Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   GVU Computer gesperrt Trojaner (https://www.trojaner-board.de/131249-gvu-computer-gesperrt-trojaner.html)

Blitzeis 19.02.2013 10:44
GVU Computer gesperrt Trojaner
 
Mein Computer hat sich heute beim surfen gesperrt und zeigt seitdem eine Seite der *GVU* an. Nichts geht mehr. Emsisoft und AntiV haben noch kurz angeschlagen und einen Trojaner angezeigt, aber dann war es schon zu spaet. Ich habe anschliessend auf meinem Laptop eine OTLPE CD erstellt, darueber gebootet und hoffe, dass ich die richtigen files gescannt habe und mir geholfen werden kann.

Code:
OTL logfile created on: 2/19/2013 10:22:23 AM - Run
OTLPE by OldTimer - Version 3.1.48.0    Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 74.34 Mb Free Space | 74.35% Space Free | Partition Type: NTFS
Drive D: | 1397.26 Gb Total Space | 1203.96 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
Drive E: | 1397.17 Gb Total Space | 51.07 Gb Free Space | 3.65% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/02/12 01:03:44 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/30 02:14:30 | 003,089,320 | ---- | M] (Emsisoft GmbH) [Auto] -- E:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2013/01/02 06:30:50 | 000,018,360 | ---- | M] (Overwolf Ltd) [On_Demand] -- E:\Program Files (x86)\Overwolf\OverwolfUpdater.exe -- (OverwolfUpdaterService)
SRV - [2012/10/31 00:56:00 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand] -- E:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/10/02 17:21:00 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Auto] -- E:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/05/08 12:02:03 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/05/08 12:02:03 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/01/18 07:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [On_Demand] -- E:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2012/01/17 05:24:10 | 000,055,296 | ---- | M] () [Auto] -- E:\Windows\SysWOW64\ASGT.exe -- (ASGT)
SRV - [2010/07/15 14:53:09 | 002,326,920 | ---- | M] (Acronis) [Auto] -- E:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010/03/18 06:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/12 11:10:04 | 000,891,848 | ---- | M] (Acronis) [Auto] -- E:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009/07/26 00:43:14 | 000,025,832 | ---- | M] (BioWare) [On_Demand] -- E:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/04/01 23:27:27 | 000,090,112 | R--- | M] () [Auto] -- E:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe -- (AsSysCtrlService)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012/10/09 22:13:34 | 000,025,600 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand] -- E:\Windows\System32\drivers\rzdaendpt.sys -- (rzdaendpt)
DRV:64bit: - [2012/10/09 22:13:32 | 000,023,040 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand] -- E:\Windows\System32\drivers\rzvkeyboard.sys -- (rzvkeyboard)
DRV:64bit: - [2012/09/18 01:21:54 | 000,112,640 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand] -- E:\Windows\System32\drivers\rzudd.sys -- (rzudd)
DRV:64bit: - [2012/05/08 12:02:03 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System] -- E:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012/05/08 12:02:03 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto] -- E:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2011/10/11 08:00:01 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System] -- E:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2011/03/21 06:22:06 | 000,452,200 | ---- | M] (Realtek                                            ) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/07/15 14:53:11 | 000,250,400 | ---- | M] (Acronis) [File_System | On_Demand] -- E:\Windows\System32\drivers\afcdp.sys -- (afcdp)
DRV:64bit: - [2010/07/15 14:53:08 | 001,455,648 | ---- | M] (Acronis) [Kernel | Boot] -- E:\Windows\System32\drivers\tdrpm251.sys -- (tdrpman251) Acronis Try&Decide and Restore Points filter (build 251)
DRV:64bit: - [2010/07/15 14:53:07 | 000,929,312 | ---- | M] (Acronis) [Kernel | Boot] -- E:\Windows\System32\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2010/07/15 14:51:50 | 000,254,496 | ---- | M] (Acronis) [Kernel | Boot] -- E:\Windows\System32\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2010/07/14 05:51:56 | 000,087,600 | ---- | M] (Citrix Systems, Inc.) [Kernel | System] -- E:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV:64bit: - [2009/07/15 22:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand] -- E:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- E:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2008/05/16 04:33:06 | 000,158,760 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016mdm.sys -- (s0016mdm)
DRV:64bit: - [2008/05/16 04:33:06 | 000,151,592 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
DRV:64bit: - [2008/05/16 04:33:06 | 000,137,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
DRV:64bit: - [2008/05/16 04:33:06 | 000,136,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016obex.sys -- (s0016obex)
