.18 11:06:06 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2012.12.18 11:06:06 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2012.12.18 11:06:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2012.09.18 17:31:20 | 000,000,857 | ---- | C] () -- C:\Users\xxx\.recently-used.xbel
[2011.03.13 20:55:05 | 000,000,680 | ---- | C] () -- C:\Users\xxx\AppData\Local\d3d9caps.dat
[2010.02.09 19:13:58 | 000,005,184 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009.07.15 17:35:28 | 000,002,180 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2009.06.15 19:09:41 | 000,026,624 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2011.12.19 17:35:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\1&1 Mail & Media GmbH
[2013.03.29 16:29:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\AnvSoft
[2013.03.31 15:07:11 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\BabSolution
[2013.03.31 15:03:02 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Babylon
[2013.05.18 15:40:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Cuelle
[2013.05.24 20:39:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Dropbox
[2011.12.17 10:21:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\fotobuch.de AG
[2013.05.01 13:35:35 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Galyy
[2012.09.18 17:31:20 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\gtk-2.0
[2012.09.07 17:50:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICAClient
[2012.05.28 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICQ
[2009.06.13 22:45:08 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\InterVideo
[2012.09.26 17:06:06 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Langenscheidt
[2013.05.18 14:58:03 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
[2009.08.27 19:05:39 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\OpenOffice.org
[2013.03.31 15:03:24 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Optimizer Pro
[2013.02.16 20:29:31 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Samsung
[2010.09.30 19:21:04 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Template
[2009.06.13 14:03:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vodafone
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:CF5C4195
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:8AB6C1D7

< End of report >
         

Code:
OTL Extras logfile created on: 24.05.2013 21:39:43 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,93 Gb Total Physical Memory | 1,86 Gb Available Physical Memory | 63,39% Memory free
6,08 Gb Paging File | 4,78 Gb Available in Paging File | 78,63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 171,26 Gb Free Space | 59,45% Space Free | Partition Type: NTFS
 
Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\fotobuch.de\Designer 2.0\Designer.exe" = C:\Program Files\fotobuch.de\Designer 2.0\Designer.exe:*:Designer.exe
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A3BD388-905E-4422-A3AB-058F0033DADC}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{4C61EE98-FB3D-4F45-9FF5-81ECE62DE238}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{900498E1-C173-4FAE-8A5D-8010D9583F03}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{9D71D38C-5C9C-4549-80D8-EE0A1CC0E958}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{C3790585-1710-432A-A849-50C85C1097B8}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{DB432D38-975F-4BF8-B5FF-056D1E175ABE}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{EAFEFA52-399B-4130-9C9E-6354650C70F5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F6EB0082-5EF1-4270-A308-A45494A56F22}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{15A86B15-ACA3-461F-9A29-75583740A0E6}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe | 
"{247C3C74-70DC-4ADD-A55D-EC3102B0307B}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{37B17D1C-10FD-4515-91A3-F27935568514}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{3A526904-A7B2-47AD-BFBB-858EFAA21C5B}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | 
"{3FBB7E09-CE47-4A81-AB75-079E9F83C455}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe | 
"{49612362-6B51-4A59-BF2D-D7A92CB5DC91}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{4F0D85D6-85AF-4EEC-BFAD-88AAC234B37A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{6B256466-A6F0-4136-B7CC-4A828A0923B2}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe | 
"{72886A47-67AD-424E-95EC-0EB068403ED2}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | 
"{75C39AEF-D685-4527-A325-D37649D889DE}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | 
"{794BE6CF-4F82-4575-B5B2-B8B635A5C188}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | 
"{84872F10-4805-4391-A694-59230A86BE9A}" = protocol=17 | dir=in | app=c:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"{87FB78AD-283D-4550-A0FD-0842B5A42E4E}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe | 
"{8E49ACE9-78E0-4A9D-8948-A3796F92AE29}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | 
"{A2E5D1A0-0821-4EC1-896E-DD32653060A7}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{A51038BF-001D-4763-8481-C84D47E6164D}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | 
"{A547F228-9382-46A1-9524-FED56E51321B}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | 
"{B8B2DE30-982D-4580-A249-D040D455E8B0}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{BF279619-05D7-497B-A8BE-2137CFB9004F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{C85875EB-D6A4-41F6-9E86-6B68C2DAE271}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe | 
"{CC92A875-0703-4E1B-8B46-3DB4E252DFE7}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{DE84BDD0-987A-473A-9EF6-C0667F271B29}" = protocol=6 | dir=in | app=c:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"{EA0771F1-07BC-4318-8D94-D028E0079289}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{F2D77A8D-D782-4116-96A1-12217C395BC2}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | 
"{F61E56FE-7FC7-44C3-9392-D66382E6C8AE}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe | 
"{FCE9531D-B7BB-497F-B37A-3447CD35D7EB}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | 
"TCP Query User{1A572BB1-4FAB-42B3-BE7C-DE968AAD6BD1}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"TCP Query User{1F9437C7-4A6A-434B-A5F8-761E345697BA}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe | 
"TCP Query User{2E5C3701-36FF-4F9E-9107-F3C3BF638B07}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"TCP Query User{30D452E1-FBD2-4F8F-AD8E-E5D76CED1E8B}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"TCP Query User{3F411AF7-C9B6-421F-A0F6-2B69FA10A4DC}C:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\astrid\appdata\roaming\dropbox\bin\dropbox.exe | 
"TCP Query User{4F7DB614-5D91-4494-8E95-A8A99AAE47EA}C:\program files\icq7.2\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | 
"TCP Query User{6AE8AC03-104E-4F26-A6E3-01FCC3F8F474}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | 
"TCP Query User{AB0F7B42-B527-41C2-94ED-DCF5F07FD8EB}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"TCP Query User{D4CE7A5B-E799-47C9-98E4-AB3F27284503}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe | 
"TCP Query User{E17FC99A-D425-4AE1-AFE1-9AD97BD67572}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | 
"TCP Query User{FFE87A3E-D0D3-4794-B544-45CEEDC63246}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | 
"UDP Query User{0DC868F5-0B7F-4C92-881F-871CD17C7868}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"UDP Query User{401C38BD-DD94-4283-A1FE-4F116EDDF5A0}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | 
"UDP Query User{5748D7CB-DB48-440D-A6AE-7C611CE9747F}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | 
"UDP Query User{611A4B4A-A32B-46F6-8DB4-B4BDEF336C70}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe | 
"UDP Query User{7092F445-D93F-40B5-9D46-4A5C1FEE0DC1}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{83985F17-B5EC-4FCE-B397-5C58D60D4DB0}C:\users\xxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\astrid\appdata\roaming\dropbox\bin\dropbox.exe | 
"UDP Query User{8F3467DC-BC4D-4F3E-8C01-C4A901352624}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe | 
"UDP Query User{965484C4-FBC3-452C-B290-CCB9ED06B3ED}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"UDP Query User{D54BA3D7-94E9-4FFC-A24A-EE4C682E1C60}C:\program files\icq7.2\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | 
"UDP Query User{DD79B672-F749-4AA4-8DCE-2E923190614D}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | 
"UDP Query User{EAE5C0D8-9007-46CC-9CF2-FBBCC39472AA}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2700_series" = Canon iP2700 series Printer Driver
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{2DE9C112-2482-4D27-AA90-1504DFD9F117}" = Citrix Authentication Manager
"{2EA6C7A4-9178-4C04-887E-D3515F4AAC1B}" = Online Plug-in
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{452F5D68-F680-4F84-9146-509C0DFEB8D6}" = Citrix Receiver (USB)
"{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{589D1E78-A6BA-485D-85D9-83F9E3DC1379}" = Vokabeltrainer En Vivo A1
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2
"{73A32AC6-C6DE-410E-8869-83E5D725DDE0}" = Citrix Receiver(Aero)
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = eMachines ScreenSaver
"{7CE1F876-6012-431F-A514-C67107D6D8E1}" = Citrix Receiver (DV)
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = eMachines Recovery Management
"{82149c0c-52f4-42eb-9683-55ae065bad30}" = Begado
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11019760}" = eMachines
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{8EC50898-E24A-4C0C-A1F2-A71A8DBF291F}" = Citrix Receiver Inside
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{58FC5E37-DD28-4D4A-A549-125744C6763C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{888B9AC7-8F5C-456B-A27A-157A6C310E52}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{99E862CC-6F69-4D39-99AA-DBF71BF3B585}" = OpenOffice.org 3.1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A4987FC4-33BE-4227-B290-FAA1819B65C2}" = Vokabeltrainer-Update 5.0.27
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.5 - Deutsch
"{B48A3CE4-2F1E-45EF-841A-C0A3C407EB0F}" = Self-Service Plug-in
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CC4BBCBA-89F6-47C3-9B0F-5CE5BB1C316C}" = WEB.DE Toolbar MSVC100 CRT x86
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe  1.4.142.1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D2A27492-2F6B-49BE-A4E4-BFCE01828FB7}" = Citrix Receiver (HDX Flash-Umleitung)
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"1&1 Mail & Media GmbH 1und1Softwareaktualisierung" = WEB.DE Softwareaktualisierung
"1&1 Mail & Media GmbH Toolbar FF" = WEB.DE Toolbar für Mozilla Firefox
"1&1 Mail & Media GmbH Toolbar IE8" = WEB.DE Toolbar für Internet Explorer
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Any Video Converter 5_is1" = Any Video Converter 5 5.0.4
"avast" = avast! Free Antivirus
"Avira AntiVir Desktop" = Avira Free Antivirus
"Canon iP2700 series Benutzerregistrierung" = Canon iP2700 series Benutzerregistrierung
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CitrixOnlinePluginPackWeb" = Citrix Receiver
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ElsterFormular" = ElsterFormular
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.75.0.1300
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 21.0 (x86 de)" = Mozilla Firefox 21.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NAVIGON Fresh" = NAVIGON Fresh 3.4.1
"PokerStars" = PokerStars
"PokerStars.net" = PokerStars.net
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinGimp-2.0_is1" = GIMP 2.6.11
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"MyFreeCodec" = MyFreeCodec
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 19.05.2013 08:06:49 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 19.05.2013 11:41:54 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 20.05.2013 05:40:21 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 20.05.2013 13:28:42 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 21.05.2013 11:14:13 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 21.05.2013 13:27:37 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 21.05.2013 13:32:45 | Computer Name = xxx-PC | Source = Windows Search Service | ID = 3013
Description = 
 
Error - 22.05.2013 10:30:31 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 22.05.2013 13:45:06 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 24.05.2013 07:35:57 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 24.05.2013 14:37:55 | Computer Name = xxx-PC | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 16.05.2013 12:09:49 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7011
Description = 
 
Error - 18.05.2013 06:25:15 | Computer Name = xxx-PC | Source = DCOM | ID = 10005
Description = 
 
Error - 18.05.2013 06:25:15 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 18.05.2013 06:25:15 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 19.05.2013 11:43:19 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 19.05.2013 11:43:20 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 19.05.2013 11:44:36 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 19.05.2013 11:44:36 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 20.05.2013 05:40:22 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 20.05.2013 05:40:22 | Computer Name = xxx-PC | Source = Service Control Manager | ID = 7009
Description = 
 
 
< End of report >
         
Last edited by uuuuuvex (25.05.2013 at 10:17)

Alt 25.05.2013, 10:12   #4
uuuuuvex
GMER log file:
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-05-24 23:33:51
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232L9A300 rev.FB4OC40C 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\xxx\AppData\Local\Temp\pwdiqpob.sys


---- System - GMER 2.1 ----

SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwAddBootEntry [0x8FE7E644]
SSDT    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwAllocateVirtualMemory [0x904AC668]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwAssignProcessToJobObject [0x8FE7F0D6]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateEvent [0x8FE8A89A]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateEventPair [0x8FE8A8E6]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateIoCompletion [0x8FE8AA80]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateMutant [0x8FE8A808]
SSDT    8C4B8516                                                                                                               ZwCreateSection
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateSemaphore [0x8FE8A850]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateThread [0x8FE7F5D4]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateTimer [0x8FE8AA3A]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwDebugActiveProcess [0x8FE7FE8C]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwDeleteBootEntry [0x8FE7E6AA]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwDuplicateObject [0x8FE836AC]
SSDT    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwFreeVirtualMemory [0x904AC730]
SSDT    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwLoadDriver [0x904AAC80]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwModifyBootEntry [0x8FE7E710]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwNotifyChangeKey [0x8FE83A76]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwNotifyChangeMultipleKeys [0x8FE8091C]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenEvent [0x8FE8A8C4]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenEventPair [0x8FE8A908]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenIoCompletion [0x8FE8AAA4]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenMutant [0x8FE8A82E]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenProcess [0x8FE82F92]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenSection [0x8FE8A9B8]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenSemaphore [0x8FE8A878]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenThread [0x8FE83384]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwOpenTimer [0x8FE8AA5E]
SSDT    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwProtectVirtualMemory [0x904AC890]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwQueryObject [0x8FE807E8]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwQueueApcThread [0x8FE8033E]
SSDT    8C4B8520                                                                                                               ZwRequestWaitReplyPort
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwSetBootEntryOrder [0x8FE7E776]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwSetBootOptions [0x8FE7E7DC]
SSDT    8C4B851B                                                                                                               ZwSetContextThread
SSDT    8C4B8525                                                                                                               ZwSetSecurityObject
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwSetSystemInformation [0x8FE7E32C]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwSetSystemPowerState [0x8FE7E502]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwShutdownSystem [0x8FE7E490]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwSuspendProcess [0x8FE80056]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwSuspendThread [0x8FE801B8]
SSDT    8C4B852A                                                                                                               ZwSystemDebugControl
SSDT    8C4B84B7                                                                                                               ZwTerminateProcess
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwTerminateThread [0x8FE7FCE6]
SSDT    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwUnloadDriver [0x904AACB0]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwVdmControl [0x8FE7E842]
SSDT    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwWriteVirtualMemory [0x904AC7DC]
SSDT    \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                  ZwCreateThreadEx [0x8FE7F7F0]

Code    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ZwCreateProcessEx [0x904C5E80]
Code    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ObInsertObject
Code    \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                  ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text   ntkrnlpa.exe!KeSetEvent + 10D                                                                                          824FE850 4 Bytes  [44, E6, E7, 8F]
.text   ntkrnlpa.exe!KeSetEvent + 131                                                                                          824FE874 4 Bytes  [68, C6, 4A, 90]
.text   ntkrnlpa.exe!KeSetEvent + 191                                                                                          824FE8D4 4 Bytes  [D6, F0, E7, 8F] {SALC ; OUT 0x8f, EAX}
.text   ntkrnlpa.exe!KeSetEvent + 1D1                                                                                          824FE914 8 Bytes  [9A, A8, E8, 8F, E6, A8, E8, ...]
.text   ntkrnlpa.exe!KeSetEvent + 1DD                                                                                          824FE920 4 Bytes  [80, AA, E8, 8F]
.text   ...                                                                                                                    
PAGE    ntkrnlpa.exe!ObMakeTemporaryObject                                                                                     82629663 5 Bytes  JMP 904C2D1A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE    ntkrnlpa.exe!ObInsertObject                                                                                            82682703 5 Bytes  JMP 904C4834 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE    ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110                                                                            8268C01F 4 Bytes  CALL 8FE80FDF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE    ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121                                                                           8268FC93 4 Bytes  CALL 8FE80FF5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE    ntkrnlpa.exe!ZwCreateProcessEx                                                                                         826E3FE0 7 Bytes  JMP 904C5E84 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 2.1 ----

.text   C:\Windows\System32\spoolsv.exe[284] kernel32.dll!GetBinaryTypeW + 70                                                  77E72447 1 Byte  [62]
.text   C:\Windows\system32\taskeng.exe[312] kernel32.dll!GetBinaryTypeW + 70                                                  77E72447 1 Byte  [62]
.text   C:\Windows\Explorer.EXE[316] kernel32.dll!GetBinaryTypeW + 70                                                          77E72447 1 Byte  [62]
.text   C:\Program Files\Avira\AntiVir Desktop\sched.exe[496] kernel32.dll!GetBinaryTypeW + 70                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\csrss.exe[608] KERNEL32.dll!GetBinaryTypeW + 70                                                    77E72447 1 Byte  [62]
.text   ...                                                                                                                    
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ntdll.dll!LdrLoadDll                           77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ntdll.dll!LdrUnloadDll                         77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ntdll.dll!DbgBreakPoint                        77CE878E 1 Byte  [C3]
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] KERNEL32.dll!GetBinaryTypeW + 70               77E72447 1 Byte  [62]
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!CreateServiceW                    76609EB4 5 Bytes  JMP 000A03FC 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!DeleteService                     7660A07E 5 Bytes  JMP 000A0600 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!SetServiceObjectSecurity          76646CD9 5 Bytes  JMP 000A1014 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!ChangeServiceConfigA              76646DD9 5 Bytes  JMP 000A0804 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!ChangeServiceConfigW              76646F81 5 Bytes  JMP 000A0A08 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!ChangeServiceConfig2A             76647099 5 Bytes  JMP 000A0C0C 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!ChangeServiceConfig2W             766471E1 5 Bytes  JMP 000A0E10 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] ADVAPI32.dll!CreateServiceA                    766472A1 5 Bytes  JMP 000A01F8 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] USER32.dll!SetWindowsHookExA                   776F6322 5 Bytes  JMP 000C0600 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] USER32.dll!SetWindowsHookExW                   776F87AD 5 Bytes  JMP 000C0804 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] USER32.dll!UnhookWindowsHookEx                 776F98DB 5 Bytes  JMP 000C0A08 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] USER32.dll!SetWinEventHook                     776F9F3A 5 Bytes  JMP 000C01F8 
.text   C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[972] USER32.dll!UnhookWinEvent                      776FC06F 5 Bytes  JMP 000C03FC 
.text   C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\System32\svchost.exe[1068] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\System32\svchost.exe[1176] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ntdll.dll!LdrLoadDll                                          77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ntdll.dll!LdrUnloadDll                                        77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] KERNEL32.dll!GetBinaryTypeW + 70                              77E72447 1 Byte  [62]
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!CreateServiceW                                   76609EB4 5 Bytes  JMP 000703FC 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!DeleteService                                    7660A07E 5 Bytes  JMP 00070600 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!SetServiceObjectSecurity                         76646CD9 5 Bytes  JMP 00071014 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!ChangeServiceConfigA                             76646DD9 5 Bytes  JMP 00070804 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!ChangeServiceConfigW                             76646F81 5 Bytes  JMP 00070A08 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!ChangeServiceConfig2A                            76647099 5 Bytes  JMP 00070C0C 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!ChangeServiceConfig2W                            766471E1 5 Bytes  JMP 00070E10 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] ADVAPI32.dll!CreateServiceA                                   766472A1 5 Bytes  JMP 000701F8 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] USER32.dll!SetWindowsHookExA                                  776F6322 5 Bytes  JMP 00540600 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] USER32.dll!SetWindowsHookExW                                  776F87AD 5 Bytes  JMP 00540804 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] USER32.dll!UnhookWindowsHookEx                                776F98DB 5 Bytes  JMP 00540A08 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] USER32.dll!SetWinEventHook                                    776F9F3A 5 Bytes  JMP 005401F8 
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[1232] USER32.dll!UnhookWinEvent                                     776FC06F 5 Bytes  JMP 005403FC 
.text   C:\Windows\System32\svchost.exe[1252] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\AUDIODG.EXE[1336] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\svchost.exe[1360] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\svchost.exe[1452] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrLoadDll                                                             77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll                                                           77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Windows\system32\svchost.exe[1472] KERNEL32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceW                                                      76609EB4 5 Bytes  JMP 000703FC 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!DeleteService                                                       7660A07E 5 Bytes  JMP 00070600 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!SetServiceObjectSecurity                                            76646CD9 5 Bytes  JMP 00071014 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigA                                                76646DD9 5 Bytes  JMP 00070804 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigW                                                76646F81 5 Bytes  JMP 00070A08 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2A                                               76647099 5 Bytes  JMP 00070C0C 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2W                                               766471E1 5 Bytes  JMP 00070E10 
.text   C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceA                                                      766472A1 5 Bytes  JMP 000701F8 
.text   C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA                                                     776F6322 5 Bytes  JMP 00080600 
.text   C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW                                                     776F87AD 5 Bytes  JMP 00080804 
.text   C:\Windows\system32\svchost.exe[1472] USER32.dll!UnhookWindowsHookEx                                                   776F98DB 5 Bytes  JMP 00080A08 
.text   C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWinEventHook                                                       776F9F3A 5 Bytes  JMP 000801F8 
.text   C:\Windows\system32\svchost.exe[1472] USER32.dll!UnhookWinEvent                                                        776FC06F 5 Bytes  JMP 000803FC 
.text   C:\Windows\system32\svchost.exe[1660] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1756] kernel32.dll!GetBinaryTypeW + 70                              77E72447 1 Byte  [62]
.text   C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe[1772] KERNEL32.dll!GetBinaryTypeW + 70  77E72447 1 Byte  [62]
.text   C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1804] kernel32.dll!GetBinaryTypeW + 70                              77E72447 1 Byte  [62]
.text   C:\Windows\system32\WLANExt.exe[1812] kernel32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   ...                                                                                                                    
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ntdll.dll!LdrLoadDll                                                      77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ntdll.dll!LdrUnloadDll                                                    77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] KERNEL32.dll!GetBinaryTypeW + 70                                          77E72447 1 Byte  [62]
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!CreateServiceW                                               76609EB4 5 Bytes  JMP 000703FC 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!DeleteService                                                7660A07E 5 Bytes  JMP 00070600 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!SetServiceObjectSecurity                                     76646CD9 5 Bytes  JMP 00071014 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!ChangeServiceConfigA                                         76646DD9 5 Bytes  JMP 00070804 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!ChangeServiceConfigW                                         76646F81 5 Bytes  JMP 00070A08 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!ChangeServiceConfig2A                                        76647099 5 Bytes  JMP 00070C0C 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!ChangeServiceConfig2W                                        766471E1 5 Bytes  JMP 00070E10 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] ADVAPI32.dll!CreateServiceA                                               766472A1 5 Bytes  JMP 000701F8 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] USER32.dll!SetWindowsHookExA                                              776F6322 5 Bytes  JMP 00080600 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] USER32.dll!SetWindowsHookExW                                              776F87AD 5 Bytes  JMP 00080804 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] USER32.dll!UnhookWindowsHookEx                                            776F98DB 5 Bytes  JMP 00080A08 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] USER32.dll!SetWinEventHook                                                776F9F3A 5 Bytes  JMP 000801F8 
.text   C:\Program Files\Samsung\Kies\Kies.exe[1996] USER32.dll!UnhookWinEvent                                                 776FC06F 5 Bytes  JMP 000803FC 
.text   C:\Windows\system32\Dwm.exe[2020] kernel32.dll!GetBinaryTypeW + 70                                                     77E72447 1 Byte  [62]
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ntdll.dll!LdrLoadDll                                     77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ntdll.dll!LdrUnloadDll                                   77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] KERNEL32.dll!GetBinaryTypeW + 70                         77E72447 1 Byte  [62]
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] USER32.dll!SetWindowsHookExA                             776F6322 5 Bytes  JMP 00170600 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] USER32.dll!SetWindowsHookExW                             776F87AD 5 Bytes  JMP 00170804 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] USER32.dll!UnhookWindowsHookEx                           776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] USER32.dll!SetWinEventHook                               776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] USER32.dll!UnhookWinEvent                                776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!CreateServiceW                              76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!DeleteService                               7660A07E 5 Bytes  JMP 00180600 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!SetServiceObjectSecurity                    76646CD9 5 Bytes  JMP 00181014 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!ChangeServiceConfigA                        76646DD9 5 Bytes  JMP 00180804 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!ChangeServiceConfigW                        76646F81 5 Bytes  JMP 00180A08 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!ChangeServiceConfig2A                       76647099 5 Bytes  JMP 00180C0C 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!ChangeServiceConfig2W                       766471E1 5 Bytes  JMP 00180E10 
.text   C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[2584] ADVAPI32.dll!CreateServiceA                              766472A1 5 Bytes  JMP 001801F8 
.text   C:\Windows\System32\hkcmd.exe[2612] ntdll.dll!LdrLoadDll                                                               77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Windows\System32\hkcmd.exe[2612] ntdll.dll!LdrUnloadDll                                                             77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Windows\System32\hkcmd.exe[2612] KERNEL32.dll!GetBinaryTypeW + 70                                                   77E72447 1 Byte  [62]
.text   C:\Windows\System32\hkcmd.exe[2612] USER32.dll!SetWindowsHookExA                                                       776F6322 5 Bytes  JMP 00180600 
.text   C:\Windows\System32\hkcmd.exe[2612] USER32.dll!SetWindowsHookExW                                                       776F87AD 5 Bytes  JMP 00180804 
.text   C:\Windows\System32\hkcmd.exe[2612] USER32.dll!UnhookWindowsHookEx                                                     776F98DB 5 Bytes  JMP 00180A08 
.text   C:\Windows\System32\hkcmd.exe[2612] USER32.dll!SetWinEventHook                                                         776F9F3A 5 Bytes  JMP 001801F8 
.text   C:\Windows\System32\hkcmd.exe[2612] USER32.dll!UnhookWinEvent                                                          776FC06F 5 Bytes  JMP 001803FC 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!CreateServiceW                                                        76609EB4 5 Bytes  JMP 001903FC 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!DeleteService                                                         7660A07E 3 Bytes  JMP 00190600 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!DeleteService + 4                                                     7660A082 1 Byte  [89]
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!SetServiceObjectSecurity                                              76646CD9 5 Bytes  JMP 00191014 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!ChangeServiceConfigA                                                  76646DD9 5 Bytes  JMP 00190804 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!ChangeServiceConfigW                                                  76646F81 5 Bytes  JMP 00190A08 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!ChangeServiceConfig2A                                                 76647099 5 Bytes  JMP 00190C0C 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!ChangeServiceConfig2W                                                 766471E1 5 Bytes  JMP 00190E10 
.text   C:\Windows\System32\hkcmd.exe[2612] ADVAPI32.dll!CreateServiceA                                                        766472A1 5 Bytes  JMP 001901F8 
.text   C:\Program Files\AVAST Software\Avast\AvastUI.exe[2660] kernel32.dll!GetBinaryTypeW + 70                               77E72447 1 Byte  [62]
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ntdll.dll!LdrLoadDll                                     77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ntdll.dll!LdrUnloadDll                                   77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] KERNEL32.dll!GetBinaryTypeW + 70                         77E72447 1 Byte  [62]
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] USER32.dll!SetWindowsHookExA                             776F6322 5 Bytes  JMP 00070600 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] USER32.dll!SetWindowsHookExW                             776F87AD 5 Bytes  JMP 00070804 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] USER32.dll!UnhookWindowsHookEx                           776F98DB 5 Bytes  JMP 00070A08 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] USER32.dll!SetWinEventHook                               776F9F3A 5 Bytes  JMP 000701F8 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] USER32.dll!UnhookWinEvent                                776FC06F 5 Bytes  JMP 000703FC 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!CreateServiceW                              76609EB4 5 Bytes  JMP 000803FC 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!DeleteService                               7660A07E 5 Bytes  JMP 00080600 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!SetServiceObjectSecurity                    76646CD9 5 Bytes  JMP 00081014 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!ChangeServiceConfigA                        76646DD9 5 Bytes  JMP 00080804 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!ChangeServiceConfigW                        76646F81 5 Bytes  JMP 00080A08 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!ChangeServiceConfig2A                       76647099 5 Bytes  JMP 00080C0C 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!ChangeServiceConfig2W                       766471E1 5 Bytes  JMP 00080E10 
.text   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2748] ADVAPI32.dll!CreateServiceA                              766472A1 5 Bytes  JMP 000801F8 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ntdll.dll!LdrLoadDll                               77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ntdll.dll!LdrUnloadDll                             77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] KERNEL32.dll!GetBinaryTypeW + 70                   77E72447 1 Byte  [62]
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] USER32.dll!SetWindowsHookExA                       776F6322 5 Bytes  JMP 00170600 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] USER32.dll!SetWindowsHookExW                       776F87AD 5 Bytes  JMP 00170804 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] USER32.dll!UnhookWindowsHookEx                     776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] USER32.dll!SetWinEventHook                         776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] USER32.dll!UnhookWinEvent                          776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!CreateServiceW                        76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!DeleteService                         7660A07E 5 Bytes  JMP 00180600 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!SetServiceObjectSecurity              76646CD9 5 Bytes  JMP 00181014 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!ChangeServiceConfigA                  76646DD9 5 Bytes  JMP 00180804 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!ChangeServiceConfigW                  76646F81 5 Bytes  JMP 00180A08 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!ChangeServiceConfig2A                 76647099 5 Bytes  JMP 00180C0C 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!ChangeServiceConfig2W                 766471E1 5 Bytes  JMP 00180E10 
.text   C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[2752] ADVAPI32.dll!CreateServiceA                        766472A1 5 Bytes  JMP 001801F8 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ntdll.dll!LdrLoadDll                                                            77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ntdll.dll!LdrUnloadDll                                                          77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Windows\system32\igfxsrvc.exe[2784] KERNEL32.dll!GetBinaryTypeW + 70                                                77E72447 1 Byte  [62]
.text   C:\Windows\system32\igfxsrvc.exe[2784] USER32.dll!SetWindowsHookExA                                                    776F6322 5 Bytes  JMP 00170600 
.text   C:\Windows\system32\igfxsrvc.exe[2784] USER32.dll!SetWindowsHookExW                                                    776F87AD 5 Bytes  JMP 00170804 
.text   C:\Windows\system32\igfxsrvc.exe[2784] USER32.dll!UnhookWindowsHookEx                                                  776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Windows\system32\igfxsrvc.exe[2784] USER32.dll!SetWinEventHook                                                      776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Windows\system32\igfxsrvc.exe[2784] USER32.dll!UnhookWinEvent                                                       776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!CreateServiceW                                                     76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!DeleteService                                                      7660A07E 5 Bytes  JMP 00180600 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!SetServiceObjectSecurity                                           76646CD9 5 Bytes  JMP 00181014 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!ChangeServiceConfigA                                               76646DD9 5 Bytes  JMP 00180804 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!ChangeServiceConfigW                                               76646F81 5 Bytes  JMP 00180A08 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!ChangeServiceConfig2A                                              76647099 5 Bytes  JMP 00180C0C 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!ChangeServiceConfig2W                                              766471E1 5 Bytes  JMP 00180E10 
.text   C:\Windows\system32\igfxsrvc.exe[2784] ADVAPI32.dll!CreateServiceA                                                     766472A1 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ntdll.dll!LdrLoadDll                                      77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ntdll.dll!LdrUnloadDll                                    77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] KERNEL32.dll!GetBinaryTypeW + 70                          77E72447 1 Byte  [62]
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] USER32.dll!SetWindowsHookExA                              776F6322 5 Bytes  JMP 00170600 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] USER32.dll!SetWindowsHookExW                              776F87AD 5 Bytes  JMP 00170804 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] USER32.dll!UnhookWindowsHookEx                            776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] USER32.dll!SetWinEventHook                                776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] USER32.dll!UnhookWinEvent                                 776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!CreateServiceW                               76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!DeleteService                                7660A07E 5 Bytes  JMP 00180600 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!SetServiceObjectSecurity                     76646CD9 5 Bytes  JMP 00181014 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!ChangeServiceConfigA                         76646DD9 5 Bytes  JMP 00180804 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!ChangeServiceConfigW                         76646F81 5 Bytes  JMP 00180A08 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!ChangeServiceConfig2A                        76647099 5 Bytes  JMP 00180C0C 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!ChangeServiceConfig2W                        766471E1 5 Bytes  JMP 00180E10 
.text   C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[2800] ADVAPI32.dll!CreateServiceA                               766472A1 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ntdll.dll!LdrLoadDll                                        77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ntdll.dll!LdrUnloadDll                                      77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] KERNEL32.dll!GetBinaryTypeW + 70                            77E72447 1 Byte  [62]
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] USER32.dll!SetWindowsHookExA                                776F6322 5 Bytes  JMP 00180600 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] USER32.dll!SetWindowsHookExW                                776F87AD 5 Bytes  JMP 00180804 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] USER32.dll!UnhookWindowsHookEx                              776F98DB 5 Bytes  JMP 00180A08 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] USER32.dll!SetWinEventHook                                  776F9F3A 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] USER32.dll!UnhookWinEvent                                   776FC06F 5 Bytes  JMP 001803FC 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!CreateServiceW                                 76609EB4 5 Bytes  JMP 001903FC 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!DeleteService                                  7660A07E 3 Bytes  JMP 00190600 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!DeleteService + 4                              7660A082 1 Byte  [89]
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!SetServiceObjectSecurity                       76646CD9 5 Bytes  JMP 00191014 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!ChangeServiceConfigA                           76646DD9 5 Bytes  JMP 00190804 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!ChangeServiceConfigW                           76646F81 5 Bytes  JMP 00190A08 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!ChangeServiceConfig2A                          76647099 5 Bytes  JMP 00190C0C 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!ChangeServiceConfig2W                          766471E1 5 Bytes  JMP 00190E10 
.text   C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2820] ADVAPI32.dll!CreateServiceA                                 766472A1 5 Bytes  JMP 001901F8 
.text   C:\Windows\system32\igfxext.exe[2836] ntdll.dll!LdrLoadDll                                                             77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Windows\system32\igfxext.exe[2836] ntdll.dll!LdrUnloadDll                                                           77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Windows\system32\igfxext.exe[2836] KERNEL32.dll!GetBinaryTypeW + 70                                                 77E72447 1 Byte  [62]
.text   C:\Windows\system32\igfxext.exe[2836] USER32.dll!SetWindowsHookExA                                                     776F6322 5 Bytes  JMP 00170600 
.text   C:\Windows\system32\igfxext.exe[2836] USER32.dll!SetWindowsHookExW                                                     776F87AD 5 Bytes  JMP 00170804 
.text   C:\Windows\system32\igfxext.exe[2836] USER32.dll!UnhookWindowsHookEx                                                   776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Windows\system32\igfxext.exe[2836] USER32.dll!SetWinEventHook                                                       776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Windows\system32\igfxext.exe[2836] USER32.dll!UnhookWinEvent                                                        776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!CreateServiceW                                                      76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!DeleteService                                                       7660A07E 5 Bytes  JMP 00180600 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!SetServiceObjectSecurity                                            76646CD9 5 Bytes  JMP 00181014 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!ChangeServiceConfigA                                                76646DD9 5 Bytes  JMP 00180804 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!ChangeServiceConfigW                                                76646F81 5 Bytes  JMP 00180A08 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!ChangeServiceConfig2A                                               76647099 5 Bytes  JMP 00180C0C 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!ChangeServiceConfig2W                                               766471E1 5 Bytes  JMP 00180E10 
.text   C:\Windows\system32\igfxext.exe[2836] ADVAPI32.dll!CreateServiceA                                                      766472A1 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ntdll.dll!LdrLoadDll                                          77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ntdll.dll!LdrUnloadDll                                        77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] KERNEL32.dll!GetBinaryTypeW + 70                              77E72447 1 Byte  [62]
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!CreateServiceW                                   76609EB4 5 Bytes  JMP 000703FC 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!DeleteService                                    7660A07E 5 Bytes  JMP 00070600 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!SetServiceObjectSecurity                         76646CD9 5 Bytes  JMP 00071014 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!ChangeServiceConfigA                             76646DD9 5 Bytes  JMP 00070804 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!ChangeServiceConfigW                             76646F81 5 Bytes  JMP 00070A08 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!ChangeServiceConfig2A                            76647099 5 Bytes  JMP 00070C0C 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!ChangeServiceConfig2W                            766471E1 5 Bytes  JMP 00070E10 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] ADVAPI32.dll!CreateServiceA                                   766472A1 5 Bytes  JMP 000701F8 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] USER32.dll!SetWindowsHookExA                                  776F6322 5 Bytes  JMP 00080600 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] USER32.dll!SetWindowsHookExW                                  776F87AD 5 Bytes  JMP 00080804 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] USER32.dll!UnhookWindowsHookEx                                776F98DB 5 Bytes  JMP 00080A08 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] USER32.dll!SetWinEventHook                                    776F9F3A 5 Bytes  JMP 000801F8 
.text   C:\Program Files\Windows Media Player\wmpnscfg.exe[2880] USER32.dll!UnhookWinEvent                                     776FC06F 5 Bytes  JMP 000803FC 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ntdll.dll!LdrLoadDll                         77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ntdll.dll!LdrUnloadDll                       77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] KERNEL32.dll!GetBinaryTypeW + 70             77E72447 1 Byte  [62]
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!CreateServiceW                  76609EB4 5 Bytes  JMP 001703FC 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!DeleteService                   7660A07E 5 Bytes  JMP 00170600 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!SetServiceObjectSecurity        76646CD9 5 Bytes  JMP 00171014 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfigA            76646DD9 5 Bytes  JMP 00170804 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfigW            76646F81 5 Bytes  JMP 00170A08 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfig2A           76647099 5 Bytes  JMP 00170C0C 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!ChangeServiceConfig2W           766471E1 5 Bytes  JMP 00170E10 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] ADVAPI32.dll!CreateServiceA                  766472A1 5 Bytes  JMP 001701F8 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!SetWindowsHookExA                 776F6322 5 Bytes  JMP 00180600 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!SetWindowsHookExW                 776F87AD 5 Bytes  JMP 00180804 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!UnhookWindowsHookEx               776F98DB 5 Bytes  JMP 00180A08 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!SetWinEventHook                   776F9F3A 5 Bytes  JMP 001801F8 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[2896] USER32.dll!UnhookWinEvent                    776FC06F 5 Bytes  JMP 001803FC 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ntdll.dll!LdrLoadDll                      77CC9378 5 Bytes  JMP 001501F8 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] ntdll.dll!LdrUnloadDll                    77CDB680 5 Bytes  JMP 001503FC 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] KERNEL32.dll!GetBinaryTypeW + 70          77E72447 1 Byte  [62]
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!SetWindowsHookExA              776F6322 5 Bytes  JMP 00160600 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!SetWindowsHookExW              776F87AD 5 Bytes  JMP 00160804 
.text   C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2952] USER32.dll!UnhookWindowsHookEx            776F98DB 5 Bytes  JMP 00160A08 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ntdll.dll!LdrLoadDll                                               77CC9378 5 Bytes  JMP 000A01F8 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ntdll.dll!LdrUnloadDll                                             77CDB680 5 Bytes  JMP 000A03FC 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] KERNEL32.dll!GetBinaryTypeW + 70                                   77E72447 1 Byte  [62]
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!CreateServiceW                                        76609EB4 5 Bytes  JMP 000B03FC 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!DeleteService                                         7660A07E 5 Bytes  JMP 000B0600 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!SetServiceObjectSecurity                              76646CD9 5 Bytes  JMP 000B1014 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfigA                                  76646DD9 5 Bytes  JMP 000B0804 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfigW                                  76646F81 5 Bytes  JMP 000B0A08 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfig2A                                 76647099 5 Bytes  JMP 000B0C0C 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!ChangeServiceConfig2W                                 766471E1 5 Bytes  JMP 000B0E10 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] ADVAPI32.dll!CreateServiceA                                        766472A1 5 Bytes  JMP 000B01F8 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWindowsHookExA                                       776F6322 5 Bytes  JMP 000C0600 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWindowsHookExW                                       776F87AD 5 Bytes  JMP 000C0804 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!UnhookWindowsHookEx                                     776F98DB 5 Bytes  JMP 000C0A08 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!SetWinEventHook                                         776F9F3A 5 Bytes  JMP 000C01F8 
.text   C:\Program Files\Windows Defender\MSASCui.exe[3848] USER32.dll!UnhookWinEvent                                          776FC06F 5 Bytes  JMP 000C03FC 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ntdll.dll!LdrLoadDll                                             77CC9378 5 Bytes  JMP 001701F8 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ntdll.dll!LdrUnloadDll                                           77CDB680 5 Bytes  JMP 001703FC 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] KERNEL32.dll!GetBinaryTypeW + 70                                 77E72447 1 Byte  [62]
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!SetWindowsHookExA                                     776F6322 5 Bytes  JMP 00180600 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!SetWindowsHookExW                                     776F87AD 5 Bytes  JMP 00180804 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!UnhookWindowsHookEx                                   776F98DB 5 Bytes  JMP 00180A08 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!SetWinEventHook                                       776F9F3A 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] USER32.dll!UnhookWinEvent                                        776FC06F 5 Bytes  JMP 001803FC 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!CreateServiceW                                      76609EB4 5 Bytes  JMP 001903FC 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!DeleteService                                       7660A07E 3 Bytes  JMP 00190600 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!DeleteService + 4                                   7660A082 1 Byte  [89]
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!SetServiceObjectSecurity                            76646CD9 5 Bytes  JMP 00191014 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfigA                                76646DD9 5 Bytes  JMP 00190804 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfigW                                76646F81 5 Bytes  JMP 00190A08 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfig2A                               76647099 5 Bytes  JMP 00190C0C 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!ChangeServiceConfig2W                               766471E1 5 Bytes  JMP 00190E10 
.text   C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3984] ADVAPI32.dll!CreateServiceA                                      766472A1 5 Bytes  JMP 001901F8 
.text   C:\Windows\System32\igfxpers.exe[3992] ntdll.dll!LdrLoadDll                                                            77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Windows\System32\igfxpers.exe[3992] ntdll.dll!LdrUnloadDll                                                          77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Windows\System32\igfxpers.exe[3992] KERNEL32.dll!GetBinaryTypeW + 70                                                77E72447 1 Byte  [62]
.text   C:\Windows\System32\igfxpers.exe[3992] USER32.dll!SetWindowsHookExA                                                    776F6322 5 Bytes  JMP 00170600 
.text   C:\Windows\System32\igfxpers.exe[3992] USER32.dll!SetWindowsHookExW                                                    776F87AD 5 Bytes  JMP 00170804 
.text   C:\Windows\System32\igfxpers.exe[3992] USER32.dll!UnhookWindowsHookEx                                                  776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Windows\System32\igfxpers.exe[3992] USER32.dll!SetWinEventHook                                                      776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Windows\System32\igfxpers.exe[3992] USER32.dll!UnhookWinEvent                                                       776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!CreateServiceW                                                     76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!DeleteService                                                      7660A07E 5 Bytes  JMP 00180600 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!SetServiceObjectSecurity                                           76646CD9 5 Bytes  JMP 00181014 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfigA                                               76646DD9 5 Bytes  JMP 00180804 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfigW                                               76646F81 5 Bytes  JMP 00180A08 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfig2A                                              76647099 5 Bytes  JMP 00180C0C 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!ChangeServiceConfig2W                                              766471E1 5 Bytes  JMP 00180E10 
.text   C:\Windows\System32\igfxpers.exe[3992] ADVAPI32.dll!CreateServiceA                                                     766472A1 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ntdll.dll!LdrLoadDll                                    77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ntdll.dll!LdrUnloadDll                                  77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] KERNEL32.dll!GetBinaryTypeW + 70                        77E72447 1 Byte  [62]
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!CreateServiceW                             76609EB4 5 Bytes  JMP 001703FC 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!DeleteService                              7660A07E 5 Bytes  JMP 00170600 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!SetServiceObjectSecurity                   76646CD9 5 Bytes  JMP 00171014 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfigA                       76646DD9 5 Bytes  JMP 00170804 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfigW                       76646F81 5 Bytes  JMP 00170A08 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfig2A                      76647099 5 Bytes  JMP 00170C0C 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!ChangeServiceConfig2W                      766471E1 5 Bytes  JMP 00170E10 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] ADVAPI32.dll!CreateServiceA                             766472A1 5 Bytes  JMP 001701F8 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!SetWindowsHookExA                            776F6322 5 Bytes  JMP 00190600 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!SetWindowsHookExW                            776F87AD 5 Bytes  JMP 00190804 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!UnhookWindowsHookEx                          776F98DB 5 Bytes  JMP 00190A08 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!SetWinEventHook                              776F9F3A 5 Bytes  JMP 001901F8 
.text   C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe[4352] USER32.dll!UnhookWinEvent                               776FC06F 5 Bytes  JMP 001903FC 
.text   C:\Users\Astrid\Desktop\gmer_2.1.19163.exe[4472] kernel32.dll!GetBinaryTypeW + 70                                      77E72447 1 Byte  [62]
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ntdll.dll!LdrLoadDll                             77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ntdll.dll!LdrUnloadDll                           77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] KERNEL32.dll!GetBinaryTypeW + 70                 77E72447 1 Byte  [62]
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!CreateServiceW                      76609EB4 5 Bytes  JMP 000703FC 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!DeleteService                       7660A07E 5 Bytes  JMP 00070600 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!SetServiceObjectSecurity            76646CD9 5 Bytes  JMP 00071014 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfigA                76646DD9 5 Bytes  JMP 00070804 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfigW                76646F81 5 Bytes  JMP 00070A08 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfig2A               76647099 5 Bytes  JMP 00070C0C 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!ChangeServiceConfig2W               766471E1 5 Bytes  JMP 00070E10 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] ADVAPI32.dll!CreateServiceA                      766472A1 5 Bytes  JMP 000701F8 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!SetWindowsHookExA                     776F6322 5 Bytes  JMP 001E0600 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!SetWindowsHookExW                     776F87AD 5 Bytes  JMP 001E0804 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!UnhookWindowsHookEx                   776F98DB 5 Bytes  JMP 001E0A08 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!SetWinEventHook                       776F9F3A 5 Bytes  JMP 001E01F8 
.text   C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe[4832] USER32.dll!UnhookWinEvent                        776FC06F 5 Bytes  JMP 001E03FC 
.text   C:\Windows\system32\SearchProtocolHost.exe[5232] kernel32.dll!GetBinaryTypeW + 70                                      77E72447 1 Byte  [62]
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ntdll.dll!LdrLoadDll                       77CC9378 5 Bytes  JMP 000501F8 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ntdll.dll!LdrUnloadDll                     77CDB680 5 Bytes  JMP 000503FC 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] KERNEL32.dll!GetBinaryTypeW + 70           77E72447 1 Byte  [62]
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!CreateServiceW                76609EB4 5 Bytes  JMP 000603FC 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!DeleteService                 7660A07E 5 Bytes  JMP 00060600 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!SetServiceObjectSecurity      76646CD9 5 Bytes  JMP 00061014 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfigA          76646DD9 5 Bytes  JMP 00060804 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfigW          76646F81 5 Bytes  JMP 00060A08 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfig2A         76647099 5 Bytes  JMP 00060C0C 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!ChangeServiceConfig2W         766471E1 5 Bytes  JMP 00060E10 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] ADVAPI32.dll!CreateServiceA                766472A1 5 Bytes  JMP 000601F8 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!SetWindowsHookExA               776F6322 5 Bytes  JMP 000B0600 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!SetWindowsHookExW               776F87AD 5 Bytes  JMP 000B0804 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!UnhookWindowsHookEx             776F98DB 5 Bytes  JMP 000B0A08 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!SetWinEventHook                 776F9F3A 5 Bytes  JMP 000B01F8 
.text   C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[5340] USER32.dll!UnhookWinEvent                  776FC06F 5 Bytes  JMP 000B03FC 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ntdll.dll!LdrLoadDll                                             77CC9378 5 Bytes  JMP 000601F8 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ntdll.dll!LdrUnloadDll                                           77CDB680 5 Bytes  JMP 000603FC 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] KERNEL32.dll!GetBinaryTypeW + 70                                 77E72447 1 Byte  [62]
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!SetWindowsHookExA                                     776F6322 5 Bytes  JMP 00170600 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!SetWindowsHookExW                                     776F87AD 5 Bytes  JMP 00170804 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!UnhookWindowsHookEx                                   776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!SetWinEventHook                                       776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] USER32.dll!UnhookWinEvent                                        776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!CreateServiceW                                      76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!DeleteService                                       7660A07E 5 Bytes  JMP 00180600 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!SetServiceObjectSecurity                            76646CD9 5 Bytes  JMP 00181014 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfigA                                76646DD9 5 Bytes  JMP 00180804 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfigW                                76646F81 5 Bytes  JMP 00180A08 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfig2A                               76647099 5 Bytes  JMP 00180C0C 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!ChangeServiceConfig2W                               766471E1 5 Bytes  JMP 00180E10 
.text   C:\Program Files\Citrix\ICA Client\wfcrun32.exe[5540] ADVAPI32.dll!CreateServiceA                                      766472A1 5 Bytes  JMP 001801F8 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ntdll.dll!LdrLoadDll                                            77CC9378 5 Bytes  JMP 001601F8 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ntdll.dll!LdrUnloadDll                                          77CDB680 5 Bytes  JMP 001603FC 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] KERNEL32.dll!GetBinaryTypeW + 70                                77E72447 1 Byte  [62]
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!SetWindowsHookExA                                    776F6322 5 Bytes  JMP 00170600 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!SetWindowsHookExW                                    776F87AD 5 Bytes  JMP 00170804 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!UnhookWindowsHookEx                                  776F98DB 5 Bytes  JMP 00170A08 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!SetWinEventHook                                      776F9F3A 5 Bytes  JMP 001701F8 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] USER32.dll!UnhookWinEvent                                       776FC06F 5 Bytes  JMP 001703FC 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!CreateServiceW                                     76609EB4 5 Bytes  JMP 001803FC 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!DeleteService                                      7660A07E 5 Bytes  JMP 00180600 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!SetServiceObjectSecurity                           76646CD9 5 Bytes  JMP 00181014 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfigA                               76646DD9 5 Bytes  JMP 00180804 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfigW                               76646F81 5 Bytes  JMP 00180A08 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfig2A                              76647099 5 Bytes  JMP 00180C0C 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!ChangeServiceConfig2W                              766471E1 5 Bytes  JMP 00180E10 
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5644] ADVAPI32.dll!CreateServiceA                                     766472A1 5 Bytes  JMP 001801F8 

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs                                                                                                 aswSP.SYS (avast! self protection module/AVAST Software)

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                  unknown MBR code

---- EOF - GMER 2.1 ----

Many thanks in advance for your help.

Alt 25.05.2013, 12:48   #5
aharonov
/// TB Trainer
 



Hi,

let's continue:


Warning: Infostealer

Your logs show that you have picked up malware that specifically targets your sensitive data (usernames, passwords, online banking credentials, etc.).
One cannot know exactly what has been logged, but to be on the safe side I would assume all data and passwords entered on this computer to be compromised.

I would therefore advise you, at the end or from a clean computer, to change all credentials that were used on this computer.



Step 1

Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click on Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click on Scan and wait until it has finished.
  • Now click on Delete and confirm any prompts with OK.
  • Your computer will be restarted automatically. After the restart a text file will open. Post its contents in your next reply.
  • You can also find the log file at C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).



Step 2

Scan with Combofix
WARNING to anyone reading along:
Combofix should only be run when a team member has instructed you to do so!

Please download Combofix from the following download mirror: Link
  • IMPORTANT: Save Combofix to your desktop.
  • Please disable all your antivirus software as well as any malware/spyware scanners. They can interfere with Combofix's work. Combofix sometimes complains anyway; you can ignore that, but please tell me about it.
  • Start Combofix.exe and follow the instructions on screen.
  • While Combofix is running, do not work on the computer, move the mouse or click into the Combofix window!
  • When Combofix has finished, it will create a log file.
  • Please post C:\Combofix.txt in your next reply (in CODE tags if possible).
Note: If you get the following error message after the restart
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
simply restart the computer. That should fix the problem.




Step 3
  • Please start OTL.exe.
  • Now copy the contents of the code box into the text box.
Code:
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths" /s /c
  • Please close all other programs.
  • Tick the box Scan all Users.
  • Press the Quick Scan button.
  • Post the contents of OTL.txt here in the thread.



Please post in your next reply:
  • AdwCleaner log
  • Combofix log
  • OTL log

__________________
cheers,
Leo
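
Added here as an example, not part of the thread and not code from OTL, AdwCleaner or Combofix: a PowerShell script that reads the same Software Restriction Policy (SRP) key that the OTL reg query in Step 3 dumps, lists every path rule with its security level, and flags Disallowed rules that name security products. The product-name list is an assumption taken from the tools mentioned in this thread.

```powershell
# Added example for this thread (not from aharonov's instructions, OTL, AdwCleaner or Combofix).
# Lists the Software Restriction Policy (SRP) path rules under the key the OTL "reg query"
# step dumps, with their security level, so that rules which malware dropped to block
# security software (the cause of the "blocked by group policy" message) can be told apart
# from rules an administrator set on purpose. Run from an elevated PowerShell.

$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, keyed by the subkey name they use under CodeIdentifiers.
$SrpLevels = @{
    '0'      = 'Disallowed'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}

# Assumption: product names taken from the tools named in this thread. A Disallowed rule
# whose path contains one of them deserves a closer look.
$SecurityProducts = @('avira', 'avast', 'malwarebytes', 'mbam', 'combofix', 'adwcleaner')

function Get-SrpPathRule {
    # Returns one object per path rule; returns nothing when SRP is not configured at all.
    if (-not (Test-Path -Path $SrpBase)) { return }
    foreach ($level in $SrpLevels.Keys) {
        $pathsKey = Join-Path -Path $SrpBase -ChildPath "$level\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $rule.PSPath
            $modified = $null
            # LastModified is stored as a REG_QWORD FILETIME when the rule carries it.
            if ($props.PSObject.Properties['LastModified']) {
                $modified = [DateTime]::FromFileTime([int64]$props.LastModified)
            }
            [pscustomobject]@{
                Level        = $SrpLevels[$level]
                RuleId       = $rule.PSChildName
                Path         = $props.ItemData      # path or pattern the rule applies to
                Description  = $props.Description
                LastModified = $modified
            }
        }
    }
}

function Test-SuspiciousSrpRule {
    # True for a Disallowed rule whose path names one of the security products above.
    param([Parameter(Mandatory = $true)] $Rule)
    if ($Rule.Level -ne 'Disallowed' -or -not $Rule.Path) { return $false }
    $lowerPath = $Rule.Path.ToLower()
    foreach ($name in $SecurityProducts) {
        if ($lowerPath.Contains($name)) { return $true }
    }
    return $false
}

$rules = @(Get-SrpPathRule)

# DefaultLevel tells whether everything not covered by a rule is allowed or blocked.
$defaultLevel = (Get-ItemProperty -Path $SrpBase -ErrorAction SilentlyContinue).DefaultLevel
$defaultName = 'not set (SRP inactive)'
if ($null -ne $defaultLevel) {
    $defaultName = if ($SrpLevels.ContainsKey("$defaultLevel")) { $SrpLevels["$defaultLevel"] } else { "unknown ($defaultLevel)" }
}
Write-Host "SRP DefaultLevel: $defaultName"
Write-Host "Path rules found: $($rules.Count)"

$rules | Sort-Object Level, Path | Format-Table Level, Path, Description, LastModified -AutoSize

$suspicious = @($rules | Where-Object { Test-SuspiciousSrpRule -Rule $_ })
if ($suspicious.Count -gt 0) {
    Write-Host ''
    Write-Host 'Disallowed rules that name security tools (review before removing; a domain GPO re-applies its own rules):'
    $suspicious | Format-Table RuleId, Path, LastModified -AutoSize
}
```

A machine that is not joined to a domain and has no locally configured SRP normally has no rules under this key at all, so any Disallowed path rule there is worth explaining.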

Alt 27.05.2013, 20:12   #6
uuuuuvex
 



Hello Leo,

I have now run all the scans. Here are the log files.
Combofix reported that Avira is still active and could interfere with its execution. That was exactly my problem, since I could no longer access Avira. I confirmed the message.

Code:
# AdwCleaner v2.301 - Datei am 25/05/2013 um 14:03:11 erstellt
# Aktualisiert am 16/05/2013 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : xxx - xxx-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\xxx\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\SearchTheWeb.xml
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\bProtector_extensions.rdf
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\bprotector_extensions.sqlite
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\extensions\movie2kdownloader@movie2kdownloader.com.xpi
Datei Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\searchplugins\delta.xml
Datei Gelöscht : C:\Users\xxx\Desktop\eBay.lnk
Ordner Gelöscht : C:\Program Files\ICQ6Toolbar
Ordner Gelöscht : C:\Program Files\Iminent
Ordner Gelöscht : C:\Program Files\Movie2KDownloader.com
Ordner Gelöscht : C:\Program Files\Optimizer Pro
Ordner Gelöscht : C:\Program Files\Video Downloader
Ordner Gelöscht : C:\ProgramData\Ask
Ordner Gelöscht : C:\ProgramData\Babylon
Ordner Gelöscht : C:\ProgramData\boost_interprocess
Ordner Gelöscht : C:\ProgramData\BrowserProtect
Ordner Gelöscht : C:\ProgramData\ICQ\ICQToolbar
Ordner Gelöscht : C:\ProgramData\Iminent
Ordner Gelöscht : C:\Users\xxx\AppData\Local\SwvUpdater
Ordner Gelöscht : C:\Users\xxx\AppData\Local\Temp\Iminent
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\BabSolution
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Babylon
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\extensions\ffxtlbr@delta.com
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\jetpack
Ordner Gelöscht : C:\Users\xxx\AppData\Roaming\Optimizer Pro

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Schlüssel Gelöscht : HKCU\Software\YahooPartnerToolbar
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16483

Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://search.icq.com/search/results.php?q={searchTerms}&ch_id=osd --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (de)

Datei : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\prefs.js

C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\user.js ... Gelöscht !

Gelöscht : user_pref("browser.search.order.1", "Ask.com");

*************************

AdwCleaner[S1].txt - [4070 octets] - [25/05/2013 14:03:11]

########## EOF - C:\AdwCleaner[S1].txt - [4130 octets] ##########

Code:
ComboFix 13-05-27.02 - xxx 27.05.2013  20:42:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.3001.1392 [GMT 2:00]
ausgeführt von:: c:\users\xxx\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Im Speicher befindliches AV aktiv.
.
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\xxx\4.0
c:\users\xxx\4.0\a\April.JPG
c:\users\xxx\4.0\a\August.JPG
c:\users\xxx\4.0\a\Deckblatt.JPG
c:\users\xxx\4.0\a\Februar.JPG
c:\users\xxx\4.0\a\Foto339.jpg
c:\users\xxx\4.0\a\Januar.JPG
c:\users\xxx\4.0\a\Juli.JPG
c:\users\xxx\4.0\a\Juni.jpg
c:\users\xxx\4.0\a\Mai.JPG
c:\users\xxx\4.0\a\März.JPG
c:\users\xxx\4.0\a\November.JPG
c:\users\xxx\4.0\a\Oktober.JPG
c:\users\xxx\4.0\a\September.JPG
c:\users\xxx\AppData\Roaming\Galyy
c:\users\xxx\AppData\Roaming\Galyy\soihx.rao
c:\users\xxx\AppData\Roaming\Microsoft\Windows\Recent\Citrix over Internet(1).url
c:\users\xxx\AppData\Roaming\Microsoft\Windows\Recent\Citrix over Internet.url
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-04-27 bis 2013-05-27  ))))))))))))))))))))))))))))))
.
.
2013-05-27 18:52 . 2013-05-27 18:52	--------	d-----w-	c:\users\xxx\AppData\Local\temp
2013-05-27 18:52 . 2013-05-27 18:52	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-05-24 19:09 . 2013-05-24 19:09	--------	d-----w-	c:\users\xxx\AppData\Roaming\Malwarebytes
2013-05-24 19:08 . 2013-05-24 19:08	--------	d-----w-	c:\programdata\Malwarebytes
2013-05-24 19:08 . 2013-05-24 19:09	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2013-05-24 19:08 . 2013-04-04 12:50	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-05-24 18:45 . 2013-05-13 06:19	7016152	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{9AF1852B-4F42-4C9F-99B5-FD0B55E9C72C}\mpengine.dll
2013-05-18 12:20 . 2013-05-09 08:59	29816	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2013-05-18 12:20 . 2013-05-09 08:59	368944	----a-w-	c:\windows\system32\drivers\aswSP.sys
2013-05-18 12:20 . 2013-05-09 08:59	56080	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2013-05-18 12:20 . 2013-05-09 08:59	49760	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2013-05-18 12:20 . 2013-05-09 08:59	765736	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2013-05-18 12:20 . 2013-05-09 08:59	174664	----a-w-	c:\windows\system32\drivers\aswVmm.sys
2013-05-18 12:20 . 2013-05-09 08:59	49376	----a-w-	c:\windows\system32\drivers\aswRvrt.sys
2013-05-18 12:20 . 2013-05-09 08:59	66336	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2013-05-18 12:20 . 2013-05-09 08:58	229648	----a-w-	c:\windows\system32\aswBoot.exe
2013-05-18 12:18 . 2013-05-09 08:58	41664	----a-w-	c:\windows\avastSS.scr
2013-05-18 12:17 . 2013-05-18 12:17	--------	d-----w-	c:\program files\AVAST Software
2013-05-18 12:16 . 2013-05-18 12:17	--------	d-----w-	c:\programdata\AVAST Software
2013-05-15 19:15 . 2013-05-05 19:12	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2013-05-15 14:37 . 2013-04-15 14:20	638328	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 14:37 . 2013-04-13 10:56	37376	----a-w-	c:\windows\system32\cdd.dll
2013-05-15 14:37 . 2013-04-09 01:36	2049024	----a-w-	c:\windows\system32\win32k.sys
2013-05-08 01:12 . 2013-05-08 01:12	106088	----a-w-	c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-05-01 11:35 . 2013-05-18 13:40	--------	d-----w-	c:\users\xxx\AppData\Roaming\Cuelle
2013-05-01 11:35 . 2013-05-18 12:58	--------	d-----w-	c:\users\xxx\AppData\Roaming\Ogvuuq
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 14:49 . 2012-05-23 17:05	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-05-15 14:49 . 2011-05-20 19:07	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2009-10-06 15:46	238872	------w-	c:\windows\system32\MpSigStub.exe
2013-04-07 10:04 . 2013-04-07 10:04	94112	----a-w-	c:\windows\system32\WindowsAccessBridge.dll
2013-04-07 10:04 . 2012-07-12 10:26	861088	----a-w-	c:\windows\system32\npDeployJava1.dll
2013-04-07 10:04 . 2010-05-24 16:23	782240	----a-w-	c:\windows\system32\deployJava1.dll
2013-04-01 11:23 . 2012-10-15 15:06	84744	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-04-01 11:23 . 2012-10-15 15:06	37352	----a-w-	c:\windows\system32\drivers\avkmgr.sys
2013-04-01 11:23 . 2012-10-15 15:06	135136	----a-w-	c:\windows\system32\drivers\avipbb.sys
2013-03-11 13:25 . 2013-04-10 16:22	3603816	----a-w-	c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25 . 2013-04-10 16:22	3551080	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45 . 2013-04-10 16:22	49152	----a-w-	c:\windows\system32\csrsrv.dll
2013-03-09 01:28 . 2013-04-10 16:22	64000	----a-w-	c:\windows\system32\smss.exe
2013-03-08 03:53 . 2013-04-10 16:22	376320	----a-w-	c:\windows\system32\winsrv.dll
2013-03-08 03:52 . 2013-04-10 16:22	2067968	----a-w-	c:\windows\system32\mstscax.dll
2013-03-03 19:07 . 2013-04-10 16:22	1082232	----a-w-	c:\windows\system32\drivers\ntfs.sys
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58	121968	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 68856]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-12-20 1476104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 768520]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-27 6244896]
"Skytel"="Skytel.exe" [2008-06-27 1826816]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2012-05-23 371896]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-12-20 310280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
.
c:\users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2013-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 14:49]
.
2013-05-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-13 17:39]
.
2013-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-13 17:55]
.
2013-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-13 17:55]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://go.web.de/tb/ie_startpage
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
Handler: webde - {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - c:\program files\WEB.DE Toolbar\IE\uitb.dll
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab
FF - ProfilePath - c:\users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\z9rne1fk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-05-18 14:19; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: !HIDDEN! 2009-09-02 20:23; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKCU-Run-KiesAirMessage - c:\program files\Samsung\Kies\KiesAirMessage.exe
HKCU-Run-Uxxyduubm - c:\users\xxx\AppData\Roaming\Cuelle\cihoy.exe
HKLM-Run-eRecoveryService - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-PokerStars.net - c:\program files\PokerStars.NET\PokerStarsUninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2013-05-27 20:52
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteinträge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2013-05-27  20:55:47
ComboFix-quarantined-files.txt  2013-05-27 18:55
.
Vor Suchlauf: 9 Verzeichnis(se), 185.033.314.304 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 186.709.688.320 Bytes frei
.
- - End Of File - - 4330BF6A2BF07E73F3FA781666708CE3

and here is the OTL log as well

Code:
OTL logfile created on: 27.05.2013 21:06:56 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop\Malwarebereinigung
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,93 Gb Total Physical Memory | 1,74 Gb Available Physical Memory | 59,45% Memory free
6,06 Gb Paging File | 4,83 Gb Available in Paging File | 79,73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 173,83 Gb Free Space | 60,34% Space Free | Partition Type: NTFS
 
Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\Malwarebereinigung\OTL.exe
PRC - [2013.05.20 20:03:33 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2013.05.09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2013.04.01 13:23:17 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2013.04.01 13:23:01 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013.04.01 13:22:58 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012.12.20 19:44:28 | 000,310,280 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Programme\Samsung\Kies\KiesTrayAgent.exe
PRC - [2012.12.20 19:44:26 | 001,476,104 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\Kies.exe
PRC - [2012.05.23 08:57:30 | 000,871,608 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\wfcrun32.exe
PRC - [2012.05.23 08:54:42 | 000,371,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\concentr.exe
PRC - [2012.04.05 11:11:18 | 001,144,704 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\Receiver\Receiver.exe
PRC - [2012.04.03 11:00:24 | 000,051,128 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\SelfServicePlugin\SelfServicePlugin.exe
PRC - [2009.11.02 03:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Programme\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.07.25 06:18:26 | 000,768,520 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.exe
PRC - [2008.06.27 12:33:18 | 006,244,896 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2007.08.24 05:45:42 | 000,101,784 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.05.20 20:03:31 | 003,128,728 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll
MOD - [2012.12.20 19:41:18 | 012,976,640 | ---- | M] () -- C:\Programme\Samsung\Kies\Theme\Kies.Theme.dll
MOD - [2012.12.20 13:31:44 | 000,572,416 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.UI.dll
MOD - [2012.12.18 11:35:44 | 000,034,816 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.Common.DeviceServiceLib.Interface.dll
MOD - [2012.12.18 11:35:06 | 000,023,040 | ---- | M] () -- C:\Programme\Samsung\Kies\MVVM\Kies.MVVM.dll
MOD - [2012.12.18 11:07:10 | 000,057,856 | ---- | M] () -- C:\Programme\Samsung\Kies\External\MediaModules\ASF_cSharpAPI.dll
MOD - [2012.12.12 07:34:13 | 005,025,792 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
MOD - [2012.10.05 12:59:03 | 003,194,880 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012.10.05 12:59:03 | 000,630,784 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
MOD - [2012.08.31 13:01:10 | 004,550,656 | ---- | M] () -- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
MOD - [2012.02.13 13:02:15 | 001,249,280 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
MOD - [2012.02.13 13:02:09 | 005,283,840 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2012.02.13 13:02:04 | 004,214,784 | ---- | M] () -- C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
MOD - [2009.06.13 14:34:17 | 000,667,648 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
MOD - [2009.03.30 06:42:20 | 002,048,000 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2009.03.30 06:42:19 | 000,303,104 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2009.03.30 06:42:19 | 000,114,688 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2009.03.30 06:42:17 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2009.03.30 06:42:12 | 000,040,960 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll
MOD - [2009.03.30 06:42:10 | 000,010,752 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
MOD - [2003.06.07 07:30:08 | 000,057,344 | ---- | M] () -- C:\Programme\Launch Manager\PowerUtl.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013.05.20 20:03:32 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.15 16:49:47 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013.04.01 13:23:17 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.04.01 13:22:58 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.08.24 04:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\xxx\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2013.04.01 13:23:19 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2013.04.01 13:23:19 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2013.04.01 13:23:19 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2012.09.20 06:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.09.20 06:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.08.27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2012.05.17 08:14:58 | 000,067,960 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008.06.11 12:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.06.10 12:54:36 | 000,123,904 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.03.17 11:05:30 | 000,101,632 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007.04.17 21:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006.11.02 15:27:34 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Programme\Launch Manager\DPortIO.sys -- (DritekPortIO)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.web.de/tb/ie_startpage
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes,DefaultScope = {CEE438B0-8D23-43BD-AAAF-0823A494B43B}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0C9BE677-668C-44B7-9BF4-60D03EB5C683}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{84EE01E4-BB12-412E-8548-DBB48CE4C558}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=7216D071-F749-4970-9500-BC9DA7BE6D9A&apn_sauid=37FBC488-8C66-4DF7-9809-1DABE7B9D46E
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{89FAD86A-4F5A-4459-89BD-2384D21B171E}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{BFCB5309-6270-4E5C-9372-E669C681DD8C}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{CEE438B0-8D23-43BD-AAAF-0823A494B43B}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW_de
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{EA6DBBB1-372A-4F57-A46D-B6E2F642C4C7}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:2.2.8.307
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.05.18 14:19:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2012.10.19 20:10:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Extensions
[2013.05.25 14:03:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions
[2013.05.16 18:10:01 | 000,000,000 | ---D | M] (WOT) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013.03.26 20:22:35 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\donottrackplus@abine.com
[2012.11.10 23:31:11 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2012.10.19 20:16:29 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013.03.07 02:06:18 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js
[2011.10.13 17:19:44 | 000,000,855 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\1und1-suche.xml
[2011.10.10 15:27:30 | 000,001,281 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\amazondotcom-de.xml
[2011.10.10 14:59:22 | 000,002,364 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\eBay-de.xml
[2011.10.13 17:01:56 | 000,010,507 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\gmx-suche.xml
[2011.10.10 15:12:38 | 000,002,385 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\lastminute.xml
[2011.10.13 17:34:10 | 000,002,248 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\mailcom-search.xml
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe (Samsung)
O4 - Startup: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Astrid\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/canvasx.cab (CanvasX Class)
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab (JordanUploader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.17.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4DE48291-937F-4F23-A3D0-13D377260A3F}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6094CB2C-98BC-4A93-A44B-D3DB86A05EE3}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.05.27 20:55:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\temp
[2013.05.27 20:39:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013.05.27 20:39:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013.05.27 20:39:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013.05.27 20:39:47 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013.05.27 20:38:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013.05.27 20:37:49 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013.05.25 11:20:54 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Malwarebereinigung
[2013.05.24 21:09:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Malwarebytes
[2013.05.24 21:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.05.24 21:08:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.05.24 21:08:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013.05.24 21:08:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013.05.20 20:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.05.18 14:20:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013.05.18 14:20:42 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.18 14:20:41 | 000,368,944 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.18 14:20:37 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.18 14:20:37 | 000,049,760 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.18 14:20:36 | 000,765,736 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.18 14:20:29 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.18 14:20:28 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2013.05.18 14:18:40 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.18 14:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013.05.18 14:16:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013.05.17 18:42:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hochzeit xxx und Mario 11.05.13
[2013.05.17 18:35:42 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hamburg 28.02.-01.03.13
[2013.05.01 15:05:43 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Bridge
[2013.05.01 15:00:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Spiegel
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
[2013.05.01 13:35:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Cuelle
 
========== Files - Modified Within 30 Days ==========
 
[2013.05.27 21:02:35 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2013.05.27 21:02:23 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.05.27 21:02:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.05.27 21:02:05 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.05.27 21:01:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.05.27 21:01:51 | 3147,841,536 | -HS- | M] () -- C:\hiberfil.sys
[2013.05.27 20:55:14 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.05.27 20:49:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.05.27 19:31:36 | 000,002,180 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2013.05.27 18:17:32 | 000,020,992 | ---- | M] () -- C:\Users\xxx\Documents\Prinzessinnengeld1.xlr
[2013.05.25 12:19:00 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2013.05.24 23:01:54 | 325,024,979 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013.05.24 21:36:00 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable
[2013.05.22 21:07:17 | 000,025,600 | ---- | M] () -- C:\Users\xxx\Documents\Geld 2012 Bär.xlr
[2013.05.18 14:20:44 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013.05.18 12:25:27 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013.05.17 18:31:08 | 000,623,280 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.05.17 18:31:08 | 000,591,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.05.17 18:31:08 | 000,125,378 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.05.17 18:31:08 | 000,103,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.05.16 16:25:35 | 000,340,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.13 21:07:19 | 000,030,727 | ---- | M] () -- C:\Users\xxx\Documents\Waage.ods
[2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.09 10:59:10 | 000,174,664 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.09 10:59:10 | 000,049,376 | ---- | M] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.09 10:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.09 10:58:28 | 000,229,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
 
========== Files Created - No Company Name ==========
 
[2013.05.27 20:39:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013.05.27 20:39:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013.05.27 20:39:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013.05.27 20:39:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013.05.27 20:39:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013.05.24 21:36:00 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable
[2013.05.18 14:20:44 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:35 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.18 14:20:34 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.02.16 22:35:03 | 000,016,311 | ---- | C] () -- C:\Users\xxx\.TransferManager.db
[2013.01.27 12:24:29 | 000,000,246 | ---- | C] () -- C:\Windows\wininit.ini
[2012.12.18 11:06:10 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2012.12.18 11:06:06 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2012.12.18 11:06:06 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2012.12.18 11:06:06 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2012.12.18 11:06:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2012.09.18 17:31:20 | 000,000,857 | ---- | C] () -- C:\Users\xxx\.recently-used.xbel
[2011.03.13 20:55:05 | 000,000,680 | ---- | C] () -- C:\Users\xxx\AppData\Local\d3d9caps.dat
[2010.02.09 19:13:58 | 000,005,184 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009.07.15 17:35:28 | 000,002,180 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2009.06.15 19:09:41 | 000,026,624 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2011.12.19 17:35:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\1&1 Mail & Media GmbH
[2013.03.29 16:29:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\AnvSoft
[2013.05.18 15:40:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Cuelle
[2013.05.27 21:04:55 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Dropbox
[2011.12.17 10:21:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\fotobuch.de AG
[2012.09.18 17:31:20 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\gtk-2.0
[2012.09.07 17:50:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICAClient
[2012.05.28 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICQ
[2009.06.13 22:45:08 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\InterVideo
[2012.09.26 17:06:06 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Langenscheidt
[2013.05.18 14:58:03 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
[2009.08.27 19:05:39 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\OpenOffice.org
[2013.02.16 20:29:31 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Samsung
[2010.09.30 19:21:04 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Template
[2009.06.13 14:03:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vodafone
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths" /s /c >
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{02335D42-EEBF-465A-832D-D0E893B5502E}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{045ACDBB-9378-4937-9BD1-E934D79571E1}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{0CE8F104-3858-4825-8E18-42F97D6F29A4}
    ItemData    REG_SZ    C:\Program Files\Avira
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{22A369DF-3092-4523-A515-5F61AB4AB28F}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Avira
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{B7D697E3-B419-4E64-995A-6743359F2B8A}
    ItemData    REG_SZ    C:\Program Files\Common Files\Symantec Shared
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{ECF69C10-DC81-4CA5-8BB2-E8523F7C9561}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:CF5C4195
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:8AB6C1D7

< End of report >
         

Last edited by uuuuuvex (27.05.2013 at 20:43)

Old 27.05.2013, 21:17   #7
aharonov
/// TB Trainer
 
Before we continue:

Quote:
c:\users\xxx\4.0
c:\users\xxx\4.0\a\April.JPG
c:\users\xxx\4.0\a\August.JPG
....
Do you still need this folder that Combofix deleted, with the pictures it contained, or not?
__________________
cheers,
Leo

Old 28.05.2013, 18:06   #8
uuuuuvex
 
No, I don't need it anymore.

Old 28.05.2013, 18:12   #9
aharonov
/// TB Trainer
 
OK, then let's continue.

After the following step, can you access Avira normally again? If so, uninstall one of the two antivirus programs (avast or Avira, whichever), so that only one is running.


Step 1

Fix with OTL

  • Please start OTL.exe.
  • Now copy the contents of the code box into the text box.
Code:
:OTL
[2013.05.18 15:40:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Cuelle
[2013.05.18 14:58:03 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Ogvuuq
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:CF5C4195
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:8AB6C1D7
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{84EE01E4-BB12-412E-8548-DBB48CE4C558}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=7216D071-F749-4970-9500-BC9DA7BE6D9A&apn_sauid=37FBC488-8C66-4DF7-9809-1DABE7B9D46E

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{02335D42-EEBF-465A-832D-D0E893B5502E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{045ACDBB-9378-4937-9BD1-E934D79571E1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{0CE8F104-3858-4825-8E18-42F97D6F29A4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{22A369DF-3092-4523-A515-5F61AB4AB28F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{B7D697E3-B419-4E64-995A-6743359F2B8A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{ECF69C10-DC81-4CA5-8BB2-E8523F7C9561}]

:commands
[emptytemp]
         
  • If you have obscured your user name, e.g. with "*****", insert your real user name in the corresponding places. Otherwise the fix will not work.
  • Now please close all programs.
  • Now please click the Fix button.
  • OTL may require a restart. Please allow it.
  • After the restart you will find a text document on your desktop.
    (Also found under C:\_OTL\MovedFiles\<Uhrzeit_Datum>.txt)
    Now copy its contents here into your thread.



Please post in your next reply:
  • Fix log from OTL
__________________
cheers,
Leo
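The custom scan in the OTL log (the `reg query` of `safer\codeidentifiers\0\Paths`) and the `:reg` section of the fix both revolve around Software Restriction Policy path rules: under `codeidentifiers` the numeric subkey is the SRP security level, and `0` is Disallowed, so a path rule there for `C:\Program Files\Avira` is exactly what produces the "blocked by group policy" message. As an added example that is not part of this thread or of OTL, the Python script below parses that `reg query` output and flags Disallowed-level rules whose path names a security product; the vendor-name list and the Unrestricted-level (262144) sample entry with its placeholder GUID are constructed for the example.

```python
r"""Flag Software Restriction Policy (SRP) path rules that disallow security software.

Parses the text printed by
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths" /s
(the format shown in the OTL custom scan). Under codeidentifiers the numeric subkey is the
SRP security level; 0 means Disallowed, so a path rule there blocks every executable below
that path, which is what produced the "blocked by group policy" message in this thread.
"""
import re
from dataclasses import dataclass
from typing import List

# SRP security levels (the WinSafer level IDs used as codeidentifiers subkey names).
SRP_LEVELS = {0: "Disallowed", 0x1000: "Untrusted", 0x10000: "Constrained",
              0x20000: "Basic User", 0x40000: "Unrestricted"}
DISALLOWED = 0

# Directory-name fragments of security products (constructed list for this example).
SECURITY_PRODUCT_HINTS = ("avira", "antivir", "symantec", "norton", "avast",
                          "malwarebytes", "eset", "kaspersky", "mcafee")

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS"
    r"\\(\d+)\\PATHS\\(\{[0-9A-Fa-f-]+\})\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


@dataclass
class PathRule:
    level: int            # SRP security level taken from the subkey name
    guid: str             # rule GUID (the subkey under PATHS)
    item_data: str = ""   # ItemData: the path the rule applies to
    safer_flags: int = 0  # SaferFlags, carried through as reported

    @property
    def level_name(self) -> str:
        return SRP_LEVELS.get(self.level, "unknown(%d)" % self.level)


def parse_reg_query(text: str) -> List[PathRule]:
    """Turn `reg query ... /s` output into one PathRule per GUID subkey."""
    rules: List[PathRule] = []
    current = None
    for raw in text.splitlines():
        key = KEY_RE.match(raw.strip())
        if key:
            current = PathRule(level=int(key.group(1)), guid=key.group(2).upper())
            rules.append(current)
            continue
        value = VALUE_RE.match(raw)
        if current is None or not value:
            continue                                # blank line or unparsed text
        name, _reg_type, data = value.groups()
        if name.lower() == "itemdata":
            current.item_data = data
        elif name.lower() == "saferflags":
            current.safer_flags = int(data, 16)     # reg query prints DWORDs as 0x...
    return rules


def flag_av_blocking_rules(rules: List[PathRule]) -> List[PathRule]:
    """Disallowed-level rules whose path names a security product: the pattern in this thread."""
    return [r for r in rules
            if r.level == DISALLOWED
            and any(hint in r.item_data.lower() for hint in SECURITY_PRODUCT_HINTS)]


def report(text: str) -> List[str]:
    """One human-readable line per suspicious rule, e.g. for pasting into a thread."""
    return ["%s  level=%s  path=%s  SaferFlags=0x%x"
            % (r.guid, r.level_name, r.item_data, r.safer_flags)
            for r in flag_av_blocking_rules(parse_reg_query(text))]


# Sample input: three entries copied from the OTL custom scan in this thread, plus one
# constructed Unrestricted-level (262144) entry with a placeholder GUID for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{0CE8F104-3858-4825-8E18-42F97D6F29A4}
    ItemData    REG_SZ    C:\Program Files\Avira
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{22A369DF-3092-4523-A515-5F61AB4AB28F}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Avira
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{02335D42-EEBF-465A-832D-D0E893B5502E}
    ItemData    REG_SZ    C:\Documents and Settings\All Users\Application Data\Symantec
    SaferFlags    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\262144\PATHS\{00000000-0000-4000-8000-000000000001}
    ItemData    REG_SZ    C:\Program Files\Citrix
    SaferFlags    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for line in report(SAMPLE_REG_QUERY):
        print(line)
```

Run against the real `reg query` output of a machine instead of the sample to get the list of rule GUIDs that a fix like the `:reg` section of this thread would delete; a rule for a product you never installed (here the Symantec paths) is as telling as the Avira ones.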

Old 28.05.2013, 19:13   #10
uuuuuvex
 
I ran the fix with OTL. Unfortunately the PC hung afterwards. I had to switch it off and restart it. The following files were on the desktop:

Code:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[LocalizedFileNames]
Microsoft Office - 60 Day Trial.lnk=@C:\PROGRA~1\MICROS~4\mui\oaa.dll,-103
         
and

Code:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
Launch Internet Explorer Browser.lnk=@%windir%\System32\ie4uinit.exe,-733
         
I now have access to Avira again. Should I uninstall now?

Old 28.05.2013, 19:40   #11
aharonov
/// TB Trainer
 
Hello,

Quote:
Should I uninstall now?
Yes, now uninstall one of the two antivirus programs, so that only one is running.


Step 1
  • Open the program Malwarebytes Anti-Malware.
    Vista and Win7 users: right-click and "Run as administrator".
  • Click Update --> Check for Updates.
  • When the update has finished, on the Scanner tab select the option Perform quick scan and press Scan.
  • When the scan is finished, click Show Results.
  • Make sure all findings are checked and press Remove Selected.
  • Post the log file that opens in Notepad here in the thread.
  • Afterwards you can find the report under the Logs tab.



Step 2


ESET Online Scanner

  • Here you can find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick Yes, I accept the Terms of Use and click Start.
  • Enable "Enable detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • At the end of the scan, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your text editor (illustrated).
  • Post the log file here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset




Step 3

Please download SecurityCheck and:

  • Save it to the desktop.
  • Start SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
Please post its contents here.



Step 4

Please start OTL.exe.
  • Tick Scan all Users.
  • Press the Quick Scan button.
  • Post the contents of OTL.txt here in the thread.



Please post in your next reply:
  • Log from MBAM
  • Log from ESET
  • Log from SecurityCheck
  • Log from OTL
__________________
cheers,
Leo

Old 04.06.2013, 00:23   #12
aharonov
/// TB Trainer
 
Hi,

I haven't received a reply from you for a while. Do you still need help?

If I don't hear from you within the next 24 hours, I will assume the topic has been resolved and delete it from my subscriptions.

Note: We are not finished yet! Even if the symptoms have disappeared, your system may still be infected and have security holes that make a re-infection possible.
__________________
cheers,
Leo

04.06.2013, 16:58   #13
uuuuuvex

Hello Leo,

Please excuse me. I wasn't at home the last few days and couldn't run the online scan (it takes forever, too).
I still need your help and of course want to continue.

04.06.2013, 19:41   #14
aharonov
/// TB-Ausbilder

OK, got it. I'll keep the thread in my subscriptions and wait for the next logs.
__________________
cheers,
Leo

04.06.2013, 20:10   #15
uuuuuvex

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.28.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: xxx-PC [Administrator]

28.05.2013 21:29:13
mbam-log-2013-05-28 (21-29-13).txt

Scan type: Quick scan
Enabled scan options: Memory | Startup | Registry | File system | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Disabled scan options: P2P
Objects scanned: 206844
Time elapsed: 6 minute(s), 53 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 0
(No malicious items detected)

Registry values detected: 0
(No malicious items detected)

Registry data items detected: 0
(No malicious items detected)

Folders detected: 0
(No malicious items detected)

Files detected: 0
(No malicious items detected)

(end)

Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=96d19a1c0329a6469b80d73d47b6c2ad
# engine=13995
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-06-04 06:55:09
# local_time=2013-06-04 08:55:09 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=774 16777213 85 91 1492491 147081981 0 0
# compatibility_mode=5892 16776573 100 100 11209 207904837 0 0
# scanned=236332
# found=4
# cleaned=0
# scan_time=10207
sh=5E3D4BA042327C2390BA9834692572F293E59875 ft=0 fh=0000000000000000 vn="Java/Exploit.Agent.OFT trojan" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\3a5faf18-3485981d"
sh=D943B67D89B95158C5B182B635DA2E2D836DC5AC ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\4054a20-6dfba174"
sh=353AB81FB995049C01067F119A6906D14ADF3495 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\62c122ee-258ff79b"
sh=36EE4188ADB89388D7ED9913E13056BD461F27DD ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\760ee271-2aca0f4a"
Code:
 Results of screen317's Security Check version 0.99.64  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware Version 1.75.0.1300  
 JavaFX 2.1.1    
 Java(TM) 6 Update 29  
 Java 7 Update 17  
 Java version out of Date! 
 Adobe Flash Player 	11.7.700.202  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox (21.0) 
````````Process Check: objlist.exe by Laurent````````  
xxx Desktop Malwarebereinigung SecurityCheck.exe 
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log``````````````````````
Code:
OTL logfile created on: 04.06.2013 21:31:22 - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop\Malwarebereinigung
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,93 Gb Total Physical Memory | 1,27 Gb Available Physical Memory | 43,43% Memory free
6,07 Gb Paging File | 4,67 Gb Available in Paging File | 76,97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,08 Gb Total Space | 176,08 Gb Free Space | 61,12% Space Free | Partition Type: NTFS
 
Computer Name: xxx-PC | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.05.24 21:38:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\Malwarebereinigung\OTL.exe
PRC - [2013.05.20 20:03:33 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2013.05.09 10:58:30 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastUI.exe
PRC - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Programme\AVAST Software\Avast\AvastSvc.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012.12.20 19:44:28 | 000,310,280 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Programme\Samsung\Kies\KiesTrayAgent.exe
PRC - [2012.12.20 19:44:26 | 001,476,104 | ---- | M] (Samsung) -- C:\Programme\Samsung\Kies\Kies.exe
PRC - [2012.05.23 08:57:30 | 000,871,608 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\wfcrun32.exe
PRC - [2012.05.23 08:54:42 | 000,371,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\concentr.exe
PRC - [2012.04.05 11:11:18 | 001,144,704 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\Receiver\Receiver.exe
PRC - [2012.04.03 11:00:24 | 000,051,128 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\SelfServicePlugin\SelfServicePlugin.exe
PRC - [2009.11.02 03:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Programme\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.07.25 06:18:26 | 000,768,520 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.exe
PRC - [2008.06.27 12:33:18 | 006,244,896 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2007.08.24 05:45:42 | 000,101,784 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.05.20 20:03:31 | 003,128,728 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll
MOD - [2012.12.20 19:41:18 | 012,976,640 | ---- | M] () -- C:\Programme\Samsung\Kies\Theme\Kies.Theme.dll
MOD - [2012.12.20 13:31:44 | 000,572,416 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.UI.dll
MOD - [2012.12.18 11:35:44 | 000,034,816 | ---- | M] () -- C:\Programme\Samsung\Kies\Common\Kies.Common.DeviceServiceLib.Interface.dll
MOD - [2012.12.18 11:35:06 | 000,023,040 | ---- | M] () -- C:\Programme\Samsung\Kies\MVVM\Kies.MVVM.dll
MOD - [2012.12.18 11:07:10 | 000,057,856 | ---- | M] () -- C:\Programme\Samsung\Kies\External\MediaModules\ASF_cSharpAPI.dll
MOD - [2012.12.12 07:34:13 | 005,025,792 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
MOD - [2012.10.05 12:59:03 | 003,194,880 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2012.10.05 12:59:03 | 000,630,784 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
MOD - [2012.08.31 13:01:10 | 004,550,656 | ---- | M] () -- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
MOD - [2012.02.13 13:02:15 | 001,249,280 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
MOD - [2012.02.13 13:02:09 | 005,283,840 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2012.02.13 13:02:04 | 004,214,784 | ---- | M] () -- C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
MOD - [2009.06.13 14:34:17 | 000,667,648 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
MOD - [2009.03.30 06:42:20 | 002,048,000 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2009.03.30 06:42:19 | 000,303,104 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2009.03.30 06:42:19 | 000,114,688 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2009.03.30 06:42:17 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2009.03.30 06:42:12 | 000,040,960 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll
MOD - [2009.03.30 06:42:10 | 000,010,752 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
MOD - [2003.06.07 07:30:08 | 000,057,344 | ---- | M] () -- C:\Programme\Launch Manager\PowerUtl.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013.05.20 20:03:32 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.15 16:49:47 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.05.09 10:58:30 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Programme\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008.06.11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Programme\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.08.24 04:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007.01.04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\xxx\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013.05.09 10:59:10 | 000,174,664 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013.05.09 10:59:10 | 000,049,376 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012.09.20 06:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.09.20 06:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.05.17 08:14:58 | 000,067,960 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2008.06.11 12:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008.06.10 12:54:36 | 000,123,904 | ---- | M] (Realtek Corporation                                            ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008.03.17 11:05:30 | 000,101,632 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007.04.17 21:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006.11.02 15:27:34 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Programme\Launch Manager\DPortIO.sys -- (DritekPortIO)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0309&m=e720
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.web.de/tb/ie_startpage
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes,DefaultScope = {CEE438B0-8D23-43BD-AAAF-0823A494B43B}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{0C9BE677-668C-44B7-9BF4-60D03EB5C683}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{89FAD86A-4F5A-4459-89BD-2384D21B171E}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{BFCB5309-6270-4E5C-9372-E669C681DD8C}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{CEE438B0-8D23-43BD-AAAF-0823A494B43B}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW_de
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\SearchScopes\{EA6DBBB1-372A-4F57-A46D-B6E2F642C4C7}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:2.2.8.307
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013.05.18 14:19:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2012.10.19 20:10:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Extensions
[2013.05.25 14:03:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions
[2013.05.16 18:10:01 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Astrid\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013.03.26 20:22:35 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\z9rne1fk.default\extensions\donottrackplus@abine.com
[2012.11.10 23:31:11 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2012.10.19 20:16:29 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013.03.07 02:06:18 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js
[2011.10.13 17:19:44 | 000,000,855 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\1und1-suche.xml
[2011.10.10 15:27:30 | 000,001,281 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\amazondotcom-de.xml
[2011.10.10 14:59:22 | 000,002,364 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\eBay-de.xml
[2011.10.13 17:01:56 | 000,010,507 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\gmx-suche.xml
[2011.10.10 15:12:38 | 000,002,385 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\lastminute.xml
[2011.10.13 17:34:10 | 000,002,248 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\z9rne1fk.default\searchplugins\mailcom-search.xml
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.05.20 20:03:34 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programme\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe (Samsung)
O4 - Startup: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Astrid\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-3376188992-1505599475-3135630170-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/canvasx.cab (CanvasX Class)
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} hxxp://www.photodose.de/ips-opdata/operator/69189345/objects/jordan.cab (JordanUploader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.17.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4DE48291-937F-4F23-A3D0-13D377260A3F}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6094CB2C-98BC-4A93-A44B-D3DB86A05EE3}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Programme\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\xxx\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Astrid\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.05.28 19:58:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2013.05.27 20:55:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013.05.27 20:55:49 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\temp
[2013.05.27 20:39:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013.05.27 20:39:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013.05.27 20:39:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013.05.27 20:39:47 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013.05.27 20:38:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013.05.27 20:37:49 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013.05.25 11:20:54 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Malwarebereinigung
[2013.05.24 21:09:17 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Malwarebytes
[2013.05.24 21:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.05.24 21:08:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.05.24 21:08:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013.05.24 21:08:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013.05.20 20:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.05.18 14:20:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013.05.18 14:20:42 | 000,029,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.18 14:20:41 | 000,368,944 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.18 14:20:37 | 000,056,080 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.18 14:20:37 | 000,049,760 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.18 14:20:36 | 000,765,736 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.18 14:20:29 | 000,066,336 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.18 14:20:28 | 000,229,648 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2013.05.18 14:18:40 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.18 14:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013.05.18 14:16:28 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013.05.17 18:42:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hochzeit xxx und xxx 11.05.13
[2013.05.17 18:35:42 | 000,000,000 | ---D | C] -- C:\Users\xxx\Desktop\Hamburg 28.02.-01.03.13
 
========== Files - Modified Within 30 Days ==========
 
[2013.06.04 21:19:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.06.04 21:19:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.06.04 20:55:01 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.06.04 20:49:06 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.06.04 19:11:25 | 000,020,992 | ---- | M] () -- C:\Users\xxx\Documents\xxxgeld1.xlr
[2013.06.04 19:11:25 | 000,002,180 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2013.06.04 17:55:00 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.06.04 17:19:28 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2013.06.04 17:18:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.06.04 17:18:51 | 3147,841,536 | -HS- | M] () -- C:\hiberfil.sys
[2013.06.02 19:24:44 | 000,025,600 | ---- | M] () -- C:\Users\xxx\Documents\Geld 2012 Bär.xlr
[2013.05.28 21:42:45 | 000,623,280 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.05.28 21:42:45 | 000,591,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.05.28 21:42:45 | 000,125,378 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.05.28 21:42:45 | 000,103,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.05.25 12:19:00 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2013.05.24 23:01:54 | 325,024,979 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013.05.24 21:36:00 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable
[2013.05.18 14:20:44 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013.05.18 12:25:27 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013.05.16 16:25:35 | 000,340,296 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.13 21:07:19 | 000,030,727 | ---- | M] () -- C:\Users\xxx\Documents\Waage.ods
[2013.05.09 10:59:10 | 000,765,736 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2013.05.09 10:59:10 | 000,368,944 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2013.05.09 10:59:10 | 000,174,664 | ---- | M] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.09 10:59:10 | 000,056,080 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2013.05.09 10:59:10 | 000,049,376 | ---- | M] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.05.09 10:59:09 | 000,066,336 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2013.05.09 10:59:09 | 000,049,760 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2013.05.09 10:59:08 | 000,029,816 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2013.05.09 10:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.05.09 10:58:28 | 000,229,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
 
========== Files Created - No Company Name ==========
 
[2013.05.29 21:45:54 | 3147,841,536 | -HS- | C] () -- C:\hiberfil.sys
[2013.05.27 20:39:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013.05.27 20:39:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013.05.27 20:39:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013.05.27 20:39:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013.05.27 20:39:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013.05.24 21:36:00 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable
[2013.05.18 14:20:44 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.05.18 14:20:35 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013.05.18 14:20:34 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013.02.16 22:35:03 | 000,016,311 | ---- | C] () -- C:\Users\Astrid\.TransferManager.db
[2013.01.27 12:24:29 | 000,000,246 | ---- | C] () -- C:\Windows\wininit.ini
[2012.12.18 11:06:10 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2012.12.18 11:06:06 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2012.12.18 11:06:06 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2012.12.18 11:06:06 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2012.12.18 11:06:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2012.09.18 17:31:20 | 000,000,857 | ---- | C] () -- C:\Users\xxx\.recently-used.xbel
[2011.03.13 20:55:05 | 000,000,680 | ---- | C] () -- C:\Users\xxx\AppData\Local\d3d9caps.dat
[2010.02.09 19:13:58 | 000,005,184 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009.07.15 17:35:28 | 000,002,180 | ---- | C] () -- C:\Users\xxx\AppData\Roaming\wklnhst.dat
[2009.06.15 19:09:41 | 000,026,624 | ---- | C] () -- C:\Users\xxx\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2011.12.19 17:35:32 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\1&1 Mail & Media GmbH
[2013.03.29 16:29:23 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\AnvSoft
[2013.06.04 17:20:46 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Dropbox
[2011.12.17 10:21:29 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\fotobuch.de AG
[2012.09.18 17:31:20 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\gtk-2.0
[2012.09.07 17:50:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICAClient
[2012.05.28 20:00:12 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\ICQ
[2009.06.13 22:45:08 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\InterVideo
[2012.09.26 17:06:06 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Langenscheidt
[2009.08.27 19:05:39 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\OpenOffice.org
[2013.02.16 20:29:31 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Samsung
[2010.09.30 19:21:04 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Template
[2009.06.13 14:03:07 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\Vodafone
 
========== Purity Check ==========
 
 

< End of report >
         

Edited by uuuuuvex (04.06.2013 at 20:51)
