
Log Analysis and Evaluation: Windows 7, Trojan Software.Updater.UI.exe, popup keeps coming back

Windows 7. If you have picked up a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: see "Erste Schritte zur Hilfe" (first steps to getting help). Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

01.01.2014, 13:19   #1
StefanA

Windows 7, Trojan Software.Updater.UI.exe, popup keeps coming back



Good day,

for a few days now I keep getting a popup that no longer goes away. It prompts me to collect some Christmas presents. In the Task Manager I find the application "Software.Updater.UI.exe", which I stopped manually. Unfortunately it reappears at startup.
According to "Virus-total.com" it is a virus. F-Secure unfortunately had not detected the virus.
I have run the applications Defogger, FRST and GMER; the log files are attached.

Many thanks in advance,
Stefan
Attached files
File type: log defogger_disable.log (476 bytes, viewed 122 times)
File type: txt FRST.txt (45.8 KB, viewed 113 times)
File type: txt Addition.txt (30.7 KB, viewed 113 times)
File type: txt GMER, Teil1.txt (66.5 KB, viewed 113 times)
File type: txt GMER, Teil2.txt (84.8 KB, viewed 123 times)

01.01.2014, 13:29   #2
schrauber
/// the machine
/// TB instructor

Windows 7, Trojan Software.Updater.UI.exe, popup keeps coming back



Hi,

Please always post logs directly in the thread. If necessary, split them up and use several posts.


How it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
  • Select the entire log file (usually CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it right. If everything is correct ... click Reply.

01.01.2014, 13:57   #3
StefanA

Windows 7, Trojan Software.Updater.UI.exe, popup keeps coming back



Code:
Hello, the logs were reported as too large when I created the post.
Here is another attempt.

DEFOGGER: 
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:39 on 30/12/2013 (Kathlen)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
FRST log file:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-12-2013 01
Ran by Kathlen (administrator) on KATHLEN-PC on 30-12-2013 18:46:03
Running from D:\Users\Kathlen\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSHDLL32.EXE
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSHDLL64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSM32.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Spam Control\fsscoepl_x64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\FWES\program\fsdfwd.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fssm32.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsav32.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\SAMSUNG\SamsungFastStart\SmartRestarter.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
(Samsung Electronics) C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
() Q:\140066.deu\Office14\WINWORDC.EXE
() C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
() Q:\140066.deu\Office14\OffSpon.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11780712 2011-02-27] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [395344 2011-09-22] (Acronis)
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe [87336 2010-09-20] (CyberLink Corp.)
HKLM-x32\...\Run: [TrueImageMonitor.exe] - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5587832 2011-09-22] (Acronis)
HKLM-x32\...\Run: [F-Secure Manager] - C:\Program Files (x86)\F-Secure\Common\FSM32.EXE [201384 2011-10-21] (F-Secure Corporation)
HKLM-x32\...\Run: [F-Secure TNB] - C:\Program Files (x86)\F-Secure\FSGUI\tnbutil.exe [1655464 2011-10-21] (F-Secure Corporation)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:tabs
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:tabs
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.certified-toolbar.com?si=43169&st=bs&tid=3580&ver=3.2&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
SearchScopes: HKCU - DefaultScope {7AF10BB5-1A3E-4F5E-9FA5-21102412DB25} URL = hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKCU - {7AF10BB5-1A3E-4F5E-9FA5-21102412DB25} URL = hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.certified-toolbar.com?si=43169&st=bs&tid=3580&ver=3.2&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Samsung BHO Class - {AA609D72-8482-4076-8991-8CDAE5B93BCB} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll ()
BHO-x32: Browsing Protection Class - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files (x86)\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM-x32 - Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files (x86)\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog9 01 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 02 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 03 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 04 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 05 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 06 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 07 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 08 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 09 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 10 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 11 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 23 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9-x64 01 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 02 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 03 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 04 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 05 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 06 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 07 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 08 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 09 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 10 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 11 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 23 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default
FF DefaultSearchEngine: Web Search
FF SearchEngineOrder.1: Web Search
FF SelectedSearchEngine: Web Search
FF Homepage: about:home
FF Keyword.URL: hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.15.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\searchplugins\Web Search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\Web Search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF HKLM-x32\...\Firefox\Extensions: [litmus-ff@f-secure.com] - C:\Program Files (x86)\F-Secure\NRS\litmus-ff@f-secure.com
FF Extension: Browsing Protection - C:\Program Files (x86)\F-Secure\NRS\litmus-ff@f-secure.com
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

==================== Services (Whitelisted) =================

R2 F-Secure Gatekeeper Handler Starter; C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe [221864 2011-10-21] (F-Secure Corporation)
R3 FSDFWD; C:\Program Files (x86)\F-Secure\FWES\Program\fsdfwd.exe [849576 2011-10-21] (F-Secure Corporation)
R2 FSMA; C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE [189096 2011-10-21] (F-Secure Corporation)
R3 FSORSPClient; C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe [60352 2013-06-06] (F-Secure Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] ()
S2 SystemStoreService; C:\Program Files (x86)\SoftwareUpdater\SystemStore.exe [297984 2013-12-30] ()

==================== Drivers (Whitelisted) ====================

R3 F-Secure Gatekeeper; C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [202176 2013-07-10] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\F-Secure\HIPS\drivers\fshs.sys [61960 2011-10-21] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2012-08-20] ()
R0 fsbts; C:\Windows\SysWow64\Drivers\fsbts.sys [42672 2011-10-21] ()
R1 FSES; C:\Windows\System32\drivers\fses.sys [46664 2011-10-21] (F-Secure Corporation)
R1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [95784 2011-10-21] (F-Secure Corporation)
R1 fsvista; C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [15016 2011-10-21] ()
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [117040 2011-10-03] (Oracle Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-12-30 18:45 - 2013-12-30 18:45 - 00000000 ____D C:\FRST
2013-12-30 18:39 - 2013-12-30 18:39 - 00000000 _____ C:\Users\Kathlen\defogger_reenable
2013-12-22 14:03 - 2013-12-22 14:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-12-21 10:40 - 2013-12-21 10:40 - 00002176 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-12-19 17:05 - 2013-12-19 17:05 - 00000000 ____D C:\Users\Kathlen\AppData\Local\SoftwareUpdater
2013-12-15 14:48 - 2013-11-26 12:54 - 23183360 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-12-15 14:48 - 2013-11-26 11:19 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-12-15 14:48 - 2013-11-26 11:18 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2013-12-15 14:48 - 2013-11-26 11:11 - 17112576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-12-15 14:48 - 2013-11-26 10:48 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-12-15 14:48 - 2013-11-26 10:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2013-12-15 14:48 - 2013-11-26 10:41 - 02764288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-12-15 14:48 - 2013-11-26 10:29 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-12-15 14:48 - 2013-11-26 10:27 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-12-15 14:48 - 2013-11-26 10:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-12-15 14:48 - 2013-11-26 10:21 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-12-15 14:48 - 2013-11-26 10:18 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-12-15 14:48 - 2013-11-26 10:18 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2013-12-15 14:48 - 2013-11-26 10:16 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2013-12-15 14:48 - 2013-11-26 09:57 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-12-15 14:48 - 2013-11-26 09:38 - 02166784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-12-15 14:48 - 2013-11-26 09:38 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-12-15 14:48 - 2013-11-26 09:35 - 05769216 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-12-15 14:48 - 2013-11-26 09:32 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-12-15 14:48 - 2013-11-26 09:28 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2013-12-15 14:48 - 2013-11-26 09:16 - 04243968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-12-15 14:48 - 2013-11-26 09:02 - 01995264 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-12-15 14:48 - 2013-11-26 08:48 - 12996608 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-12-15 14:48 - 2013-11-26 08:32 - 01928192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-12-15 14:48 - 2013-11-26 08:26 - 11221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-12-15 14:48 - 2013-11-26 08:07 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-12-15 14:48 - 2013-11-26 07:40 - 01395200 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-12-15 14:48 - 2013-11-26 07:34 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2013-12-15 14:48 - 2013-11-26 07:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2013-12-15 14:48 - 2013-11-26 07:33 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-12-15 14:48 - 2013-11-26 07:27 - 01157632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-12-15 14:22 - 2013-10-14 18:00 - 00028368 _____ (Microsoft Corporation) C:\Windows\system32\IEUDINIT.EXE
2013-12-15 14:19 - 2013-12-15 14:19 - 01228800 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00942592 _____ (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00774144 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00645120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsIntl.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00616104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2013-12-15 14:19 - 2013-12-15 14:19 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
2013-12-15 14:19 - 2013-12-15 14:19 - 00610304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00523776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00413696 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2013-12-15 14:19 - 2013-12-15 14:19 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2013-12-15 14:19 - 2013-12-15 14:19 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00263376 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\msls31.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00244736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00238288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00235008 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00233472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00208384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00194048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00182272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00167424 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00151552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00147968 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00139264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00127488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00116736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00111616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00101376 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00086016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00083456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2013-12-15 14:19 - 2013-12-15 14:19 - 00074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00069120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2013-12-15 14:19 - 2013-12-15 14:19 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00056832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00048640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00040448 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00012800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2013-12-15 14:15 - 2013-12-15 14:23 - 00010277 _____ C:\Windows\IE11_main.log
2013-12-12 22:19 - 2013-05-10 06:56 - 14631424 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2013-12-12 22:19 - 2013-05-10 06:56 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2013-12-12 22:19 - 2013-05-10 05:56 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2013-12-12 22:19 - 2013-05-10 05:56 - 11410432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2013-12-12 22:16 - 2013-10-12 03:32 - 00150016 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2013-12-12 22:16 - 2013-10-12 03:31 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2013-12-12 22:16 - 2013-10-12 03:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshom.ocx
2013-12-12 22:16 - 2013-10-12 03:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrrun.dll
2013-12-12 22:16 - 2013-10-12 02:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2013-12-12 22:16 - 2013-10-12 02:33 - 00156160 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2013-12-12 22:16 - 2013-10-12 02:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2013-12-12 22:16 - 2013-10-12 02:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2013-12-12 22:15 - 2013-11-23 19:26 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-12-12 22:15 - 2013-11-23 18:47 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2013-12-12 22:15 - 2013-11-12 03:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-12-12 22:15 - 2013-11-12 03:07 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-12-12 22:15 - 2013-10-30 03:32 - 00335360 _____ (Microsoft Corporation) C:\Windows\system32\msieftp.dll
2013-12-12 22:15 - 2013-10-30 03:19 - 00301568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msieftp.dll
2013-12-12 22:15 - 2013-10-30 02:24 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-12-12 22:15 - 2013-10-19 03:18 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2013-12-12 22:15 - 2013-10-19 02:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2013-12-12 22:15 - 2013-10-04 03:16 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2013-12-12 22:15 - 2013-10-04 02:36 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys

==================== One Month Modified Files and Folders =======

2013-12-30 18:45 - 2013-12-30 18:45 - 00000000 ____D C:\FRST
2013-12-30 18:40 - 2012-10-30 21:57 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-30 18:39 - 2013-12-30 18:39 - 00000000 _____ C:\Users\Kathlen\defogger_reenable
2013-12-30 18:39 - 2011-10-21 15:17 - 00000000 ____D C:\Users\Kathlen
2013-12-30 18:36 - 2011-10-21 19:36 - 00001112 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-30 18:36 - 2011-10-21 19:35 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-30 17:40 - 2009-07-14 05:45 - 00014144 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-30 17:40 - 2009-07-14 05:45 - 00014144 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-30 17:36 - 2011-03-17 05:36 - 01152402 _____ C:\Windows\WindowsUpdate.log
2013-12-30 17:31 - 2013-10-09 18:33 - 00004984 _____ C:\Windows\setupact.log
2013-12-30 17:31 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-30 16:46 - 2013-05-11 17:56 - 00004182 _____ C:\Windows\System32\Tasks\Software Updater Ui
2013-12-30 16:45 - 2013-05-11 17:56 - 00004206 _____ C:\Windows\System32\Tasks\Software Updater
2013-12-29 22:20 - 2011-10-21 17:42 - 00000000 ____D C:\Users\Kathlen\AppData\Roaming\SoftGrid Client
2013-12-29 11:51 - 2009-07-14 06:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-12-23 10:37 - 2012-11-30 21:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-12-22 14:03 - 2013-12-22 14:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-12-21 10:40 - 2013-12-21 10:40 - 00002176 _____ C:\Users\Public\Desktop\Google Earth.lnk
2013-12-21 10:40 - 2011-10-21 19:33 - 00000000 ____D C:\Program Files (x86)\Google
2013-12-19 17:05 - 2013-12-19 17:05 - 00000000 ____D C:\Users\Kathlen\AppData\Local\SoftwareUpdater
2013-12-15 20:24 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
2013-12-15 14:48 - 2013-08-17 18:55 - 00000000 ____D C:\Windows\system32\MRT
2013-12-15 14:45 - 2012-07-22 10:40 - 90708896 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-12-15 14:41 - 2011-10-21 15:23 - 00001421 _____ C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-15 14:38 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-12-15 14:23 - 2013-12-15 14:15 - 00010277 _____ C:\Windows\IE11_main.log
2013-12-15 14:19 - 2013-12-15 14:19 - 01228800 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00942592 _____ (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00774144 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00645120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsIntl.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00616104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2013-12-15 14:19 - 2013-12-15 14:19 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
2013-12-15 14:19 - 2013-12-15 14:19 - 00610304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00523776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00413696 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2013-12-15 14:19 - 2013-12-15 14:19 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2013-12-15 14:19 - 2013-12-15 14:19 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00263376 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\msls31.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00244736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00238288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00235008 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00233472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00208384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00194048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00182272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00167424 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00151552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00147968 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00139264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00127488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00116736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00111616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00101376 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00086016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00083456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2013-12-15 14:19 - 2013-12-15 14:19 - 00074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00069120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2013-12-15 14:19 - 2013-12-15 14:19 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00056832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00048640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00040448 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2013-12-15 14:19 - 2013-12-15 14:19 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2013-12-15 14:19 - 2013-12-15 14:19 - 00012800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2013-12-13 21:54 - 2011-03-17 22:00 - 00661980 _____ C:\Windows\system32\perfh007.dat
2013-12-13 21:54 - 2011-03-17 22:00 - 00133678 _____ C:\Windows\system32\perfc007.dat
2013-12-13 21:54 - 2009-07-14 06:13 - 01522106 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-13 21:49 - 2009-07-14 05:45 - 00350104 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-10 21:57 - 2012-10-30 21:57 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-12-10 21:57 - 2012-10-30 21:57 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-12-10 21:57 - 2011-10-21 16:43 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-05 22:25 - 2011-10-21 15:18 - 00091112 _____ C:\Users\Kathlen\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-03 18:31 - 2011-10-21 19:36 - 00004108 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-12-03 18:31 - 2011-10-21 19:35 - 00003856 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-12-21 11:20

==================== End Of Log ============================
         
--- --- ---

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-12-2013 01
Ran by Kathlen at 2013-12-30 18:46:45
Running from D:\Users\Kathlen\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: F-Secure Internet Security 2011 10.51 (Enabled - Up to date) {15414183-282E-D62C-CA37-EF24860A2F17}
AS: F-Secure Internet Security 2011 10.51 (Enabled - Up to date) {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: F-Secure Internet Security 2011 10.51 (Enabled) {2D7AC0A6-6241-D774-E168-461178D9686C}

==================== Installed Programs ======================

„Windows Live Essentials“ (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
„Windows Live Mail“ (x32 Version: 15.4.3502.0922 - „Microsoft Corporation“)
„Windows Live Messenger“ (x32 Version: 15.4.3502.0922 - „Microsoft Corporation“)
„Windows Live“ fotogalerija (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
6000E609_eDocs (x32 Version: 1.00.0000 - Hewlett-Packard)
6000E609_Help (x32 Version: 1.00.0000 - Hewlett-Packard)
6000E609a (x32 Version: 140.0.000.000 - Hewlett-Packard)
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard)
Acronis*True*Image*Home 2011 (x32 Version: 14.0.6942 - Acronis)
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.05) - Deutsch (x32 Version: 11.0.05 - Adobe Systems Incorporated)
Atheros Client Installation Program (x32 Version: 9.0 - Atheros)
AWIN NotenBox 7 (x32 Version: 7 - AWIN Software)
BatteryLifeExtender (x32 Version: 1.0.11 - Samsung)
BPDSoftware (x32 Version: 140.0.000.000 - Hewlett-Packard)
BPDSoftware_Ini (x32 Version: 1.00.0000 - Hewlett-Packard)
Broadcom 802.11 Network Adapter (Version: 5.60.48.55 - Broadcom Corporation)
BufferChm (x32 Version: 140.0.213.000 - Hewlett-Packard)
CCleaner (Version: 4.06 - Piriform)
CyberLink Media Suite (x32 Version: 8.0.2227 - CyberLink Corp.)
CyberLink Media+ Player10 (x32 Version: 10.0.1110.00 - CyberLink Corp.)
CyberLink MediaShow (x32 Version: 5.0.1130a - CyberLink Corp.)
CyberLink Power2Go (x32 Version: 6.1.3802 - CyberLink Corp.)
CyberLink PowerDirector (x32 Version: 8.0.3306 - CyberLink Corp.)
CyberLink YouCam (x32 Version: 3.1.3509 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft)
DeviceDiscovery (x32 Version: 140.0.213.000 - Hewlett-Packard)
Easy Content Share (x32 Version: 1.0 - Samsung Electronics Co., LTD)
Easy Display Manager (x32 Version: 3.2 - Samsung Electronics Co., Ltd.)
Easy Migration (x32 Version: 1.0.0.5 - Samsung Electronics Co., Ltd.)
Easy Network Manager (x32 Version: 4.4.7 - Samsung)
Easy SpeedUp Manager (x32 Version: 2.1.1.1 - Samsung Electronics Co.,Ltd.)
EasyBatteryManager (x32 Version: 4.0.0.4 - Samsung)
EasyFileShare (x32 Version: 1.0.12 - Samsung)
ETDWare PS/2-X64 8.0.7.2_WHQL (Version: 8.0.7.2 - ELAN Microelectronic Corp.)
Fast Start (x32 Version: 2.2.0.1 - SAMSUNG)
Fotogalerija Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Free System Utilities (x32 Version: 1.0.0.28 - Covus Freemium GmbH)
Free SystemUtilities (x32 Version: 1.0.0.28 - Covus Freemium GmbH)
F-Secure Internet Security 2011 (x32 Version: - )
Galeria de Fotografias do Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Galería fotográfica de Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Galeria fotografii usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Galerie foto Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Google Earth (x32 Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.)
GPBaseService2 (x32 Version: 140.0.212.000 - Hewlett-Packard)
Hewlett-Packard ACLM.NET v1.1.0.0 (x32 Version: 1.00.0000 - Hewlett-Packard)
HP Customer Participation Program 14.0 (Version: 14.0 - HP)
HP Imaging Device Functions 14.0 (Version: 14.0 - HP)
HP Officejet 6000 E609 Series (Version: 14.0 - HP)
HP Photo Creations (x32 Version: 1.0.0.9572 - HP)
HP Product Detection (x32 Version: 11.14.0001 - HP)
HP Smart Web Printing 4.60 (Version: 4.60 - HP)
HP Solution Center 14.0 (Version: 14.0 - HP)
HP Update (x32 Version: 5.003.001.001 - Hewlett-Packard)
HPProductAssistant (x32 Version: 140.0.213.000 - Hewlett-Packard)
HPSSupply (x32 Version: 140.0.212.000 - Hewlett-Packard)
Intel PROSet Wireless (Version: - )
Intel(R) Control Center (x32 Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (x32 Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Processor Graphics (x32 Version: 8.15.10.2266 - Intel Corporation)
Intel(R) PROSet/Wireless WiFi Software (Version: 14.0.2000 - Intel Corporation)
Intel(R) Rapid Storage Technology (x32 Version: 10.0.0.1046 - Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
MarketResearch (x32 Version: 140.0.214.000 - Hewlett-Packard)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation)
Microsoft Office 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Klick-und-Los 2010 (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Klick-und-Los 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - Deutsch (x32 Version: 14.0.5128.5002 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)
Movie Color Enhancer (x32 Version: 1.0 - Samsung Electronics Co., Ltd.)
Mozilla Firefox 26.0 (x86 de) (x32 Version: 26.0 - Mozilla)
Mozilla Maintenance Service (x32 Version: 26.0 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft)
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft)
Network64 (Version: 140.0.215.000 - Hewlett-Packard)
Network64 (Version: 140.0.221.000 - Hewlett-Packard)
OpenOffice 4.0.0 (x32 Version: 4.00.9702 - Apache Software Foundation)
Oracle VM VirtualBox 4.1.4 (Version: 4.1.4 - Oracle Corporation)
PhoneShare (x32 Version: 9.1.4 - Samsung)
Picasa 3 (x32 Version: 3.8 - Google, Inc.)
Poczta usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Podstawowe programy Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Pošta Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
ProductContext (x32 Version: 140.0.000.000 - Hewlett-Packard)
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Realtek Ethernet Controller Driver (x32 Version: 7.40.126.2011 - Realtek)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6318 - Realtek Semiconductor Corp.)
Samsung AnyWeb Print (x32 Version: 2.0.67.1 - Samsung Electronics Co., Ltd.)
Samsung Printer Live Update (x32 Version: - Samsung Electronics Co., Ltd.)
Samsung Recovery Solution 5 (x32 Version: 5.0.1.0 - Samsung)
Samsung Support Center (x32 Version: 1.1.24 - Samsung)
Samsung Universal Print Driver (x32 Version: 2.02.05.00:27 - Samsung Electronics Co., Ltd.)
Samsung Universal Scan Driver (x32 Version: 1.2.5.0 - Samsung Electronics Co., Ltd.)
Samsung Update Plus (x32 Version: 3.0.0.17 - Samsung Electronics Co., Ltd.)
SES Driver (Version: 1.0.0 - Western Digital)
Shop for HP Supplies (Version: 14.0 - HP)
SISShortcut (x32 Version: 1.00.000 - Samsung)
Skype™ 5.10 (x32 Version: 5.10.116 - Skype Technologies S.A.)
SmartWebPrinting (x32 Version: 140.0.213.000 - Hewlett-Packard)
SolutionCenter (x32 Version: 140.0.214.000 - Hewlett-Packard)
SRS Premium Sound Control Panel (Version: 1.11.1300 - SRS Labs, Inc.)
Status (x32 Version: 140.0.256.000 - Hewlett-Packard)
Toolbox (x32 Version: 140.0.428.000 - Hewlett-Packard)
TrayApp (x32 Version: 140.0.213.000 - Hewlett-Packard)
Überwachungstool für die Intel® Turbo-Boost-Technik 2.0 (Version: 2.0.82.0 - Intel)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (x32 Version: 3 - Microsoft Corporation)
User Guide (x32 Version: 1.0 - )
WebReg (x32 Version: 140.0.213.017 - Hewlett-Packard)
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (03/06/2009 1.0.0008.0) (Version: 03/06/2009 1.0.0008.0 - Western Digital Technologies)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live fotoattēlu galerija (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Fotogaléria (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Fotogalerie (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Foto-galerija (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Fotogalleri (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Fotoğraf Galerisi (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Fotótár (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Galeria de Fotos (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Galerija fotografija (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation)
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт)
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Pošta (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Temel Parçalar (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 메일 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 사진 갤러리 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 필수 패키지 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 影像中心 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 照片库 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 程式集 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live 程式集 (x32 Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live 软件包 (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Liven asennustyökalu (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Liven sähköposti (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Liven valokuvavalikoima (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
WordCaptureX Pro (x32 Version: 4.0.0 - Deskperience)
Συλλογή φωτογραφιών του Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Основные компоненты Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Почта Windows Live (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт)
Фотоальбом Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
Фотогалерия на Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
גלריית התמונות של Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
بريد Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)
معرض صور Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation)

==================== Restore Points =========================

15-12-2013 13:14:29 Windows Update
15-12-2013 13:45:12 Windows Update
20-12-2013 16:47:35 Windows Update
24-12-2013 09:38:15 Windows Update
28-12-2013 18:28:46 Windows Update

==================== Hosts content: ==========================

2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {005124D4-79F9-4756-BA7C-C36B49AF9D03} - System32\Tasks\EasySpeedUpManager => C:\Program Files (x86)\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe [2010-02-10] (Samsung Electronics Co., Ltd.)
Task: {0EEE9748-567C-4806-8ECB-04535BFA957C} - System32\Tasks\{09278993-17F8-47F2-9583-62245189EBFD} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {123CB41D-331F-4864-92DB-9E68824DE585} - System32\Tasks\BatteryLifeExtender => C:\Program Files (x86)\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe [2010-12-18] (Samsung Electronics. Co. Ltd.)
Task: {1C1727E7-88E0-4CB4-87C5-C3A152A15286} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2010-11-10] (CyberLink)
Task: {28FF2ECD-747C-4870-82E5-4120F2F18A2E} - System32\Tasks\Freemium1ClickMaint => D:\Users\Kathlen\Downloads\1Click.exe
Task: {302C3BC6-F254-4ACD-A6D6-701D5FC296AC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-10] (Adobe Systems Incorporated)
Task: {406F6E60-5E49-4B30-80D3-8DCC0F058469} - System32\Tasks\EasyDisplayMgr => C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe [2010-12-23] (Samsung Electronics Co., Ltd.)
Task: {4496F700-2791-4DAE-97F7-7B3A58477C8C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-09-19] (Piriform Ltd)
Task: {4518FAEE-0816-4B1C-A589-66BE928E2688} - System32\Tasks\Software Updater => C:\Program Files (x86)\SoftwareUpdater\SoftwareUpdater.Bootstrapper.exe [2013-12-19] ()
Task: {4BE5808E-894C-46B6-B096-04BC30F30D36} - System32\Tasks\SamsungSupportCenter => C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe [2011-02-07] (SAMSUNG Electronics)
Task: {4C971725-6A7A-4B2B-B898-4F9827322140} - System32\Tasks\{7B0A976F-05CC-4DB3-BA76-6EEEEBC55584} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {4D473986-E45B-4661-9BB1-1C1A10A1416C} - System32\Tasks\Software Updater Ui => C:\Program Files (x86)\SoftwareUpdater\SoftwareUpdater.Ui.exe [2013-12-19] ()
Task: {51A245F2-E16A-4523-AA10-805333B16C8C} - System32\Tasks\{5E274F95-0DDD-4FCF-863D-CE532B6A54EB} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {6E050F94-8B61-4CAA-8A66-607102F1B260} - System32\Tasks\MovieColorEnhancer => C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe [2010-11-29] (Samsung Electronics Co., Ltd.)
Task: {6F5CB2FF-BED6-4293-B692-B6CC1FC11EA8} - System32\Tasks\{1777ED2A-1054-4771-A345-478F457C2FDE} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {708319C0-3013-43F7-874C-6BC6692C6F4D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-21] (Google Inc.)
Task: {7393340B-1A82-49F0-9434-66AFA25610E0} - System32\Tasks\WifiManager => C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe [2011-01-04] (Samsung Electronics Co., Ltd.)
Task: {86EC4423-A4C7-4179-84AE-D06A24412130} - System32\Tasks\EasyBatteryManager => C:\Program Files (x86)\Samsung\EasyBatteryManager\EasyBatteryMgr4.exe [2010-07-20] (SAMSUNG Electronics co., LTD.)
Task: {8ABA4BC6-0C16-4A2D-8DC1-CF74B4A7F284} - System32\Tasks\{1BCDF4DF-E1FF-412D-A4CE-939B67191475} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {8BC3EB02-1186-42D8-BFED-9765A91C90A8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-21] (Google Inc.)
Task: {8F531D07-0BD6-4B7E-B278-D6441821F2D9} - System32\Tasks\advSRS5 => C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe [2011-02-14] (SEC)
Task: {A23093A1-0567-46D8-BB9C-D1B5DCB4CEBF} - System32\Tasks\SRS Premium Sound => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2011-02-24] (SRS Labs, Inc.)
Task: {CD68F9C9-6B80-4FE4-BBC6-3CB671C4EAFC} - System32\Tasks\{6287B10E-5FFE-4B01-AECE-AE61C901CDD1} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {CEDEFDEB-FE07-4744-9854-FE889E47F04F} - System32\Tasks\{45F18247-C3FA-4078-A1FF-65F0B3EAB0EF} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE
Task: {D49520CB-B34E-4C13-8BC3-B69362F84532} - System32\Tasks\SmartRestarter => C:\Program Files\SAMSUNG\SamsungFastStart\SmartRestarter.exe [2010-08-05] (Samsung Electronics Co., Ltd.)
Task: {DF748906-35E0-436F-9C55-7E86C24D083B} - System32\Tasks\SUPBackground => C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe [2010-08-27] (Samsung Electronics) Task: {E63C4EB2-F2D2-453E-B6AA-11F7BB900259} - System32\Tasks\{07F7B715-00A0-4952-8847-BED1C90E48DD} => D:\Eigene Dateien\Kathlen_Schule\NOTENBOX\NOTENBOX.EXE Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2011-03-17 20:56 - 2010-12-17 02:37 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll 2011-09-22 21:20 - 2011-09-22 21:20 - 11233136 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\Common\ti_managers.dll 2011-03-17 05:49 - 2010-07-05 11:42 - 00203776 _____ () C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll 2011-10-21 16:30 - 2011-10-21 16:30 - 00443048 _____ () C:\Program Files (x86)\F-Secure\FSGUI\about.dll 2011-10-21 16:30 - 2011-10-21 16:30 - 00090792 _____ () C:\Program Files (x86)\F-Secure\FSGUI\aboutres.dll 2011-10-21 16:30 - 2011-10-21 16:30 - 00086016 _____ () C:\Program Files (x86)\F-Secure\FSGUI\strres.eng 2011-10-21 16:30 - 2011-10-21 16:30 - 00553640 _____ () C:\Program Files (x86)\F-Secure\FSGUI\gres.dll 2011-10-21 16:30 - 2011-10-21 16:30 - 00045056 _____ () C:\Program Files (x86)\F-Secure\FSGUI\fsavures.eng 2011-10-21 16:30 - 2011-10-21 16:30 - 00143360 _____ () C:\Program Files (x86)\F-Secure\FSGUI\flyerres.eng 2011-10-21 16:30 - 2011-10-21 16:30 - 00001536 _____ () C:\Program Files (x86)\F-Secure\FSPC\fspcfsm.eng 2011-03-17 05:47 - 2006-08-12 04:48 - 00049152 _____ () C:\Program Files (x86)\Samsung\Easy Display Manager\HookDllPS2.dll 2011-10-21 16:30 - 2011-10-21 16:30 - 00217768 _____ 
() c:\program files (x86)\f-secure\daas2\daas2.dll 2011-10-21 16:35 - 2011-10-21 16:35 - 00030888 _____ () C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\hashlib_x86.dll 2011-10-21 16:30 - 2013-04-23 17:03 - 00213048 _____ () C:\Program Files (x86)\F-Secure\Spam Control\fsas.dll 2011-10-21 16:30 - 2013-07-02 17:39 - 00945088 _____ () C:\Program Files (x86)\F-Secure\Anti-Virus\fm4av.dll 2011-10-21 16:30 - 2011-10-21 16:30 - 00036864 _____ () C:\Program Files (x86)\F-Secure\Anti-Virus\FSAVHRES.eng 2011-03-17 05:55 - 2010-05-07 15:22 - 01636864 _____ () C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\Resdll.dll 2013-12-22 14:03 - 2013-12-22 14:03 - 03559024 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ==================== Safe Mode (whitelisted) =================== ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (12/30/2013 06:46:52 PM) (Source: FSecure-FSecure-F-Secure Anti-Virus) (User: ) Description: 2 2013-12-30 18:46:52+02:00 KATHLEN-PC Kathlen-PC\Kathlen F-Secure Anti-Virus Spyware detected: Type: riskware Family: Name: Application.Generic.582927 Object: C:\Program Files (x86)\SoftwareUpdater\SoftwareUpdater.Bootstrapper.exe Error: (12/30/2013 05:36:38 PM) (Source: FSecure-FSecure-F-Secure Anti-Virus) (User: ) Description: 1 2013-12-30 17:36:37+02:00 KATHLEN-PC Kathlen-PC\Kathlen F-Secure Anti-Virus Spyware detected: Type: riskware Family: Name: Application.Generic.582927 Object: C:\Program Files (x86)\SoftwareUpdater\SoftwareUpdater.Bootstrapper.exe Error: (12/15/2013 09:10:49 PM) (Source: Application Hang) (User: ) Description: Programm firefox.exe, Version 25.0.1.5064 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 574c Startzeit: 01cef9d188b34684 Endzeit: 16 Anwendungspfad: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Berichts-ID: f4705984-65c4-11e3-adad-e81132797eea Error: (12/08/2013 11:32:06 AM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: sidebar.exe, Version: 6.1.7601.17514, Zeitstempel: 0x4ce7a1c7 Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.18247, Zeitstempel: 0x521eaf24 Ausnahmecode: 0xc0000264 Fehleroffset: 0x00000000000cd7e8 ID des fehlerhaften Prozesses: 0x52c Startzeit der fehlerhaften Anwendung: 0xsidebar.exe0 Pfad der fehlerhaften Anwendung: sidebar.exe1 Pfad des fehlerhaften Moduls: sidebar.exe2 Berichtskennung: sidebar.exe3 Error: (12/01/2013 04:18:54 PM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: WINWORDC.EXE, Version: 14.0.6129.5000, Zeitstempel: 0x5082ffdf Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00413920 ID des fehlerhaften Prozesses: 0x1b50 Startzeit der fehlerhaften Anwendung: 0xWINWORDC.EXE0 Pfad der fehlerhaften Anwendung: WINWORDC.EXE1 Pfad des fehlerhaften Moduls: WINWORDC.EXE2 Berichtskennung: WINWORDC.EXE3 Error: (11/06/2013 07:41:58 PM) (Source: Application Hang) (User: ) Description: Programm firefox.exe, Version 25.0.0.5046 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: fa0 Startzeit: 01cedb1e269e5ed6 Endzeit: 26 Anwendungspfad: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Berichts-ID: 102f5c82-4713-11e3-ada7-e81132797eea Error: (10/28/2013 08:27:05 AM) (Source: Application Error) (User: ) Description: Name der fehlerhaften Anwendung: hpqgpc01.exe, Version: 130.0.14.16, Zeitstempel: 0x49dd90d9 Name des fehlerhaften Moduls: ole32.dll, Version: 6.1.7601.17514, Zeitstempel: 0x4ce7b96f Ausnahmecode: 0xc0000005 Fehleroffset: 0x0003bc24 ID des fehlerhaften Prozesses: 0x1580 Startzeit der fehlerhaften Anwendung: 0xhpqgpc01.exe0 Pfad der fehlerhaften Anwendung: hpqgpc01.exe1 Pfad des fehlerhaften Moduls: hpqgpc01.exe2 Berichtskennung: hpqgpc01.exe3 Error: (10/10/2013 08:24:41 PM) (Source: CVHSVC) (User: ) Description: Nur zur Information. Fehler bei der Registrierung des Click-2-Run-Pakets. Error: (10/08/2013 08:36:18 PM) (Source: System Restore) (User: ) Description: Der geplante Wiederherstellungspunkt konnte nicht erstellt werden. Zusätzliche Informationen: (0x81000101). Error: (10/08/2013 08:36:18 PM) (Source: System Restore) (User: ) Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Beschreibung = Geplanter Prüfpunkt; Fehler = 0x81000101). System errors: ============= Error: (12/22/2013 06:06:50 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (12/16/2013 07:51:26 PM) (Source: DCOM) (User: ) Description: {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} Error: (12/15/2013 02:39:01 PM) (Source: DCOM) (User: ) Description: {995C996E-D918-4A8C-A302-45719A6F4EA7} Error: (12/15/2013 02:13:55 PM) (Source: Service Control Manager) (User: ) Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst lmhosts erreicht. 
Error: (12/13/2013 09:47:45 PM) (Source: Microsoft-Windows-LanguagePackSetup) (User: NT-AUTORITÄT) Description: Fehler bei der CBS-Clientinitialisierung. Letzter Fehler: 0x8007045b Error: (12/08/2013 06:47:14 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (12/08/2013 04:21:25 PM) (Source: Microsoft-Windows-BitLocker-Driver) (User: NT-AUTORITÄT) Description: Überprüfung des verschlüsselten Volumes: Die Volumeinformationen auf "" können nicht gelesen werden. Error: (12/08/2013 11:31:49 AM) (Source: Microsoft-Windows-BitLocker-Driver) (User: NT-AUTORITÄT) Description: Überprüfung des verschlüsselten Volumes: Die Volumeinformationen auf "" können nicht gelesen werden. Error: (12/07/2013 05:11:15 PM) (Source: Disk) (User: ) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR1 gefunden. Error: (12/02/2013 08:19:43 PM) (Source: Service Control Manager) (User: ) Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst lmhosts erreicht. 
Microsoft Office Sessions: ========================= Error: (12/30/2013 06:46:52 PM) (Source: FSecure-FSecure-F-Secure Anti-Virus)(User: ) Description: 2 2013-12-30 18:46:52+02:00 KATHLEN-PC Kathlen-PC\Kathlen F-Secure Anti-Virus Spyware detected: Type: riskware Family: Name: Application.Generic.582927 Object: C:\Program Files (x86)\SoftwareUpdater\SoftwareUpdater.Bootstrapper.exe Error: (12/30/2013 05:36:38 PM) (Source: FSecure-FSecure-F-Secure Anti-Virus)(User: ) Description: 1 2013-12-30 17:36:37+02:00 KATHLEN-PC Kathlen-PC\Kathlen F-Secure Anti-Virus Spyware detected: Type: riskware Family: Name: Application.Generic.582927 Object: C:\Program Files (x86)\SoftwareUpdater\SoftwareUpdater.Bootstrapper.exe Error: (12/15/2013 09:10:49 PM) (Source: Application Hang)(User: ) Description: firefox.exe25.0.1.5064574c01cef9d188b3468416C:\Program Files (x86)\Mozilla Firefox\firefox.exef4705984-65c4-11e3-adad-e81132797eea Error: (12/08/2013 11:32:06 AM) (Source: Application Error)(User: ) Description: sidebar.exe6.1.7601.175144ce7a1c7ntdll.dll6.1.7601.18247521eaf24c000026400000000000cd7e852c01cef400b1b4dc32C:\Program Files\Windows Sidebar\sidebar.exeC:\Windows\SYSTEM32\ntdll.dllfbe64d9f-5ff3-11e3-abf2-e81132797eea Error: (12/01/2013 04:18:54 PM) (Source: Application Error)(User: ) Description: WINWORDC.EXE14.0.6129.50005082ffdfunknown0.0.0.000000000c0000005004139201b5001ceeea84cb6aed2Q:\140066.deu\Office14\WINWORDC.EXEunknowne351226e-5a9b-11e3-953f-c309a1cbf1a6 Error: (11/06/2013 07:41:58 PM) (Source: Application Hang)(User: ) Description: firefox.exe25.0.0.5046fa001cedb1e269e5ed626C:\Program Files (x86)\Mozilla Firefox\firefox.exe102f5c82-4713-11e3-ada7-e81132797eea Error: (10/28/2013 08:27:05 AM) (Source: Application Error)(User: ) Description: hpqgpc01.exe130.0.14.1649dd90d9ole32.dll6.1.7601.175144ce7b96fc00000050003bc24158001ced3ae2cd902daC:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exeC:\Windows\syswow64\ole32.dll57ce1b7c-3fa2-11e3-a7e6-e81132797eea Error: 
(10/10/2013 08:24:41 PM) (Source: CVHSVC)(User: ) Description: Fehler bei der Registrierung des Click-2-Run-Pakets. Error: (10/08/2013 08:36:18 PM) (Source: System Restore)(User: ) Description: 0x81000101 Error: (10/08/2013 08:36:18 PM) (Source: System Restore)(User: ) Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationGeplanter Prüfpunkt0x81000101 ==================== Memory info =========================== Percentage of memory in use: 45% Total physical RAM: 4009.55 MB Available physical RAM: 2179.5 MB Total Pagefile: 8017.27 MB Available Pagefile: 5925.9 MB Total Virtual: 8192 MB Available Virtual: 8191.78 MB ==================== Drives ================================ Drive c: (Win7) (Fixed) (Total:111 GB) (Free:53.9 GB) NTFS Drive d: (Daten) (Fixed) (Total:164.05 GB) (Free:161.97 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 298 GB) (Disk ID: C5D3BC32) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=111 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=164 GB) - (Type=05) Partition 4: (Not Active) - (Size=23 GB) - (Type=27) ==================== End Of Log ============================

Alt 01.01.2014, 14:00   #4
StefanA
 
Windows7, Trojaner Software.Updater.UI.exe, Popup erscheint hartnäckig - Standard

Windows7, Trojaner Software.Updater.UI.exe, Popup erscheint hartnäckig



Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-12-30 19:07:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Kathlen\AppData\Local\Temp\pxriafow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                  0000000077b31780 5 bytes JMP 0000000100191018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                    0000000077b31cd0 5 bytes JMP 0000000100190018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                0000000077b31d80 5 bytes JMP 0000000100192018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                                000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                               000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                                                                                                 00000000778cf874 5 bytes JMP 0000000100193018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\system32\USER32.dll!DdeConnect                                                                                                                                                        000000007790dec0 5 bytes JMP 0000000100194018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                   000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                     000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\wininit.exe[760] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                               000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100af1018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100af0018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100af2018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                               000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                              000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                                                                                                00000000778cf874 5 bytes JMP 0000000100af3018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\system32\USER32.dll!DdeConnect                                                                                                                                                       000000007790dec0 4 bytes JMP 0000000100af4018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                  000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                    000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\winlogon.exe[828] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                              000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                    0000000077b31780 5 bytes JMP 0000000100061018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                      0000000077b31cd0 5 bytes JMP 0000000100060018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                  0000000077b31d80 5 bytes JMP 0000000100062018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                                  000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                                 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                     000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                       000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                                 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\lsass.exe[892] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                                                                                    000007feff2455c8 5 bytes JMP 000007ff7f250018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                      0000000077b31780 5 bytes JMP 0000000100131018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                        0000000077b31cd0 5 bytes JMP 0000000100130018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                    0000000077b31d80 5 bytes JMP 0000000100132018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                                    000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                                   000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                       000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                         000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\lsm.exe[900] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                                   000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 00000001001e1018
.text  C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 00000001001e0018
.text  C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 00000001001e2018
.text  C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                  0000000077b31780 5 bytes JMP 00000001001a1018
.text  C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                    0000000077b31cd0 5 bytes JMP 00000001001a0018
.text  C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                0000000077b31d80 5 bytes JMP 00000001001a2018
.text  C:\Windows\System32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                  0000000077b31780 5 bytes JMP 0000000100ce1018
.text  C:\Windows\System32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                    0000000077b31cd0 5 bytes JMP 0000000100ce0018
.text  C:\Windows\System32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                0000000077b31d80 5 bytes JMP 0000000100ce2018
.text  C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                  0000000077b31780 5 bytes JMP 0000000100ea1018
.text  C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                    0000000077b31cd0 5 bytes JMP 0000000100ea0018
.text  C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                0000000077b31d80 5 bytes JMP 0000000100ea2018
.text  C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100d31018
.text  C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100d30018
.text  C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100d32018
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100e01018
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100e00018
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100e02018
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100ba1018
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100ba0018
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100ba2018
.text  C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100bf1018
.text  C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100bf0018
.text  C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100bf2018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                            000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                           000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                                              000007feff2455c8 5 bytes JMP 000007ff7f250018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                               000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                 000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                           000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                    0000000077cdffec 5 bytes JMP 000000010011100c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                      0000000077ce0814 5 bytes JMP 000000010011000c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                  0000000077ce091c 5 bytes JMP 000000010011200c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                    0000000075ab48fd 5 bytes JMP 000000010011300c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                   0000000075ab79cf 5 bytes JMP 000000010011400c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                   0000000075897603 5 bytes JMP 000000010011500c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                          00000000758ceb7f 5 bytes JMP 000000010011b00c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                      0000000075a0c9ec 5 bytes JMP 000000010011600c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                0000000075a1361c 5 bytes JMP 000000010011800c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                    0000000075a270c4 5 bytes JMP 000000010011900c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                    0000000075a270dc 5 bytes JMP 000000010011700c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                   0000000075f29d4e 5 bytes JMP 000000010011a00c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                            00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                           00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                    0000000077cdffec 5 bytes JMP 00000001002b100c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                      0000000077ce0814 5 bytes JMP 00000001002b000c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                  0000000077ce091c 5 bytes JMP 00000001002b200c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                    0000000075ab48fd 5 bytes JMP 00000001002b300c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                   0000000075ab79cf 5 bytes JMP 00000001002b400c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                      0000000075a0c9ec 5 bytes JMP 00000001002b600c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                0000000075a1361c 5 bytes JMP 00000001002b800c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                    0000000075a270c4 5 bytes JMP 00000001002b900c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                    0000000075a270dc 5 bytes JMP 00000001002b700c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                   0000000075897603 5 bytes JMP 00000001002b500c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                          00000000758ceb7f 5 bytes JMP 00000001002bb00c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                   0000000075f29d4e 5 bytes JMP 00000001002ba00c
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                            00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe[1712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                           00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                0000000077b31780 5 bytes JMP 0000000103371018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                  0000000077b31cd0 5 bytes JMP 0000000103370018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                              0000000077b31d80 5 bytes JMP 0000000103372018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                              000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                             000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                               000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                   000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                             000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                                                                                000007feff2455c8 5 bytes JMP 000007ff7f250018
.text  C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100261018
.text  C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100260018
.text  C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100262018
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077cdffec 5 bytes JMP 00000001005c100c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077ce0814 5 bytes JMP 00000001005c000c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077ce091c 5 bytes JMP 00000001005c200c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                                                 0000000075ab48fd 5 bytes JMP 00000001005c300c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                                                0000000075ab79cf 5 bytes JMP 00000001005c400c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                                                   0000000075a0c9ec 5 bytes JMP 00000001005c600c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                                             0000000075a1361c 5 bytes JMP 00000001005c800c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                                 0000000075a270c4 5 bytes JMP 00000001005c900c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                                                 0000000075a270dc 5 bytes JMP 00000001005c700c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                                                0000000075897603 5 bytes JMP 00000001005c500c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                                                       00000000758ceb7f 5 bytes JMP 00000001005cb00c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                                                0000000075f29d4e 5 bytes JMP 00000001005ca00c
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                         00000000773d1465 2 bytes [3D, 77]
.text  C:\Windows\SysWOW64\svchost.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                        00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                     0000000077b31780 5 bytes JMP 0000000102171018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                       0000000077b31cd0 5 bytes JMP 0000000102170018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                   0000000077b31d80 5 bytes JMP 0000000102172018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                                   000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                                  000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                      000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                        000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\Dwm.exe[2000] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                                  000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                     0000000077cdffec 5 bytes JMP 000000010035100c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                       0000000077ce0814 5 bytes JMP 000000010035000c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                   0000000077ce091c 5 bytes JMP 000000010035200c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                     0000000075ab48fd 5 bytes JMP 000000010035300c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                    0000000075ab79cf 5 bytes JMP 000000010035400c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                    0000000075897603 5 bytes JMP 000000010035500c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                           00000000758ceb7f 5 bytes JMP 000000010035b00c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                       0000000075a0c9ec 5 bytes JMP 000000010035600c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                 0000000075a1361c 5 bytes JMP 000000010035800c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                     0000000075a270c4 5 bytes JMP 000000010035900c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                     0000000075a270dc 5 bytes JMP 000000010035700c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                    0000000075f29d4e 5 bytes JMP 000000010035a00c
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                             00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                            00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                   0000000077cdffec 5 bytes JMP 000000010014100c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                     0000000077ce0814 5 bytes JMP 000000010014000c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                 0000000077ce091c 5 bytes JMP 000000010014200c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                   0000000075ab48fd 5 bytes JMP 000000010014300c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                  0000000075ab79cf 5 bytes JMP 000000010014400c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                     0000000075a0c9ec 5 bytes JMP 000000010014600c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                               0000000075a1361c 5 bytes JMP 000000010014800c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                   0000000075a270c4 5 bytes JMP 000000010014900c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                   0000000075a270dc 5 bytes JMP 000000010014700c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                  0000000075897603 5 bytes JMP 000000010014500c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                         00000000758ceb7f 5 bytes JMP 000000010014b00c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                  0000000075f29d4e 5 bytes JMP 000000010014a00c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                           00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                          00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                         0000000077b31780 5 bytes JMP 0000000104911018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                           0000000077b31cd0 5 bytes JMP 0000000104910018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                       0000000077b31d80 5 bytes JMP 0000000104912018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                                       000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                                      000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                          000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                            000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                                      000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                                                                                                        00000000778cf874 5 bytes JMP 0000000104913018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\system32\USER32.dll!DdeConnect                                                                                                                                                               000000007790dec0 5 bytes JMP 0000000104914018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                                        000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\Explorer.EXE[3000] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                          000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                 0000000077b31780 5 bytes JMP 00000001022b1018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                   0000000077b31cd0 5 bytes JMP 00000001022b0018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                               0000000077b31d80 5 bytes JMP 00000001022b2018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                               000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                              000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                  000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                    000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                              000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1732] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                  000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                0000000077b31780 5 bytes JMP 0000000101ce1018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                  0000000077b31cd0 5 bytes JMP 0000000101ce0018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                              0000000077b31d80 5 bytes JMP 0000000101ce2018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                              000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                             000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                   000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                             000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                               000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\System32\igfxtray.exe[1740] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                   0000000077b31780 5 bytes JMP 00000001002b1018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                     0000000077b31cd0 5 bytes JMP 00000001002b0018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                                 0000000077b31d80 5 bytes JMP 00000001002b2018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                                 000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                                000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                    000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                      000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                                000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                                  000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\System32\hkcmd.exe[2796] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                    000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                0000000077b31780 5 bytes JMP 0000000101fe1018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                  0000000077b31cd0 5 bytes JMP 0000000101fe0018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                              0000000077b31d80 5 bytes JMP 0000000101fe2018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                              000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                             000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                 000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                   000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                             000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                               000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\System32\igfxpers.exe[2800] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                 000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                           0000000077b31780 5 bytes JMP 00000001025f1018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                             0000000077b31cd0 5 bytes JMP 00000001025f0018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                         0000000077b31d80 5 bytes JMP 00000001025f2018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                         000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                        000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                            000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                              000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                        000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                          000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Program Files\Elantech\ETDCtrl.exe[2896] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                            000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                              0000000077cdffec 5 bytes JMP 00000001003f100c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                0000000077ce0814 5 bytes JMP 00000001003f000c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                            0000000077ce091c 5 bytes JMP 00000001003f200c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                              0000000075ab48fd 5 bytes JMP 00000001003f300c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                             0000000075ab79cf 5 bytes JMP 00000001003f400c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                0000000075a0c9ec 5 bytes JMP 00000001003f600c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                          0000000075a1361c 5 bytes JMP 00000001003f800c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                              0000000075a270c4 5 bytes JMP 00000001003f900c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                              0000000075a270dc 5 bytes JMP 00000001003f700c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                             0000000075897603 5 bytes JMP 00000001003f500c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                    00000000758ceb7f 5 bytes JMP 00000001003fb00c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                             0000000075f29d4e 5 bytes JMP 00000001003fa00c
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                      00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                     00000000773d14bb 2 bytes [3D, 77]

Alt 01.01.2014, 14:00   #5
StefanA

Code:
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                    0000000077b31780 5 bytes JMP 0000000104591018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                      0000000077b31cd0 5 bytes JMP 0000000104590018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                  0000000077b31d80 5 bytes JMP 0000000104592018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                  000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                 000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                     000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                       000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                 000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                   000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2856] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                     000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                      0000000077cdffec 5 bytes JMP 0000000104da100c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                        0000000077ce0814 5 bytes JMP 0000000104da000c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                    0000000077ce091c 5 bytes JMP 0000000104da200c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                      0000000075ab48fd 5 bytes JMP 0000000104da300c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                     0000000075ab79cf 5 bytes JMP 0000000104da400c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                        0000000075a0c9ec 5 bytes JMP 0000000104da600c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                  0000000075a1361c 5 bytes JMP 0000000104da800c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                      0000000075a270c4 5 bytes JMP 0000000104da900c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                      0000000075a270dc 5 bytes JMP 0000000104da700c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                     0000000075897603 5 bytes JMP 0000000104da500c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                            00000000758ceb7f 5 bytes JMP 0000000104dab00c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                     0000000075f29d4e 5 bytes JMP 0000000104daa00c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                              00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                             00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                          0000000077cdffec 5 bytes JMP 00000001003f100c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                            0000000077ce0814 5 bytes JMP 00000001003f000c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                        0000000077ce091c 5 bytes JMP 00000001003f200c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                          0000000075ab48fd 5 bytes JMP 00000001003f300c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                         0000000075ab79cf 5 bytes JMP 00000001003f400c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                         0000000075897603 5 bytes JMP 00000001003f500c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                00000000758ceb7f 5 bytes JMP 00000001003fb00c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                            0000000075a0c9ec 5 bytes JMP 00000001003f600c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                      0000000075a1361c 5 bytes JMP 00000001003f800c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                          0000000075a270c4 5 bytes JMP 00000001003f900c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                          0000000075a270dc 5 bytes JMP 00000001003f700c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                         0000000075f29d4e 5 bytes JMP 00000001003fa00c
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                  00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                 00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                               0000000077cdffec 5 bytes JMP 000000010403100c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                 0000000077ce0814 5 bytes JMP 000000010403000c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                             0000000077ce091c 5 bytes JMP 000000010403200c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                               0000000075ab48fd 5 bytes JMP 000000010403300c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                              0000000075ab79cf 5 bytes JMP 000000010403400c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                              0000000075897603 5 bytes JMP 000000010403500c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                     00000000758ceb7f 5 bytes JMP 000000010403b00c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                 0000000075a0c9ec 5 bytes JMP 000000010403600c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                           0000000075a1361c 5 bytes JMP 000000010403800c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                               0000000075a270c4 5 bytes JMP 000000010403900c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                               0000000075a270dc 5 bytes JMP 000000010403700c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                              0000000075f29d4e 5 bytes JMP 000000010403a00c
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                       00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                      00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\F-Secure\Common\FSM32.EXE[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                                0000000077cdffec 5 bytes JMP 000000010523100c
.text  C:\Program Files (x86)\F-Secure\Common\FSM32.EXE[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                                  0000000077ce0814 5 bytes JMP 000000010523000c
.text  C:\Program Files (x86)\F-Secure\Common\FSM32.EXE[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                              0000000077ce091c 5 bytes JMP 000000010523200c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                      0000000077cdffec 5 bytes JMP 00000001002c100c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                        0000000077ce0814 5 bytes JMP 00000001002c000c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                    0000000077ce091c 5 bytes JMP 00000001002c200c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                      0000000075ab48fd 5 bytes JMP 00000001002c300c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                     0000000075ab79cf 5 bytes JMP 00000001002c400c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                     0000000075897603 5 bytes JMP 00000001002c500c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                            00000000758ceb7f 5 bytes JMP 00000001002ca00c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                        0000000075a0c9ec 3 bytes JMP 00000001002c600c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW + 4                                                                                                                    0000000075a0c9f0 1 byte [8A]
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                  0000000075a1361c 3 bytes JMP 00000001002c800c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle + 4                                                                                                              0000000075a13620 1 byte [8A]
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                      0000000075a270c4 5 bytes JMP 00000001002c900c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                      0000000075a270dc 5 bytes JMP 00000001002c700c
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                              00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                             00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                  0000000077cdffec 5 bytes JMP 000000010045100c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                    0000000077ce0814 5 bytes JMP 000000010045000c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                0000000077ce091c 5 bytes JMP 000000010045200c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                  0000000075ab48fd 5 bytes JMP 000000010045300c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                 0000000075ab79cf 5 bytes JMP 000000010045400c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                    0000000075a0c9ec 5 bytes JMP 000000010045600c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                              0000000075a1361c 5 bytes JMP 000000010045800c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                  0000000075a270c4 5 bytes JMP 000000010045900c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                  0000000075a270dc 5 bytes JMP 000000010045700c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                 0000000075897603 5 bytes JMP 000000010045500c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                        00000000758ceb7f 5 bytes JMP 000000010045b00c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                 0000000075f29d4e 5 bytes JMP 000000010045a00c
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                          00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                         00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                      000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                     000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                         000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                           000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1208] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                     000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 0000000100111018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 0000000100110018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 0000000100112018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                               000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                              000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                                000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                  000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                  000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                    000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\taskeng.exe[4136] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                              000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 00000001001a1018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 00000001001a0018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 00000001001a2018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                               000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                              000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                                000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                  000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                  000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                    000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                              000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                          0000000077cdffec 5 bytes JMP 000000010122100c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                            0000000077ce0814 5 bytes JMP 000000010122000c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                        0000000077ce091c 5 bytes JMP 000000010122200c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                          0000000075ab48fd 5 bytes JMP 000000010122300c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                         0000000075ab79cf 5 bytes JMP 000000010122400c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                            0000000075a0c9ec 5 bytes JMP 000000010122600c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                      0000000075a1361c 5 bytes JMP 000000010122800c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                          0000000075a270c4 5 bytes JMP 000000010122900c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                          0000000075a270dc 5 bytes JMP 000000010122700c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                         0000000075897603 5 bytes JMP 000000010122500c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                00000000758ceb7f 5 bytes JMP 000000010122b00c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                         0000000075f29d4e 5 bytes JMP 000000010122a00c
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                  00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                 00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                           0000000077b31780 5 bytes JMP 00000001045d1018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                             0000000077b31cd0 5 bytes JMP 00000001045d0018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                         0000000077b31d80 5 bytes JMP 00000001045d2018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                         000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                        000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                            000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                              000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                        000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                          000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\system32\SearchIndexer.exe[4376] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                            000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                                 0000000077b31780 5 bytes JMP 00000001001c1018
.text  C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                                   0000000077b31cd0 5 bytes JMP 00000001001c0018
.text  C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                               0000000077b31d80 5 bytes JMP 00000001001c2018
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                             0000000077cdffec 5 bytes JMP 0000000102ca100c
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                               0000000077ce0814 5 bytes JMP 0000000102ca000c
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                           0000000077ce091c 5 bytes JMP 0000000102ca200c
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                             0000000075ab48fd 5 bytes JMP 0000000102ca300c
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4620] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                            0000000075ab79cf 5 bytes JMP 0000000102ca400c
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                                                     0000000077b31780 5 bytes JMP 0000000101b41018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                                                       0000000077b31cd0 5 bytes JMP 0000000101b40018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess                                                                                                                                   0000000077b31d80 5 bytes JMP 0000000101b42018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                   000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                  000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                      000007fefef2642c 5 bytes JMP 000007ff7ef31018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                        000007fefef26484 5 bytes JMP 000007ff7ef30018
.text  C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                  000007fefef26518 5 bytes JMP 000007ff7ef32018
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                      0000000075ab48fd 5 bytes JMP 000000010024000c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                     0000000075ab79cf 5 bytes JMP 000000010024100c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                     0000000075897603 5 bytes JMP 000000010024200c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                            00000000758ceb7f 5 bytes JMP 000000010024800c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                        0000000075a0c9ec 5 bytes JMP 000000010024300c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                  0000000075a1361c 5 bytes JMP 000000010024500c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                      0000000075a270c4 5 bytes JMP 000000010024600c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                      0000000075a270dc 5 bytes JMP 000000010024400c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                     0000000075f29d4e 5 bytes JMP 000000010024700c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                              00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                             00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                                      0000000077cdffec 5 bytes JMP 00000001001e100c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                                        0000000077ce0814 5 bytes JMP 00000001001e000c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                                                    0000000077ce091c 5 bytes JMP 00000001001e200c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                                                      0000000075ab48fd 5 bytes JMP 00000001001e300c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                                                     0000000075ab79cf 5 bytes JMP 00000001001e400c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                                     0000000075897603 5 bytes JMP 00000001001e500c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                                            00000000758ceb7f 5 bytes JMP 00000001001eb00c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                                        0000000075a0c9ec 5 bytes JMP 00000001001e600c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                                                  0000000075a1361c 5 bytes JMP 00000001001e800c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                      0000000075a270c4 5 bytes JMP 00000001001e900c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                                      0000000075a270dc 5 bytes JMP 00000001001e700c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                                                     0000000075f29d4e 5 bytes JMP 00000001001ea00c
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                              00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[5692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                             00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                                                               000007fefd958ef0 5 bytes JMP 000007ff7d960018
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\KERNELBASE.dll!TerminateThread                                                                                                                                              000007fefd95c450 5 bytes JMP 000007ff7d961018
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\ole32.dll!CoCreateInstanceEx                                                                                                                                                000007feff7dde90 5 bytes JMP 000007ff7f801018
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                                                                                                  000007feff7f7490 5 bytes JMP 000007ff7f800018
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\SYSTEM32\sechost.dll!ControlService                                                                                                                                                  000007fefef2642c 5 bytes JMP 000007ff7f803018
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                                                                    000007fefef26484 5 bytes JMP 000007ff7f802018
.text  C:\Windows\system32\DllHost.exe[3996] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle                                                                                                                                              000007fefef26518 5 bytes JMP 000007ff7f804018
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960  000000002d1d5984 4 bytes [E2, 47, 58, 2B]
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                             0000000077cdffec 5 bytes JMP 00000001003f100c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                               0000000077ce0814 5 bytes JMP 00000001003f000c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess                                                                                           0000000077ce091c 5 bytes JMP 00000001003f200c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW                                                                                             0000000075ab48fd 5 bytes JMP 00000001003f300c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\kernel32.dll!TerminateThread                                                                                            0000000075ab79cf 5 bytes JMP 00000001003f400c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                            0000000075f29d4e 5 bytes JMP 00000001003fa00c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                            0000000075897603 5 bytes JMP 00000001003f500c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\USER32.dll!DdeConnect                                                                                                   00000000758ceb7f 5 bytes JMP 00000001003fb00c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                               0000000075a0c9ec 5 bytes JMP 00000001003f600c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                         0000000075a1361c 5 bytes JMP 00000001003f800c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                             0000000075a270c4 5 bytes JMP 00000001003f900c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                             0000000075a270dc 5 bytes JMP 00000001003f700c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                     00000000773d1465 2 bytes [3D, 77]
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                    00000000773d14bb 2 bytes [3D, 77]
.text  ...                                                                                                                                                                                                                                   * 2
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                0000000077cdf9e0 5 bytes JMP 0000000175486f86
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                          0000000077cdf9f8 5 bytes JMP 000000017548741f
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                              0000000077cdfa28 5 bytes JMP 0000000175481027
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                    0000000077cdfa40 5 bytes JMP 00000001754808b2
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                             0000000077cdfa90 5 bytes JMP 000000017548072c
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                        0000000077cdfaa8 5 bytes JMP 000000017548083a
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                            0000000077cdfb40 5 bytes JMP 00000001754813d1
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                   0000000077cdfc38 5 bytes JMP 00000001754853c5
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                         0000000077cdfd4c 5 bytes JMP 00000001754806b4
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                             0000000077cdfd64 5 bytes JMP 00000001754859b5
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                   0000000077cdfd98 5 bytes JMP 0000000175484a3a
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                      0000000077cdfe44 5 bytes JMP 0000000175487001
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                  0000000077cdfe5c 5 bytes JMP 0000000175485b37
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                           0000000077ce00b4 5 bytes JMP 00000001754857ed
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                          0000000077ce01c4 5 bytes JMP 000000017548092a
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                           0000000077ce09e4 5 bytes JMP 00000001754855e0
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                            0000000077ce09fc 5 bytes JMP 000000017547d7fa
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                       0000000077ce0a44 5 bytes JMP 000000017547d8c8
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                             0000000077ce0b80 5 bytes JMP 000000017547d861
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                      0000000077ce0f70 5 bytes JMP 00000001754809a2
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                             0000000077ce0f88 5 bytes JMP 0000000175480dff
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                            0000000077ce1018 5 bytes JMP 000000017548112f
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                              0000000077ce133c 5 bytes JMP 0000000175485bc7
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                0000000077ce147c 5 bytes JMP 0000000175480d83
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                  0000000077ce1528 5 bytes JMP 0000000175487397
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                            0000000077ce1718 5 bytes JMP 000000017547dd06
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                    0000000077ce1a58 5 bytes JMP 00000001754807b4
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                    0000000077ce1b9c 5 bytes JMP 000000017548712e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                      0000000075ab103d 5 bytes JMP 0000000175459bba
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                      0000000075ab1072 5 bytes JMP 0000000175459cf8
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!ReplaceFile                                                                                         0000000075ad0dac 5 bytes JMP 0000000175457e04
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                0000000075adc965 5 bytes JMP 0000000175459f2e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!ReplaceFileA                                                                                        0000000075b2eab9 5 bytes JMP 0000000175457d24
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                    0000000075b30083 5 bytes JMP 000000017545a851
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                    0000000075b3012b 5 bytes JMP 000000017545ab84
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                             0000000075b32c51 5 bytes JMP 000000017545a3f3
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                        0000000075b56afe 5 bytes JMP 0000000175488595
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                       0000000075b56bc2 5 bytes JMP 00000001754885a7
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                    0000000075762aa4 5 bytes JMP 000000017545ad8f
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                                       0000000075888a29 5 bytes JMP 000000017548857d
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                                       000000007588d22e 5 bytes JMP 0000000175488565
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\GDI32.dll!AddFontResourceW                                                                                       0000000075d0d3c2 5 bytes JMP 00000001754681eb
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\GDI32.dll!AddFontResourceA                                                                                       0000000075d0d8cb 1 byte JMP 00000001754681cf
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\GDI32.dll!AddFontResourceA + 2                                                                                   0000000075d0d8cd 3 bytes {JMP 0xffffffffff75a904}
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW                                                                              0000000075a01e3a 7 bytes JMP 000000017546b1d3
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW                                                                               0000000075a0b406 7 bytes JMP 000000017546c0f4
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW                                                                                  0000000075a27897 7 bytes JMP 000000017546b87a
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW                                                                              0000000075a27953 7 bytes JMP 000000017546ba2b
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA                                                                               0000000075a2a37a 7 bytes JMP 000000017546c1ba
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                                0000000075a42642 5 bytes JMP 000000017545a070
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA                                                                                  0000000075a61d74 7 bytes JMP 000000017546b932
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA                                                                              0000000075a61e11 7 bytes JMP 000000017546bae3
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA                                                                                 0000000075a62201 7 bytes JMP 000000017546c036
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA                                                                              0000000075a622e4 7 bytes JMP 000000017546b28a
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW                                                                                 0000000075a62401 5 bytes JMP 000000017546bf78
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ControlService                                                                                       0000000075e74d5c 7 bytes JMP 000000017546b018
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle                                                                                   0000000075e74dc3 7 bytes JMP 000000017546b341
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus                                                                                   0000000075e74e4b 7 bytes JMP 000000017546b0a4
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx                                                                                 0000000075e74eaf 7 bytes JMP 000000017546b137
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!StartServiceW                                                                                        0000000075e74f35 7 bytes JMP 000000017546ae93
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!StartServiceA                                                                                        0000000075e7508d 7 bytes JMP 000000017546af29
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity                                                                           0000000075e750f4 7 bytes JMP 000000017546be46
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                             0000000075e75181 7 bytes JMP 000000017546bee2
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                                 0000000075e75254 7 bytes JMP 000000017546b542
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                                 0000000075e753d5 7 bytes JMP 000000017546b45d
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                                0000000075e754c2 7 bytes JMP 000000017546b7e4
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                                0000000075e755e2 7 bytes JMP 000000017546b74e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                       0000000075e7567c 7 bytes JMP 000000017546ac75
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                       0000000075e7589f 7 bytes JMP 000000017546ab9f
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                        0000000075e75a22 7 bytes JMP 000000017546b3cf
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA                                                                                  0000000075e75a83 7 bytes JMP 000000017546bc75
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW                                                                                  0000000075e75b29 7 bytes JMP 000000017546bbdc
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA                                                                                    0000000075e75ca0 7 bytes JMP 000000017546a34f
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW                                                                                    0000000075e75d8c 7 bytes JMP 000000017546a2d6
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW                                                                                       0000000075e763ad 7 bytes JMP 000000017546a89d
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA                                                                                       0000000075e764f0 7 bytes JMP 000000017546a929
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A                                                                                 0000000075e76633 7 bytes JMP 000000017546bdaa
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W                                                                                 0000000075e7680c 7 bytes JMP 000000017546bd0e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenServiceW                                                                                         0000000075e7714b 7 bytes JMP 000000017546aa12
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\SysWOW64\sechost.dll!OpenServiceA                                                                                         0000000075e77245 7 bytes JMP 000000017546aa9e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid                                                                                      0000000075eec56e 5 bytes JMP 000000017547196d
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7                                                                               0000000075eeea09 7 bytes JMP 0000000175471f3e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleRun                                                                                                 0000000075ef07de 5 bytes JMP 0000000175471df9
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject                                                                                  0000000075ef21e1 5 bytes JMP 0000000175472a6e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleUninitialize                                                                                        0000000075efeba1 6 bytes JMP 0000000175471d18
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleInitialize                                                                                          0000000075efefd7 5 bytes JMP 0000000175471ca8
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoGetPSClsid                                                                                           0000000075f026b9 5 bytes JMP 0000000175471ae5
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoGetClassObject                                                                                       0000000075f154ad 5 bytes JMP 0000000175472ffc
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoInitializeEx                                                                                         0000000075f209ad 5 bytes JMP 0000000175471b58
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoUninitialize                                                                                         0000000075f286d3 5 bytes JMP 0000000175471bda
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                                                                       0000000075f29d0b 5 bytes JMP 00000001754742ca
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                     0000000075f29d4e 5 bytes JMP 0000000175472405
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7                                                                              0000000075f4bb09 7 bytes JMP 0000000175471e69
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject                                                                                    0000000075f6eacf 5 bytes JMP 00000001754713ca
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile                                                                                  0000000075fa340b 5 bytes JMP 00000001754734bc
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc                                                                                    0000000075fecfd9 5 bytes JMP 0000000175471d83
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject                                                                                000000007747279e 5 bytes JMP 000000017547165d
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject                                                                                  0000000077473294 5 bytes JMP 000000017547177e
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5008] C:\Windows\syswow64\oleaut32.dll!GetActiveObject                                                                                     0000000077488f40 5 bytes JMP 00000001754717f1

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6a3c77                                                                                                                                                           
Reg    HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde6a3c77 (not active ControlSet)                                                                                                                                       

---- Disk sectors - GMER 2.1 ----

Disk   \Device\Harddisk0\DR0                                                                                                                                                                                                                 unknown MBR code

---- EOF - GMER 2.1 ----


02.01.2014, 09:00   #6
schrauber
/// the machine
/// TB-Ausbilder

Combofix should only be run when a team member has instructed you to do so!
Please download Combofix from the following download mirror

Link 1


IMPORTANT - Save Combofix to your Desktop
  • Please disable all of your anti-virus and anti-malware/spyware scanners. They can interfere with Combofix while it works.
Run Combofix.exe and follow the on-screen instructions.

When Combofix has finished, it will create a log file. Please post C:\Combofix.txt in your next reply.


Note: If you get the following error message after the restart
Quote:
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
just restart the computer. That should fix the problem.
__________________

02.01.2014, 19:26   #7
StefanA

Hello Schrauber,

thank you very much for your competent and quick help. I think the evil has been removed.

The log is attached below.

Regards, Stefan

Combofix log file:
Code:
ComboFix 14-01-01.01 - Kathlen 02.01.2014  18:45:22.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.4010.2826 [GMT 1:00]
ausgeführt von:: d:\users\Kathlen\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
FW: F-Secure Internet Security 2011 10.51 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
SP: F-Secure Internet Security 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-12-02 bis 2014-01-02  ))))))))))))))))))))))))))))))
.
.
2014-01-02 17:52 . 2014-01-02 17:52	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-01-01 11:44 . 2013-12-04 03:28	10315576	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D525CC62-397A-4191-8C92-1504F45F414D}\mpengine.dll
2013-12-30 17:45 . 2013-12-30 17:45	--------	d-----w-	C:\FRST
2013-12-19 16:05 . 2013-12-19 16:05	--------	d-----w-	c:\users\Kathlen\AppData\Local\SoftwareUpdater
2013-12-15 13:22 . 2013-10-14 17:00	28368	----a-w-	c:\windows\system32\IEUDINIT.EXE
2013-12-12 21:19 . 2013-05-10 05:56	12625920	----a-w-	c:\windows\system32\wmploc.DLL
2013-12-12 21:19 . 2013-05-10 04:56	12625408	----a-w-	c:\windows\SysWow64\wmploc.DLL
2013-12-12 21:19 . 2013-05-10 04:30	167424	----a-w-	c:\program files\Windows Media Player\wmplayer.exe
2013-12-12 21:19 . 2013-05-10 03:48	164864	----a-w-	c:\program files (x86)\Windows Media Player\wmplayer.exe
2013-12-12 21:19 . 2013-05-10 05:56	14631424	----a-w-	c:\windows\system32\wmp.dll
2013-12-12 21:16 . 2013-10-12 02:32	150016	----a-w-	c:\windows\system32\wshom.ocx
2013-12-12 21:16 . 2013-10-12 02:31	202752	----a-w-	c:\windows\system32\scrrun.dll
2013-12-12 21:16 . 2013-10-12 02:04	121856	----a-w-	c:\windows\SysWow64\wshom.ocx
2013-12-12 21:16 . 2013-10-12 01:33	156160	----a-w-	c:\windows\system32\cscript.exe
2013-12-12 21:16 . 2013-10-12 02:03	163840	----a-w-	c:\windows\SysWow64\scrrun.dll
2013-12-12 21:16 . 2013-10-12 01:33	168960	----a-w-	c:\windows\system32\wscript.exe
2013-12-12 21:16 . 2013-10-12 01:15	141824	----a-w-	c:\windows\SysWow64\wscript.exe
2013-12-12 21:16 . 2013-10-12 01:15	126976	----a-w-	c:\windows\SysWow64\cscript.exe
2013-12-12 21:15 . 2013-10-30 02:32	335360	----a-w-	c:\windows\system32\msieftp.dll
2013-12-12 21:15 . 2013-10-30 02:19	301568	----a-w-	c:\windows\SysWow64\msieftp.dll
2013-12-12 21:15 . 2013-10-30 01:24	3155968	----a-w-	c:\windows\system32\win32k.sys
2013-12-12 21:15 . 2013-11-23 18:26	417792	----a-w-	c:\windows\SysWow64\WMPhoto.dll
2013-12-12 21:15 . 2013-11-23 17:47	465920	----a-w-	c:\windows\system32\WMPhoto.dll
2013-12-12 21:15 . 2013-10-19 02:18	81408	----a-w-	c:\windows\system32\imagehlp.dll
2013-12-12 21:15 . 2013-10-19 01:36	159232	----a-w-	c:\windows\SysWow64\imagehlp.dll
2013-12-12 21:15 . 2013-11-12 02:23	2048	----a-w-	c:\windows\system32\tzres.dll
2013-12-12 21:15 . 2013-11-12 02:07	2048	----a-w-	c:\windows\SysWow64\tzres.dll
2013-12-12 21:15 . 2013-10-04 02:16	116736	----a-w-	c:\windows\system32\drivers\drmk.sys
2013-12-12 21:15 . 2013-10-04 01:36	230400	----a-w-	c:\windows\system32\drivers\portcls.sys
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-15 13:45 . 2012-07-22 09:40	90708896	----a-w-	c:\windows\system32\MRT.exe
2013-12-10 20:57 . 2012-10-30 20:57	692616	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-10 20:57 . 2011-10-21 15:43	71048	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-19 02:33 . 2011-10-21 14:34	267936	------w-	c:\windows\system32\MpSigStub.exe
2013-10-12 02:30 . 2013-11-14 16:59	830464	----a-w-	c:\windows\system32\nshwfp.dll
2013-10-12 02:29 . 2013-11-14 16:59	859648	----a-w-	c:\windows\system32\IKEEXT.DLL
2013-10-12 02:29 . 2013-11-14 16:59	324096	----a-w-	c:\windows\system32\FWPUCLNT.DLL
2013-10-12 02:03 . 2013-11-14 16:59	656896	----a-w-	c:\windows\SysWow64\nshwfp.dll
2013-10-12 02:01 . 2013-11-14 16:59	216576	----a-w-	c:\windows\SysWow64\FWPUCLNT.DLL
2013-10-05 20:25 . 2013-11-14 17:00	1474048	----a-w-	c:\windows\system32\crypt32.dll
2013-10-05 19:57 . 2013-11-14 17:00	1168384	----a-w-	c:\windows\SysWow64\crypt32.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl10"="c:\program files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe" [2010-09-20 87336]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-09-22 5587832]
"F-Secure Manager"="c:\program files (x86)\F-Secure\Common\FSM32.EXE" [2011-10-21 201384]
"F-Secure TNB"="c:\program files (x86)\F-Secure\FSGUI\TNBUtil.exe" [2011-10-21 1655464]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SystemStoreService;System Store;c:\program files (x86)\SoftwareUpdater\SystemStore.exe  -displayname System Store -servicename SystemStoreService;c:\program files (x86)\SoftwareUpdater\SystemStore.exe  -displayname System Store -servicename SystemStoreService [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe;c:\windows\SYSNATIVE\SUPDSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys;c:\windows\SYSNATIVE\Drivers\fsbts.sys [x]
S0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\DRIVERS\tdrpm273.sys;c:\windows\SYSNATIVE\DRIVERS\tdrpm273.sys [x]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files (x86)\F-Secure\HIPS\drivers\fshs.sys;c:\program files (x86)\F-Secure\HIPS\drivers\fshs.sys [x]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys;c:\windows\SYSNATIVE\drivers\fses.sys [x]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys;c:\windows\SYSNATIVE\drivers\fsdfw.sys [x]
S1 fsvista;F-Secure Vista Support Driver;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys;c:\windows\SYSNATIVE\Drivers\SABI.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 afcdpsrv;Acronis Nonstop Backup-Dienst;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [x]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files (x86)\F-Secure\ORSP Client\fsorsp.exe;c:\program files (x86)\F-Secure\ORSP Client\fsorsp.exe [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners
.
2014-01-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-30 20:57]
.
2014-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-21 18:34]
.
2014-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-21 18:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-27 11780712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-14 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-14 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-14 418328]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-09-22 395344]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:tabs
uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
mDefault_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
mStart Page = about:tabs
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
mSearch Bar = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files (x86)\F-Secure\FSPS\program\FSLSP.DLL
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: !HIDDEN! 2011-12-29 17:54; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@DACL=(02 0000)
@=expand:"%SystemRoot%\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2014-01-02  18:54:48
ComboFix-quarantined-files.txt  2014-01-02 17:54
.
Vor Suchlauf: 9 Verzeichnis(se), 58.582.933.504 Bytes frei
Nach Suchlauf: 15 Verzeichnis(se), 58.503.217.152 Bytes frei
.
- - End Of File - - 1CE41B937BE04D4BE50009AE93676363

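Added example (not part of the thread and not ComboFix's own code): a small Python triage script over ComboFix-style log lines like the ones in the log above. It parses the service (R*/S*) and Run-key entries and the browser search-URL lines, and flags the patterns a helper looks for when reading such a log: an image path that carries its own command-line arguments (the SystemStoreService entry above), an autostart binary living in a user-writable profile or temp directory, and a search provider that is not on a short allowlist (the certified-toolbar URLs above). The sample input is constructed: most lines are copied from the posted log, the "ExampleUpdater" Run entry is made up to exercise the profile-directory heuristic, and the allowlist and path markers are my own assumptions, not anything ComboFix defines.

```python
import re

# Constructed sample input: the service, Run-key and search-URL lines are copied from
# the ComboFix log posted in this thread; the "ExampleUpdater" Run entry is made up so
# the user-profile heuristic has something to fire on. "hxxp" is ComboFix's defanging.
SAMPLE_LOG = r"""
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SystemStoreService;System Store;c:\program files (x86)\SoftwareUpdater\SystemStore.exe  -displayname System Store -servicename SystemStoreService;c:\program files (x86)\SoftwareUpdater\SystemStore.exe  -displayname System Store -servicename SystemStoreService [x]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys;c:\windows\SYSNATIVE\drivers\fsdfw.sys [x]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ExampleUpdater"="c:\users\example\AppData\Local\ExampleDir\updater.exe" [2014-01-02 12345]
uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - prefs.js: keyword.URL - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
"""

# ComboFix service line: "<start> <name>;<display name>;<image path>;<image path 2> [x]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^;]*);")
# Run-key line: "<value name>"="<image path>" [<date> <size>]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"')
# Any http(s)/hxxp(s) URL; the host ends at the first "/", "?" or whitespace.
URL_RE = re.compile(r"(?:hxxp|http)s?://(?P<host>[^/?\s]+)", re.IGNORECASE)
# Split an image path into the binary and whatever follows it.
ARGS_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|sys|dll))\s*(?P<args>.*)$", re.IGNORECASE)

# Assumed triage policy (my choice, not ComboFix's): autostart binaries under a user
# profile or temp directory deserve a second look, and only these search hosts are
# treated as expected defaults.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}


def image_reasons(image: str) -> list:
    """Return the reasons (if any) an autostart image path deserves attention."""
    reasons = []
    m = ARGS_RE.match(image.strip())
    if m and m.group("args"):
        # A service whose registered path carries its own -displayname/-servicename
        # arguments is unusual for vendor software; it is what the posted log shows.
        reasons.append("command-line arguments embedded in image path: " + m.group("args"))
    low = image.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary lives in a user-writable profile or temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Scan ComboFix-style lines and return deduplicated (kind, subject, reason) findings."""
    findings = []
    seen = set()

    def add(kind, subject, reason):
        key = (kind, subject, reason)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            for reason in image_reasons(m.group("image")):
                add("service", m.group("name"), reason)
            continue
        m = RUN_RE.match(line)
        if m:
            for reason in image_reasons(m.group("image")):
                add("autorun", m.group("name"), reason)
            continue
        # Browser search settings: IE's u/m*Search* values and Firefox keyword.URL.
        if "search" in line.lower():
            for um in URL_RE.finditer(line):
                host = um.group("host").lower()
                if host not in KNOWN_SEARCH_HOSTS:
                    add("search-url", host, "search provider not in allowlist")
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {subject}: {reason}")
```

Run against the sample it reports the SystemStoreService entry, the made-up ExampleUpdater entry and the certified-toolbar host once each, and stays quiet on the Skype, F-Secure and Adobe entries and on the Google URL. The heuristics are deliberately narrow; they are a first pass for reading a log, not a verdict, and a hit still needs the file checked before anything is removed.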
Alt 03.01.2014, 12:37   #8
schrauber
/// the machine
/// TB-Ausbilder
 

Windows7, Trojaner Software.Updater.UI.exe, Popup erscheint hartnäckig - Standard

Windows7, Trojaner Software.Updater.UI.exe, Popup erscheint hartnäckig



Please download Malwarebytes Anti-Malware
  • Install the program into the default path. (Illustrated guide to MBAM)
  • Start Malwarebytes' Anti-Malware (MBAM).
  • Then click Scan, select Threat Scan and click Start Scan.
  • At the end of the scan, let it move all detections (if any) to quarantine. To do so, click Remove Selected.
  • Let your computer restart if required to complete the cleanup.
  • Start MBAM, click History and then Application Logs.
  • Select the most recent scan log and click Export. Choose Text file (.txt) and save the file as mbam.txt on the desktop. You can find the MBAM logfile here.
  • Include the contents of mbam.txt in your next reply.


Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here.
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will restart automatically. After the restart a text file opens. Post its contents in your next reply.
  • You can also find the logfile under C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).

Please shut down your protection software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop

  • Start the tool with a double-click. On Windows Vista (or later) please start it with right-click "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan may take a while.
  • When the tool has finished, the logfile (JRT.txt) is saved on the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.


and a fresh FRST log please.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help
Trojaner-Board Facebook page

No help via PM!
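
One check a reader can run before and after the steps above, as an added example that is not part of the original thread (it is not code from Trojaner-Board or from any of the tools named): a PowerShell script that lists the persistence points the MBAM and AdwCleaner logs later in this thread show being cleaned, namely scheduled tasks whose action runs from a user-writable path, Run keys, the Internet Explorer search values, and the Firefox prefs.js search lines. It assumes PowerShell 2.0 as shipped with Windows 7 (so it uses the Schedule.Service COM object rather than Get-ScheduledTask, which only exists from Windows 8 on) and an elevated prompt; the two regex patterns for "user-writable path" and "known search engine" are the example's own assumptions, not settings of any tool.

```powershell
# Added example (not from the original thread, Trojaner-Board, or any of the tools named above).
# Lists the persistence points the AdwCleaner/MBAM logs in this thread show being cleaned:
# scheduled tasks launching from user-writable paths, Run keys, Internet Explorer search
# values, and Firefox prefs.js search lines. Written for PowerShell 2.0 as shipped with
# Windows 7 (Get-ScheduledTask does not exist there, hence the Schedule.Service COM object).
# Run from an elevated prompt. Both regex patterns below are assumptions, not tool settings.

$suspectPath = 'AppData|ProgramData|\\Temp\\|\\Users\\'                 # assumption: user-writable locations
$knownSearch = '^https?://(www\.)?(google|bing|yahoo|msn|microsoft)\.'  # assumption: engines we accept

# --- 1. Scheduled tasks ---------------------------------------------------------------
# A task that re-launches an EXE from the profile survives killing the process in Task
# Manager; the "Software Updater" / "Software Updater Ui" tasks in the AdwCleaner log are
# this kind of entry. Walk every task folder, including hidden tasks.
function Get-TaskActions($folder) {
    foreach ($task in $folder.GetTasks(1)) {                 # 1 = TASK_ENUM_HIDDEN
        $xml = [xml]$task.Xml
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if ($exec -eq $null) { continue }                # ComHandler-only tasks; PS 2.0 iterates $null once
            New-Object PSObject -Property @{
                Task    = $task.Path
                Enabled = $task.Enabled
                Command = [string]$exec.Command
                Args    = [string]$exec.Arguments
            }
        }
    }
    foreach ($sub in $folder.GetFolders(0)) { Get-TaskActions $sub }
}

$sched = New-Object -ComObject 'Schedule.Service'
$sched.Connect()
"== Scheduled tasks whose action runs from a user-writable path =="
Get-TaskActions $sched.GetFolder('\') |
    Where-Object { $_.Command -match $suspectPath } |
    Format-Table Task, Enabled, Command, Args -AutoSize

# --- 2. Run keys (64-bit view, 32-bit Wow6432Node view, and the current user) ---------
"== Run keys =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($path in $runKeys) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        '{0} [{1}] = {2}' -f $path, $name, $key.GetValue($name)
    }
}

# --- 3. Internet Explorer search/start values not pointing at a known engine -----------
# These are the values MBAM reported as Hijack.SearchPage and AdwCleaner restored.
"== IE search settings pointing somewhere unexpected =="
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\Software\Microsoft\Internet Explorer\Main',
          'HKCU:\Software\Microsoft\Internet Explorer\Search',
          'HKLM:\Software\Microsoft\Internet Explorer\Search',
          'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl',
          'HKLM:\Software\Microsoft\Internet Explorer\SearchUrl'
$ieValues = 'Start Page', 'Search Page', 'Search Bar', 'Default_Search_URL', ''   # '' = (Default)
foreach ($path in $ieKeys) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item $path
    foreach ($name in $ieValues) {
        $value = $key.GetValue($name)
        if ($value -and ($value -notmatch $knownSearch)) {
            '{0} [{1}] = {2}' -f $path, $name, $value
        }
    }
}

# --- 4. Firefox: the prefs.js lines AdwCleaner deletes --------------------------------
"== Firefox search preferences =="
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem $profiles -Recurse -Filter prefs.js |
        Select-String -Pattern 'keyword\.URL|browser\.search\.(defaultengine|selectedEngine|order)' |
        ForEach-Object { '{0}: {1}' -f $_.Path, $_.Line.Trim() }
}
```

Run it once before the cleanup to see what the scanners are going to touch and once afterwards to confirm the task and search entries are gone; everything it lists is for review only, nothing is modified. The scheduled-task section is the part that explains a popup which comes back after its process is killed in Task Manager: as long as a task re-launches the executable, ending the process does nothing.
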

06.01.2014, 19:14   #9
StefanA

Hello Schrauber,
I have now carried out the steps you gave.
Malwarebytes: worked, log below.
AdwCleaner: worked, log below.
Junkware Removal Tool: unfortunately did not work. I found the latest version, JRT_6.0.8, which I started as admin. It then asked about the version update, which I confirmed with "y". Unfortunately I get the message "the tool was not able to download to the desktop". F-Secure was switched off.

Thanks and regards,
Stefan

Code:
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.06.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Kathlen :: KATHLEN-PC [administrator]

Protection: Enabled

06.01.2014 16:53:34
mbam-log-2014-01-06 (16-53-34).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 400742
Time elapsed: 1 hour(s), 26 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199} (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48d2-9061-8BBD4899EB08} (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.
HKCU\Software\Iminent (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.
HKLM\Software\Iminent (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bad: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Good: (hxxp://www.google.com) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (Hijack.SearchPage) -> Bad: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Good: (hxxp://www.google.com/) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bad: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Good: (hxxp://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bad: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Good: (hxxp://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bad: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Good: (hxxp://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (Hijack.SearchPage) -> Bad: (hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=) Good: (hxxp://www.google.com/) -> Quarantined and repaired successfully.

Folders Detected: 2
C:\Users\Kathlen\AppData\Local\DownloadGuide (PUP.Optional.DownloadGuide.A) -> Quarantined and deleted successfully.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers (PUP.Optional.DownloadGuide.A) -> Quarantined and deleted successfully.

Files Detected: 7
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\HomeTab.exe (PUP.Optional.HomeTab.A) -> Quarantined and deleted successfully.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\iminent.exe (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.
D:\Users\Kathlen\Downloads\ZipExtractorSetup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.
C:\Users\Kathlen\AppData\Local\DownloadGuide\amazon.ico (PUP.Optional.DownloadGuide.A) -> Quarantined and deleted successfully.
C:\Users\Kathlen\AppData\Local\DownloadGuide\FreeSystemUtilities.exe (PUP.Optional.DownloadGuide.A) -> Quarantined and deleted successfully.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\autocompletepro.exe (PUP.Optional.DownloadGuide.A) -> Quarantined and deleted successfully.
C:\Users\Kathlen\AppData\Local\DownloadGuide\Offers\gutscheincodes.exe (PUP.Optional.DownloadGuide.A) -> Quarantined and deleted successfully.

(end)
         
AdwCleaner logfile:
Code:
# AdwCleaner v3.016 - Report created 06/01/2014 at 18:47:19
# Updated 23/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Kathlen - KATHLEN-PC
# Running from : D:\Users\Kathlen\Desktop\adwcleaner_3.016.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : SystemStoreService

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\GutscheinFinder
Folder Deleted : C:\Program Files (x86)\Iminent
Folder Deleted : C:\Program Files (x86)\Protected Search
Folder Deleted : C:\Users\Kathlen\AppData\Local\Software_Updater
Folder Deleted : C:\Users\Kathlen\AppData\Local\SoftwareUpdater
Folder Deleted : C:\Users\Kathlen\AppData\LocalLow\SimplyTech
File Deleted : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\searchplugins\Web Search.xml
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\Web Search.xml
File Deleted : C:\Windows\System32\Tasks\Software Updater Ui
File Deleted : C:\Windows\System32\Tasks\Software Updater

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\iMesh.AudioCD
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4C4F1F4-3074-4CB6-9FB8-0A64273166F0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFD485F0-96BD-47CD-BB6D-CD7DDA95F102}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKCU\Software\simplytech
Key Deleted : HKCU\Software\AppDataLow\Software\simplytech
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Search Bar]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Search [Search Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [(Default)]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)]

-\\ Mozilla Firefox v26.0 (de)

[ File : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultengine", "Web Search");
Line Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Line Deleted : user_pref("browser.search.order.1", "Web Search");
Line Deleted : user_pref("browser.search.selectedEngine", "Web Search");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.ROOTEXTENSION", "chrome://iminentwebbooster/content/minibar");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.Services.BHPCode", "01");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultEvent", "000");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultWebSite", "000");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.Services.IminentClientCode", "11");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.Services.SmartFavCode", "02");
Line Deleted : user_pref("iminent.webbooster.scripts.minibar.registerToolbarEvent102", "1368292009788");
Line Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=");

*************************

AdwCleaner[R0].txt - [14969 octets] - [06/01/2014 18:45:09]
AdwCleaner[S0].txt - [13698 octets] - [06/01/2014 18:47:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [13759 octets] ##########
         
--- --- ---


AdwCleaner logfile:
Code:
# AdwCleaner v3.016 - Report created 06/01/2014 at 18:45:09
# Updated 23/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Kathlen - KATHLEN-PC
# Running from : D:\Users\Kathlen\Desktop\adwcleaner_3.016.exe
# Option : Scan

***** [ Services ] *****

Service Found : SystemStoreService

***** [ Files / Folders ] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\Web Search.xml
File Found : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\searchplugins\Web Search.xml
File Found : C:\Windows\System32\Tasks\Software Updater
File Found : C:\Windows\System32\Tasks\Software Updater Ui
Folder Found : C:\Program Files (x86)\GutscheinFinder
Folder Found : C:\Program Files (x86)\Iminent
Folder Found : C:\Program Files (x86)\Protected Search
Folder Found : C:\Users\Kathlen\AppData\Local\Software_Updater
Folder Found : C:\Users\Kathlen\AppData\Local\SoftwareUpdater
Folder Found : C:\Users\Kathlen\AppData\LocalLow\SimplyTech

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\simplytech
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Found : HKCU\Software\simplytech
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : [x64] HKCU\Software\simplytech
Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Key Found : HKLM\SOFTWARE\Classes\iMesh.AudioCD
Key Found : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Found : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Found : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Found : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Found : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C4C4F1F4-3074-4CB6-9FB8-0A64273166F0}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFD485F0-96BD-47CD-BB6D-CD7DDA95F102}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HomeTab_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Search [Search Bar] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Search [Search Page] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page] - hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=
Setting Found : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [(Default)] - hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=%s
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)] - hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=%s

-\\ Mozilla Firefox v26.0 (de)

[ File : C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Web Search");
Line Found : user_pref("browser.search.defaultenginename", "Web Search");
Zeile gefunden : user_pref("browser.search.order.1", "Web Search");
Zeile gefunden : user_pref("browser.search.selectedEngine", "Web Search");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.ROOTEXTENSION", "chrome://iminentwebbooster/content/minibar");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.BHPCode", "01");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultEvent", "000");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.DefaultWebSite", "000");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.IminentClientCode", "11");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.Services.SmartFavCode", "02");
Zeile gefunden : user_pref("iminent.webbooster.scripts.minibar.registerToolbarEvent102", "1368292009788");
Zeile gefunden : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=&st=chrome&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q=");

*************************

AdwCleaner[R0].txt - [14647 octets] - [06/01/2014 18:45:09]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [14708 octets] ##########
         
--- --- ---

Alt 07.01.2014, 10:19   #10
schrauber
/// the machine
/// TB-Ausbilder
 

ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start ESET Online Scanner
  • Tick Yes, I accept the terms of use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • When the scan has finished, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Locate C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Please download SecurityCheck and:

  • Save it to the Desktop.
  • Start SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
  • Post its contents here.

And a fresh FRST log, please. Any problems left?
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help
Trojaner-Board Facebook page

No help via PM!

Alt 12.01.2014, 13:13   #11
StefanA
 

Hello Schrauber,

Unfortunately I won't have time to carry out the next steps until February. If at all possible, please don't close the thread yet. I will then get back to you with the result log.

Thanks, regards,
Stefan

Alt 13.01.2014, 10:11   #12
schrauber
/// the machine
/// TB-Ausbilder
 

All right.
__________________
regards,
schrauber


Alt 09.02.2014, 18:18   #13
StefanA
 

Hello Schrauber,

thanks for keeping the post open. I have installed ESET and run it on all drives; the log is attached.

Regards,
Stefan

Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=bfac543b41dc0b44922c1e0aa9c62607
# engine=17003
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-02-09 03:51:55
# local_time=2014-02-09 04:51:55 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=2310 16777213 100 94 24073 72750106 0 0
# compatibility_mode=5893 16776573 100 94 104402 143590965 0 0
# scanned=212570
# found=0
# cleaned=0
# scan_time=10881
         
And here is the SecurityCheck...
Code:
 Results of screen317's Security Check version 0.99.78  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
F-Secure Internet Security 2011 10.51   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 11.9.900.170  
 Adobe Reader XI  
 Mozilla Firefox (26.0) 
````````Process Check: objlist.exe by Laurent````````  
 F-Secure Anti-Virus fsgk32st.exe  
 F-Secure Anti-Virus FSGK32.EXE  
 F-Secure Anti-Virus fssm32.exe  
 F-Secure Anti-Virus fsav32.exe  
 Acronis TrueImageHome OnlineBackupStandalone TrueImageMonitor.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         

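As an added example (not code from ESET, FRST or anyone in this thread): a small Python parser for the ESET Online Scanner log header in the format posted above. It extracts the counters, returns a verdict, and lists scan options that differ from what the helper asked for; on the posted log it flags that the scan ran with unwanted_checked=false although the instructions asked for detection of potentially unwanted applications. The mapping of that checkbox to the unwanted_checked field is an assumption, and the second sample log is constructed.

```python
"""ESET Online Scanner log-header summary (format as posted in this thread).
Added example, not code from ESET or this forum; second sample is constructed."""
import re
from typing import Dict, List

# Lines look like "# scanned=212570"; banner lines ("all ok", ...) are skipped.
HEADER_RE = re.compile(r"^#\s*(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*)$")
INT_FIELDS = {"version", "engine", "scanned", "found", "cleaned", "scan_time"}
BOOL_FIELDS = {"remove_checked", "archives_checked", "unwanted_checked",
               "unsafe_checked", "antistealth_checked"}
# Assumption: the "detection of potentially unwanted applications" option the
# helper asked for is what the log records as unwanted_checked.
EXPECTED_SETTINGS = {"unwanted_checked": True, "antistealth_checked": True,
                     "archives_checked": True}

# Header lines quoted from the log posted in this thread.
POSTED_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=bfac543b41dc0b44922c1e0aa9c62607
# engine=17003
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-02-09 03:51:55
# local_time=2014-02-09 04:51:55 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=2310 16777213 100 94 24073 72750106 0 0
# compatibility_mode=5893 16776573 100 94 104402 143590965 0 0
# scanned=212570
# found=0
# cleaned=0
# scan_time=10881
"""

# Constructed: detections reported but not removed (remove_checked=false).
CONSTRUCTED_LOG = """\
# end=finished
# remove_checked=false
# unwanted_checked=true
# archives_checked=true
# antistealth_checked=true
# found=3
# cleaned=0
"""


def parse_eset_log(text: str) -> Dict[str, object]:
    """Turn the '# key=value' header into a dict; repeated keys become a list."""
    fields: Dict[str, object] = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group("key"), m.group("value").strip()
        value: object = raw
        if key in INT_FIELDS:
            value = int(raw)
        elif key in BOOL_FIELDS:
            value = raw.lower() == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]  # country="Germany"
        if key in fields:  # e.g. the two compatibility_mode lines
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields


def assess(fields: Dict[str, object]) -> str:
    """Verdict: incomplete, clean, cleaned, or found-not-cleaned."""
    if fields.get("end") != "finished":
        return "incomplete"
    found, cleaned = fields.get("found", 0), fields.get("cleaned", 0)
    if found == 0:
        return "clean"
    return "cleaned" if cleaned >= found else "found-not-cleaned"


def check_settings(fields: Dict[str, object]) -> List[str]:
    """Scan options that differ from what the helper asked for."""
    return sorted(k for k, want in EXPECTED_SETTINGS.items()
                  if fields.get(k) is not want)
```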
Alt 10.02.2014, 12:47   #14
schrauber
/// the machine
/// TB-Ausbilder
 

A fresh FRST is still missing. Any problems left?
__________________
regards,
schrauber


Alt 15.02.2014, 12:04   #15
StefanA
 

Hello Schrauber,

here is the FRST as well.

Thanks for your help,
Stefan


FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-02-2014 01
Ran by Kathlen (administrator) on KATHLEN-PC on 15-02-2014 11:53:15
Running from D:\Users\Kathlen\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal


==================== Processes (Whitelisted) =================

(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\FSGK32.EXE
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSHDLL32.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSHDLL64.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\FWES\Program\fsdfwd.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fssm32.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Anti-Virus\fsav32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\srspanel_64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Common\FSM32.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
(Intel® Corporation) C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Spam Control\fsscoepl_x64.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\SamsungFastStart\SmartRestarter.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel(R) Corporation) C:\Program Files\Intel\TurboBoost\TurboBoost.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Samsung Electronics) C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
(SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11780712 2011-02-27] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [395344 2011-09-22] (Acronis)
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-10-08] ()
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe [87336 2010-09-20] (CyberLink Corp.)
HKLM-x32\...\Run: [TrueImageMonitor.exe] - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5587832 2011-09-22] (Acronis)
HKLM-x32\...\Run: [F-Secure Manager] - C:\Program Files (x86)\F-Secure\Common\FSM32.EXE [201384 2011-10-21] (F-Secure Corporation)
HKLM-x32\...\Run: [F-Secure TNB] - C:\Program Files (x86)\F-Secure\FSGUI\TNBUtil.exe [1655464 2011-10-21] (F-Secure Corporation)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [SAOB Monitor] - C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2571032 2011-09-22] (Acronis)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Startup: C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (No File)
Startup: C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Überwachungstool für die Intel® Turbo-Boost-Technik 2.0.lnk
ShortcutTarget: Überwachungstool für die Intel® Turbo-Boost-Technik 2.0.lnk -> C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (Intel® Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:tabs
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:tabs
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKCU - {7AF10BB5-1A3E-4F5E-9FA5-21102412DB25} URL = hxxp://search.certified-toolbar.com?si=&st=bs&tid=3580&ver=3.5&ts=1368346548639&tguid=43169-3580-1368346548639-C7A7C70CED0BD778E6208155C231CFB5&q={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Samsung BHO Class - {AA609D72-8482-4076-8991-8CDAE5B93BCB} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll ()
BHO-x32: Browsing Protection Class - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files (x86)\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM-x32 - Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files (x86)\F-Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog9 01 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 02 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 03 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 04 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 05 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 06 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 07 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 08 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 09 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 10 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 11 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9 23 C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL [194232] (F-Secure Corporation)
Winsock: Catalog9-x64 01 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 02 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 03 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 04 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 05 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 06 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 07 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 08 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 09 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 10 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 11 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Winsock: Catalog9-x64 23 C:\Program Files (x86)\F-Secure\FSPS\program\fslsp_x64.dll [224952] (F-Secure Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Kathlen\AppData\Roaming\Mozilla\Firefox\Profiles\l2abf66u.default
FF Homepage: about:home
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.15.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF HKLM-x32\...\Firefox\Extensions: [litmus-ff@f-secure.com] - C:\Program Files (x86)\F-Secure\NRS\litmus-ff@f-secure.com
FF Extension: Browsing Protection - C:\Program Files (x86)\F-Secure\NRS\litmus-ff@f-secure.com [2011-10-21]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-12-29]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-12-29]

==================== Services (Whitelisted) =================

R2 F-Secure Gatekeeper Handler Starter; C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe [221864 2011-10-21] (F-Secure Corporation)
R3 FSDFWD; C:\Program Files (x86)\F-Secure\FWES\Program\fsdfwd.exe [849576 2011-10-21] (F-Secure Corporation)
R2 FSMA; C:\Program Files (x86)\F-Secure\Common\FSMA32.EXE [189096 2011-10-21] (F-Secure Corporation)
R3 FSORSPClient; C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe [60352 2013-06-06] (F-Secure Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] ()

==================== Drivers (Whitelisted) ====================

R3 F-Secure Gatekeeper; C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [202176 2013-07-10] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\F-Secure\HIPS\drivers\fshs.sys [61960 2011-10-21] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2012-08-20] ()
R0 fsbts; C:\Windows\SysWOW64\Drivers\fsbts.sys [42672 2011-10-21] ()
R1 FSES; C:\Windows\System32\drivers\fses.sys [46664 2011-10-21] (F-Secure Corporation)
R1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [95784 2011-10-21] (F-Secure Corporation)
R1 fsvista; C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [15016 2011-10-21] ()
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [117040 2011-10-03] (Oracle Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-15 11:37 - 2014-02-15 11:37 - 00003324 _____ () C:\Windows\System32\Tasks\SamsungSupportCenter
2014-02-15 11:37 - 2014-02-15 11:37 - 00002078 _____ () C:\Users\Public\Desktop\Samsung Support Center.lnk
2014-02-13 22:14 - 2013-12-21 10:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-13 22:14 - 2013-12-21 09:56 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-02-13 22:13 - 2014-02-06 13:16 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-13 22:13 - 2014-02-06 12:30 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-13 22:13 - 2014-02-06 12:30 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-13 22:13 - 2014-02-06 12:12 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-13 22:13 - 2014-02-06 12:07 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-13 22:13 - 2014-02-06 12:06 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-13 22:13 - 2014-02-06 11:57 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-13 22:13 - 2014-02-06 11:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-13 22:13 - 2014-02-06 11:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-13 22:13 - 2014-02-06 11:49 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-13 22:13 - 2014-02-06 11:48 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-13 22:13 - 2014-02-06 11:48 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-13 22:13 - 2014-02-06 11:38 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-13 22:13 - 2014-02-06 11:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-13 22:13 - 2014-02-06 11:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-13 22:13 - 2014-02-06 11:17 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-13 22:13 - 2014-02-06 11:11 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-13 22:13 - 2014-02-06 11:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-13 22:13 - 2014-02-06 11:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-13 22:13 - 2014-02-06 10:57 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-13 22:13 - 2014-02-06 10:57 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-13 22:13 - 2014-02-06 10:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-13 22:13 - 2014-02-06 10:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-13 22:13 - 2014-02-06 10:50 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-13 22:13 - 2014-02-06 10:49 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-13 22:13 - 2014-02-06 10:47 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-13 22:13 - 2014-02-06 10:46 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-13 22:13 - 2014-02-06 10:25 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-13 22:13 - 2014-02-06 10:25 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-13 22:13 - 2014-02-06 10:24 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-13 22:13 - 2014-02-06 10:22 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-13 22:13 - 2014-02-06 10:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-13 22:13 - 2014-02-06 10:09 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-13 22:13 - 2014-02-06 10:03 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-13 22:13 - 2014-02-06 09:55 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-13 22:13 - 2014-02-06 09:41 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-13 22:13 - 2014-02-06 09:40 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-13 22:13 - 2014-02-06 09:36 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-13 22:13 - 2014-02-06 09:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-13 22:09 - 2014-01-01 00:05 - 00420008 _____ () C:\Windows\SysWOW64\locale.nls
2014-02-13 22:09 - 2014-01-01 00:04 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-02-13 22:09 - 2013-12-25 00:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-02-13 22:09 - 2013-12-24 23:48 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-13 22:09 - 2013-12-06 03:30 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-13 22:09 - 2013-12-06 03:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-13 22:09 - 2013-12-06 03:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-02-13 22:09 - 2013-12-06 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00485888 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-02-13 22:09 - 2013-12-04 03:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-02-13 22:09 - 2013-12-04 03:26 - 00528384 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-13 22:09 - 2013-12-04 03:16 - 00658432 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-02-13 22:09 - 2013-12-04 03:16 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-02-13 22:09 - 2013-12-04 03:16 - 00553984 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-02-13 22:09 - 2013-12-04 03:16 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-02-13 22:09 - 2013-12-04 03:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc.dll
2014-02-13 22:09 - 2013-12-04 03:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_isv.dll
2014-02-13 22:09 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp_isv.dll
2014-02-13 22:09 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp.dll
2014-02-13 22:09 - 2013-12-04 03:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdrm.dll
2014-02-13 22:09 - 2013-12-04 02:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_isv.exe
2014-02-13 22:09 - 2013-12-04 02:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate.exe
2014-02-13 22:09 - 2013-12-04 02:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp.exe
2014-02-13 22:09 - 2013-12-04 02:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
2014-02-13 22:09 - 2013-11-26 09:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2014-02-13 22:09 - 2013-11-22 23:48 - 03928064 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll

==================== One Month Modified Files and Folders =======

2014-02-15 11:53 - 2013-12-30 18:45 - 00000000 ____D () C:\FRST
2014-02-15 11:40 - 2012-10-30 21:57 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-15 11:37 - 2014-02-15 11:37 - 00003324 _____ () C:\Windows\System32\Tasks\SamsungSupportCenter
2014-02-15 11:37 - 2014-02-15 11:37 - 00002078 _____ () C:\Users\Public\Desktop\Samsung Support Center.lnk
2014-02-15 11:37 - 2011-03-17 05:38 - 00000000 ____D () C:\Program Files (x86)\Samsung
2014-02-15 11:36 - 2011-10-21 19:36 - 00001112 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-15 11:33 - 2011-03-17 05:36 - 01358413 _____ () C:\Windows\WindowsUpdate.log
2014-02-15 11:30 - 2009-07-14 05:45 - 00014144 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-15 11:30 - 2009-07-14 05:45 - 00014144 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-15 11:25 - 2011-10-21 19:35 - 00001108 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-15 11:24 - 2013-10-09 18:33 - 00008512 _____ () C:\Windows\setupact.log
2014-02-15 11:24 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-13 22:23 - 2011-03-17 22:00 - 00661980 _____ () C:\Windows\system32\perfh007.dat
2014-02-13 22:23 - 2011-03-17 22:00 - 00133678 _____ () C:\Windows\system32\perfc007.dat
2014-02-13 22:23 - 2009-07-14 06:13 - 01544098 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-11 17:32 - 2014-01-02 19:00 - 00003804 _____ () C:\Windows\PFRO.log
2014-02-10 23:02 - 2011-10-21 17:42 - 00000000 ____D () C:\Users\Kathlen\AppData\Roaming\SoftGrid Client
2014-02-08 12:40 - 2012-10-30 21:57 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-08 12:40 - 2012-10-30 21:57 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-08 12:40 - 2011-10-21 16:43 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-06 13:16 - 2014-02-13 22:13 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-06 12:30 - 2014-02-13 22:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-06 12:30 - 2014-02-13 22:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-06 12:12 - 2014-02-13 22:13 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-06 12:07 - 2014-02-13 22:13 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-06 12:06 - 2014-02-13 22:13 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-06 11:57 - 2014-02-13 22:13 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-06 11:56 - 2014-02-13 22:13 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-06 11:52 - 2014-02-13 22:13 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-06 11:49 - 2014-02-13 22:13 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-06 11:48 - 2014-02-13 22:13 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-06 11:48 - 2014-02-13 22:13 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-06 11:38 - 2014-02-13 22:13 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-06 11:32 - 2014-02-13 22:13 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-06 11:20 - 2014-02-13 22:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-06 11:17 - 2014-02-13 22:13 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-06 11:11 - 2014-02-13 22:13 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-06 11:01 - 2014-02-13 22:13 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-06 11:00 - 2014-02-13 22:13 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-06 10:57 - 2014-02-13 22:13 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-06 10:57 - 2014-02-13 22:13 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-06 10:52 - 2014-02-13 22:13 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-06 10:52 - 2014-02-13 22:13 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-06 10:50 - 2014-02-13 22:13 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-06 10:49 - 2014-02-13 22:13 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-06 10:47 - 2014-02-13 22:13 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-06 10:46 - 2014-02-13 22:13 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-06 10:25 - 2014-02-13 22:13 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-06 10:25 - 2014-02-13 22:13 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-06 10:24 - 2014-02-13 22:13 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-06 10:22 - 2014-02-13 22:13 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-06 10:13 - 2014-02-13 22:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-06 10:09 - 2014-02-13 22:13 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-06 10:03 - 2014-02-13 22:13 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-06 09:55 - 2014-02-13 22:13 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-06 09:41 - 2014-02-13 22:13 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-06 09:40 - 2014-02-13 22:13 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-06 09:36 - 2014-02-13 22:13 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-06 09:34 - 2014-02-13 22:13 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-01-23 18:55 - 2011-10-21 15:59 - 00000000 ____D () C:\Users\Kathlen\AppData\Roaming\Acronis
2014-01-20 18:49 - 2009-07-14 06:08 - 00032632 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-20 09:27 - 2011-10-31 13:26 - 00000000 ____D () C:\Windows\pss
2014-01-20 09:27 - 2011-10-21 15:22 - 00000000 ___RD () C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Some content of TEMP:
====================
C:\Users\Kathlen\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-02-09 10:44

==================== End Of Log ============================
         
--- --- ---
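Added example, not part of the original post and not code from FRST itself: a small Python triage helper for the FRST log format shown above. It parses the dated entries of the "One Month Created/Modified Files and Folders" sections (modification time, creation time, size, attribute flags, publisher name, path), the bare paths under "Some content of TEMP:", and the "Bamital & volsnap Check" verdicts, and surfaces what an analyst scans for first: binaries with no publisher name, binaries sitting in a Temp folder, scheduled tasks and Startup-folder entries (persistence), and system files whose hash check did not return the literal "MD5 is legit". The sample lines are copied from the log above plus two constructed ones (marked in the code); the heuristics, the hypothetical `example.exe` path and the non-pass verdict wording are assumptions, not FRST's own rules.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Heuristics here are an analyst's starting point, not FRST's own logic:
a hit means "look at this", not "this is malware".
"""
import re
from typing import Optional

# Dated FRST entry: <mod time> - <create time> - <size> <attrs> (<company>) <path>
ENTRY_RE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Bamital & volsnap check line: <path> => <verdict>
CHECK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")
# Bare path line, as printed under "Some content of TEMP:"
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")

BINARY_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx")
TASK_DIRS = ("\\windows\\tasks\\", "\\windows\\system32\\tasks\\")
NOT_TASKS = ("sa.dat", ".txt")  # housekeeping files that live beside tasks


def parse_entry(line: str) -> Optional[dict]:
    """Return the fields of a dated FRST entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["is_dir"] = "D" in d["attrs"]  # 'D' in the attribute column marks a folder
    return d


def flags_for_path(path: str, company: Optional[str], is_dir: bool) -> list:
    """Reasons an analyst would want a second look; company=None means unknown."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p and p.endswith(BINARY_EXT):
        reasons.append("binary in Temp folder")
    if not is_dir and p.endswith(BINARY_EXT) and company == "":
        reasons.append("binary without publisher name")
    if any(t in p for t in TASK_DIRS) and not p.endswith(NOT_TASKS):
        reasons.append("scheduled task (persistence)")
    if "\\start menu\\programs\\startup" in p:
        reasons.append("Startup folder (persistence)")
    return reasons


def triage(lines) -> list:
    """Walk log lines and return (path, reason) pairs worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        entry = parse_entry(line)
        if entry:
            for r in flags_for_path(entry["path"], entry["company"], entry["is_dir"]):
                findings.append((entry["path"], r))
            continue
        chk = CHECK_RE.match(line)
        if chk:
            # Only the exact pass string is trusted; any other verdict is surfaced.
            if chk["verdict"] != "MD5 is legit":
                findings.append((chk["path"], "hash check: " + chk["verdict"]))
            continue
        if PATH_RE.match(line):  # bare path from the TEMP listing, no publisher info
            for r in flags_for_path(line, None, False):
                findings.append((line, r))
    return findings


# Sample input: lines copied from the log above, plus two constructed lines.
SAMPLE_LOG = [
    "==================== One Month Modified Files and Folders =======",
    r"2014-02-15 11:40 - 2012-10-30 21:57 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job",
    r"2014-02-15 11:37 - 2014-02-15 11:37 - 00003324 _____ () C:\Windows\System32\Tasks\SamsungSupportCenter",
    r"2014-02-15 11:24 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT",
    r"2014-02-08 12:40 - 2012-10-30 21:57 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe",
    r"2014-01-20 09:27 - 2011-10-21 15:22 - 00000000 ___RD () C:\Users\Kathlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    # constructed: hypothetical unsigned-looking binary in the user profile
    r"2014-02-15 11:00 - 2014-02-15 11:00 - 00045056 _____ () C:\Users\Kathlen\AppData\Roaming\ExampleVendor\example.exe",
    "Some content of TEMP:",
    r"C:\Users\Kathlen\AppData\Local\Temp\Quarantine.exe",
    "==================== Bamital & volsnap Check =================",
    r"C:\Windows\System32\winlogon.exe => MD5 is legit",
    # constructed: verdict wording is illustrative, not FRST's actual failure text
    r"C:\Windows\System32\services.exe => MD5 mismatch (constructed example)",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:32s} {path}")
```

Feed it a whole FRST.txt (`triage(open("FRST.txt", encoding="utf-8-sig"))`) and the hits come out in log order. A signed Adobe updater and the `SA.DAT` scheduler file produce nothing; a scheduled task, a Startup-folder entry, an executable in `Temp`, a binary with an empty publisher field, and any hash verdict other than "MD5 is legit" do. Publisher-name checks only mean "FRST found no company string in the version resource", so treat them as a prompt to check the file's signature and hash, not as a verdict.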