DRV:64bit: - [2008/05/16 04:33:06 | 000,034,344 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
DRV:64bit: - [2008/05/16 04:33:04 | 000,019,496 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV:64bit: - [2008/05/16 04:32:56 | 000,115,240 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\s0016bus.sys -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
DRV:64bit: - [2005/09/23 17:18:34 | 000,261,120 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand] -- E:\Windows\System32\drivers\MarvinBus64.sys -- (MarvinBus)
DRV - [2012/12/03 17:27:31 | 000,027,008 | ---- | M] () [Kernel | On_Demand] -- E:\Users\Faßbender\AppData\Local\Temp\GPU-Z.sys -- (GPU-Z)
DRV - [2012/11/13 15:53:00 | 000,014,544 | ---- | M] (OpenLibSys.org) [File_System | On_Demand] -- E:\Program Files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys -- (WinRing0_1_2_0)
DRV - [2012/04/30 11:45:28 | 000,066,320 | ---- | M] (Emsisoft GmbH) [File_System | On_Demand] -- E:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys -- (a2acc)
DRV - [2012/04/30 11:45:00 | 000,044,688 | ---- | M] (Emsisoft GmbH) [File_System | System] -- E:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys -- (a2injectiondriver)
DRV - [2011/05/19 07:10:34 | 000,023,208 | ---- | M] (Emsi Software GmbH) [Kernel | System] -- E:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys -- (A2DDA)
DRV - [2010/05/05 02:40:54 | 000,014,720 | ---- | M] (Emsi Software GmbH) [Kernel | System] -- E:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys -- (a2util)
DRV - [2002/07/17 09:20:32 | 000,084,832 | ---- | M] (Adaptec) [Kernel | On_Demand] -- E:\Windows\SysWOW64\drivers\ASPI32.SYS -- (ASPI)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Faßbender_ON_E\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\Faßbender_ON_E\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\Faßbender_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.spiegel.de/
IE - HKU\Faßbender_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\Faßbender_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\Faßbender_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 6F 3A F0 7B 7E CA 01  [binary data]
IE - HKU\Faßbender_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.0.1.20090924050608
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\System32\Macromed\Flash\NPSWF64_11_5_502_149.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: E:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE:  File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@canon.com/EPPEX: E:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: E:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: E:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: E:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@esn/esnlaunch,version=1.132.0: E:\Program Files (x86)\Battlelog Web Plugins\1.132.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Google.com/GoogleEarthPlugin: E:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: E:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: E:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE:  File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: E:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@nvidia.com/3DVision: E:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@nvidia.com/3DVisionStreaming: E:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@SonyCreativeSoftware.com/Media Go,version=1.0: E:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3: E:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9: E:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: E:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3:  File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9:  File not found
 
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/11/21 18:35:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/27 02:23:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/02/02 01:58:43 | 000,000,000 | ---D | M]
 
[2010/03/12 05:39:55 | 000,000,000 | ---D | M] (No name found) -- E:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2011/11/24 13:44:07 | 000,000,000 | ---D | M] (No name found) -- E:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\l3a9x0tc.default\extensions
[2012/02/29 00:33:09 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files (x86)\Mozilla Firefox\extensions
[2009/12/16 06:16:30 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File not found (No name found) -- E:\PROGRAM FILES (X86)\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
[2011/11/13 03:51:38 | 000,134,104 | ---- | M] (Mozilla Foundation) -- E:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010/10/12 09:33:32 | 000,124,344 | ---- | M] (Citrix Systems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\CCMSDK.dll
[2010/10/12 09:37:06 | 000,070,592 | ---- | M] (Citrix Systems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\CgpCore.dll
[2010/10/12 09:35:42 | 000,091,576 | ---- | M] (Citrix Systems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\confmgr.dll
[2010/10/12 09:34:56 | 000,022,464 | ---- | M] (Citrix Systems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\ctxlogging.dll
