hi,

So funktioniert es:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:

• Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
• Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
• Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
• Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.

Hallo Schrauber,
danke für die schnelle Antwort, anbei die Datei. Ich hoffe ich habe alles richtig gemacht, aber bei Windows 7 ist alles etwas anders.

Gruß Bernd
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 08:57 on 15/09/2013 (Bernd)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

#

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-09-2013 04
Ran by Bernd (administrator) on BERND-PC on 15-09-2013 08:59:36
Running from C:\Users\Bernd\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security CBE\Engine\20.4.0.40\ccSvcHst.exe
() c:\Program Files\Ocster Backup\bin\backupService-ox.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Windows\SysWOW64\PSIService.exe
(TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
() c:\Program Files\Ocster Backup\bin\oxHelper.exe
(TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesApp64.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security CBE\Engine\20.4.0.40\ccSvcHst.exe
(Abelssoft) C:\Program Files (x86)\CheckDrive\CheckDriveBackgroundGuard.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler64.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdc.exe
() C:\Program Files\Ocster Backup\bin\backupClient-ox.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Macrovision Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
() c:\Program Files\Ocster Backup\bin\oxHelper.exe
() C:\Program Files (x86)\Microtek\ScanWizard 5\ScannerFinder.exe
() C:\Users\Bernd\AppData\Roaming\BrowserCompanion\tcbhn.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_168.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_168.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1680976 2010-10-29] (Logitech, Inc.)
HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [Ocster Backup] - C:\Program Files\Ocster Backup\bin\backupClient-ox.exe [312488 2013-07-02] ()
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKCU\...\Run: [SSync] - C:\Users\Bernd\AppData\Roaming\SSync\SSync.exe [36864 2013-04-10] ()
HKCU\...\Run: [DataMgr] - C:\Users\Bernd\AppData\Roaming\DataMgr\DataMgr.exe [168824 2013-07-21] (HTTO Group, Ltd.)
HKCU\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [19875432 2013-06-21] (Skype Technologies S.A.)
HKCU\...\Run: [ISUSPM] - C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [218032 2006-09-11] (Macrovision Corporation)
HKCU\...\Run: [SCheck] - C:\Users\Bernd\AppData\Roaming\SCheck\SCheck.exe [36864 2013-04-10] ()
HKCU\...\Run: [Intermediate] - C:\Users\Bernd\AppData\Roaming\Intermediate\Intermediate.exe [36864 2013-04-10] ()
MountPoints2: {52219491-d442-11de-9774-806e6f6e6963} - D:\autorun.exe
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-06-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PMBVolumeWatcher] - C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe [739936 2012-11-27] (Sony Corporation)
HKLM-x32\...\Run: [NBAgent] - C:\Program Files (x86)\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe [1086760 2010-03-14] (Nero AG)
Startup: C:\Users\Bernd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Users\Bernd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk
ShortcutTarget: tcbhn.lnk -> C:\Users\Bernd\AppData\Roaming\BrowserCompanion\tcbhn.exe ()
Startup: C:\Users\Bernd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows-Kalender (2).lnk
ShortcutTarget: Windows-Kalender (2).lnk -> C:\Program Files\WinCal.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = MSN Deutschland: Aktuelle Nachrichten, Outlook.com Email und Skype Login.
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x0744722B4E4FCC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
URLSearchHook: (No Name) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - No File
SearchScopes: HKLM-x32 - DefaultScope {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
SearchScopes: HKLM-x32 - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKCU - {6EF87C3B-FC3C-4306-9EDD-43675667079D} URL = hxxp://www.google.de/search?q={searchTerms}
SearchScopes: HKCU - {8962F6AD-6740-4EF0-B319-67F408792CC6} URL = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=302398&p={searchTerms}
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
SearchScopes: HKCU - {CF739809-1C6C-47C0-85B9-569DBB141420} URL = hxxp://dl.ask.com/toolbarv/askRedirect.jsp?gct=&gc=1&q={searchTerms}&crm=1&toolbar=GLS
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Browser Companion Helper - {00cbb66b-1d3b-46d3-9577-323a336acb50} - C:\Program Files (x86)\BrowserCompanion\jsloader.dll ( )
BHO-x32: Winload Toolbar - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files (x86)\Winload\prxtbWinl.dll (Conduit Ltd.)
BHO-x32: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security CBE\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security CBE\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Browser Companion Helper Verifier - {963B125B-8B21-49A2-A3A8-E37092276531} - C:\Program Files (x86)\BrowserCompanion\updatebhoWin32.dll ( )
Toolbar: HKLM-x32 - Winload Toolbar - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files (x86)\Winload\prxtbWinl.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security CBE\Engine\20.4.0.40\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKCU - No Name - {40C3CC16-7269-4B32-9531-17F2950FB06F} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler: base64 - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - No File
Handler: chrome - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - No File
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
Handler: prox - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll ()
Handler-x32: base64 - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - C:\Program Files (x86)\BrowserCompanion\tdataprotocol.dll (Blabbers Communications Ltd)
Handler-x32: chrome - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - C:\Program Files (x86)\BrowserCompanion\tdataprotocol.dll (Blabbers Communications Ltd)
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: prox - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - C:\Program Files (x86)\BrowserCompanion\tdataprotocol.dll (Blabbers Communications Ltd)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll ()
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:

#
GMER Logfile:

Code: Alles auswählenAufklappen

ATTFilter

GMER 2.1.19163 - GMER - Rootkit Detector and Remover
Rootkit scan 2013-09-15 09:37:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-00A0RT0 rev.01.01A01 465,76GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Bernd\AppData\Local\Temp\pgloqpog.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544                                                          fffff80003403000 45 bytes [00, 10, D0, 0A, A0, F8, FF, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 591                                                          fffff8000340302f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text     C:\Windows\SysWOW64\PnkBstrA.exe[1108] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                     0000000072f71a22 2 bytes [F7, 72]
.text     C:\Windows\SysWOW64\PnkBstrA.exe[1108] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                     0000000072f71ad0 2 bytes [F7, 72]
.text     C:\Windows\SysWOW64\PnkBstrA.exe[1108] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                     0000000072f71b08 2 bytes [F7, 72]
.text     C:\Windows\SysWOW64\PnkBstrA.exe[1108] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                     0000000072f71bba 2 bytes [F7, 72]
.text     C:\Windows\SysWOW64\PnkBstrA.exe[1108] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                     0000000072f71bda 2 bytes [F7, 72]
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          0000000076fdfcb0 5 bytes JMP 00000001002b091c
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                        0000000076fdfe14 5 bytes JMP 00000001002b0048
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                 0000000076fdfea8 5 bytes JMP 00000001002b02ee
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                              0000000076fe0004 5 bytes JMP 00000001002b04b2
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      0000000076fe0038 5 bytes JMP 00000001002b09fe
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                              0000000076fe0068 5 bytes JMP 00000001002b0ae0
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                           0000000076fe0084 5 bytes JMP 0000000100020050
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                              0000000076fe079c 5 bytes JMP 00000001002b012a
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                  0000000076fe088c 5 bytes JMP 00000001002b0758
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                            0000000076fe08a4 5 bytes JMP 00000001002b0676
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                0000000076fe0df4 5 bytes JMP 00000001002b03d0
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          0000000076fe1920 5 bytes JMP 00000001002b0594
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                      0000000076fe1be4 5 bytes JMP 00000001002b083a
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                             0000000076fe1d70 5 bytes JMP 00000001002b020c
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206            000000007617524f 7 bytes JMP 00000001002b0f52
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                00000000761753d0 7 bytes JMP 00000001002c0210
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149               0000000076175677 1 byte JMP 00000001002c0048
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151               0000000076175679 5 bytes {JMP 0xffffffff8a14a9d1}
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                      000000007617589a 7 bytes JMP 00000001002b0ca6
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                      0000000076175a1d 7 bytes JMP 00000001002c03d8
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                 0000000076175c9b 7 bytes JMP 00000001002c012c
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                   0000000076175d87 7 bytes JMP 00000001002c02f4
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  0000000076177240 7 bytes JMP 00000001002b0e6e
.text     C:\Users\Bernd\Downloads\gmer_2.1.19163.exe[4400] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                 0000000075451492 7 bytes JMP 00000001002c04bc

---- Registry - GMER 2.1 ----

Reg       HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\temp\aulauncher.exe   1

---- EOF - GMER 2.1 ----
         

--- --- ---