[2010/10/12 11:16:54 | 000,484,768 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\plugins\npicaN.dll
[2010/01/13 17:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2010/10/12 09:37:02 | 000,024,000 | ---- | M] (Citrix Systems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\TcpPServ.dll
[2011/10/08 02:21:30 | 000,001,392 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/10/08 02:21:30 | 000,002,252 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/10/08 02:21:30 | 000,001,153 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2011/10/08 02:21:30 | 000,006,805 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/10/08 02:21:30 | 000,001,178 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/10/08 02:21:30 | 000,001,105 | ---- | M] () -- E:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files (x86)\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - E:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - E:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files (x86)\Orbitdownloader\GrabPro.dll ()
O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - E:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKU\Faßbender_ON_E\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - E:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\Faßbender_ON_E\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files (x86)\Orbitdownloader\GrabPro.dll ()
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] E:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [APSDaemon] E:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] E:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [ConnectionCenter] E:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [Cpu Level Up help] E:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe ()
O4 - HKLM..\Run: [DivXUpdate] E:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [emsisoft anti-malware] E:\program files (x86)\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH)
O4 - HKLM..\Run: [QFan Help] E:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe ()
O4 - HKLM..\Run: [Razer Synapse] E:\Program Files (x86)\Razer\Synapse\RzSynapse.exe (Razer USA Ltd)
O4 - HKLM..\Run: [RoccatKone+] E:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.EXE (ROCCAT GmbH)
O4 - HKLM..\Run: [StereoLinksInstall] E:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [Sweetpacks Communicator] E:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] E:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\Faßbender_ON_E..\Run: [Sony PC Companion]  File not found
O4 - HKU\Faßbender_ON_E..\Run: [TBPanel] E:\Program Files (x86)\Vtune\TBPanel.exe ()
O4 - HKU\LocalService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\UpdatusUser_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin]  File not found
O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin]  File not found
O4 - HKU\UpdatusUser_ON_E..\RunOnce: [mctadmin]  File not found
O4 - Startup: E:\Users\Faßbender\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\Administrator_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15:64bit: - .DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15:64bit: - .DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15:64bit: - .DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15:64bit: - .DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15:64bit: - Administrator_ON_E\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15:64bit: - Administrator_ON_E\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15:64bit: - Administrator_ON_E\..Trusted Domains: soe.com ([]* in Trusted sites)
O15:64bit: - Administrator_ON_E\..Trusted Domains: sony.com ([]* in Trusted sites)
O15:64bit: - Faßbender_ON_E\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15:64bit: - Faßbender_ON_E\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15:64bit: - Faßbender_ON_E\..Trusted Domains: fritz.box ([]* in Local intranet)
O15:64bit: - Faßbender_ON_E\..Trusted Domains: soe.com ([]* in Trusted sites)
O15:64bit: - Faßbender_ON_E\..Trusted Domains: sony.com ([]* in Trusted sites)
O15:64bit: - Faßbender_ON_E\..Trusted Ranges: Range1 ([*] in Local intranet)
O15:64bit: - LocalService_ON_E\..Trusted Domains: clonewarsadventures.com ([]* in )
O15:64bit: - LocalService_ON_E\..Trusted Domains: freerealms.com ([]* in )
O15:64bit: - LocalService_ON_E\..Trusted Domains: soe.com ([]* in )
O15:64bit: - LocalService_ON_E\..Trusted Domains: sony.com ([]* in )
O15:64bit: - NetworkService_ON_E\..Trusted Domains: clonewarsadventures.com ([]* in )
O15:64bit: - NetworkService_ON_E\..Trusted Domains: freerealms.com ([]* in )
O15:64bit: - NetworkService_ON_E\..Trusted Domains: soe.com ([]* in )
O15:64bit: - NetworkService_ON_E\..Trusted Domains: sony.com ([]* in )
O15:64bit: - UpdatusUser_ON_E\..Trusted Domains: clonewarsadventures.com ([]* in )
O15:64bit: - UpdatusUser_ON_E\..Trusted Domains: freerealms.com ([]* in )
O15:64bit: - UpdatusUser_ON_E\..Trusted Domains: soe.com ([]* in )
O15:64bit: - UpdatusUser_ON_E\..Trusted Domains: sony.com ([]* in )
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/19 03:14:20 | 000,000,000 | ---D | C] -- E:\Users\Administrator\AppData\Local\Razer
[2013/02/13 09:16:45 | 000,176,640 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\ieui.dll
[2013/02/13 09:16:45 | 000,096,768 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mshtmled.dll
[2013/02/13 09:16:45 | 000,073,216 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\mshtmled.dll
[2013/02/13 09:16:44 | 000,248,320 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ieui.dll
[2013/02/13 09:16:44 | 000,231,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\url.dll
[2013/02/13 09:16:44 | 000,173,056 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ieUnatt.exe
[2013/02/13 09:16:44 | 000,142,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\ieUnatt.exe
[2013/02/13 09:16:43 | 001,427,968 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\inetcpl.cpl
[2013/02/13 09:16:43 | 000,237,056 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\url.dll
[2013/02/13 09:16:42 | 002,312,704 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\jscript9.dll
[2013/02/13 09:16:42 | 001,494,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\inetcpl.cpl
[2013/02/13 09:16:42 | 000,729,088 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msfeeds.dll
[2013/02/13 09:16:42 | 000,607,744 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\msfeeds.dll
[2013/02/13 09:16:40 | 001,800,704 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\jscript9.dll
[2013/02/13 09:16:40 | 000,816,640 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\jscript.dll
[2013/02/13 09:16:40 | 000,717,824 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\jscript.dll
[2013/02/13 09:16:40 | 000,599,040 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vbscript.dll
[2013/02/13 04:51:24 | 005,553,512 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ntoskrnl.exe
[2013/02/13 04:51:22 | 003,967,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\ntkrnlpa.exe
[2013/02/13 04:51:21 | 003,913,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\ntoskrnl.exe
[2013/02/13 04:50:54 | 000,215,040 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\winsrv.dll
[2013/02/13 04:50:52 | 000,025,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\setup16.exe
[2013/02/13 04:50:52 | 000,014,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\ntvdm64.dll
[2013/02/13 04:50:52 | 000,007,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\instnm.exe
[2013/02/13 04:50:52 | 000,005,120 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\wow32.dll
[2013/02/13 04:50:50 | 000,002,048 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\user.exe
[2013/02/13 04:50:43 | 000,288,088 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\FWPKCLNT.SYS
[2013/02/11 12:40:08 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\ROCCAT
[2013/01/30 01:49:40 | 000,000,000 | ---D | C] -- E:\Users\Faßbender\AppData\Local\fontconfig
[2013/01/30 01:49:08 | 000,000,000 | ---D | C] -- E:\Users\Faßbender\AppData\Local\gegl-0.2
[2013/01/30 01:47:32 | 000,000,000 | ---D | C] -- E:\Program Files\GIMP 2
[2 E:\Windows\*.tmp files -> E:\Windows\*.tmp -> ]
[1 E:\Users\Faßbender\Documents\*.tmp files -> E:\Users\Faßbender\Documents\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2045/10/28 06:35:42 | 000,002,725 | ---- | M] () -- E:\Users\Faßbender\Documents\Kill Bill 1.ncd
[2045/10/28 06:26:56 | 000,002,835 | ---- | M] () -- E:\Users\Faßbender\Documents\Toons-1+.ncd
[2045/10/28 06:18:36 | 000,002,606 | ---- | M] () -- E:\Users\Faßbender\Documents\Toons-1.ncd
[2013/02/19 04:10:14 | 000,067,584 | --S- | M] () -- E:\Windows\bootstat.dat
[2013/02/19 04:09:13 | 000,015,024 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/19 04:09:13 | 000,015,024 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/19 04:03:05 | 000,000,884 | ---- | M] () -- E:\Windows\tasks\Adobe Flash Player Updater.job
[2013/02/19 04:00:58 | 4287,930,366 | -HS- | M] () -- E:\hiberfil.sys
[2013/02/19 03:31:46 | 095,023,320 | ---- | M] () -- E:\ProgramData\7094427.pad
[2013/02/19 03:31:09 | 000,001,112 | ---- | M] () -- E:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/19 03:22:01 | 000,001,136 | ---- | M] () -- E:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1487255489-2574314160-2474486194-1000UA.job
[2013/02/19 03:11:35 | 000,000,153 | ---- | M] () -- E:\ProgramData\7094427.reg
[2013/02/19 03:11:35 | 000,000,063 | ---- | M] () -- E:\ProgramData\7094427.bat
[2013/02/19 03:11:34 | 000,001,083 | ---- | M] () -- E:\Users\Faßbender\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
[2013/02/19 02:40:20 | 000,705,196 | ---- | M] () -- E:\Windows\System32\perfh007.dat
[2013/02/19 02:40:20 | 000,659,212 | ---- | M] () -- E:\Windows\System32\perfh009.dat
[2013/02/19 02:40:20 | 000,151,690 | ---- | M] () -- E:\Windows\System32\perfc007.dat
[2013/02/19 02:40:20 | 000,123,886 | ---- | M] () -- E:\Windows\System32\perfc009.dat
[2013/02/19 02:30:00 | 000,001,116 | ---- | M] () -- E:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/18 14:24:37 | 000,484,585 | ---- | M] () -- E:\Users\Faßbender\Desktop\Niko Frisur.jpg
[2013/02/15 21:22:00 | 000,001,084 | ---- | M] () -- E:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1487255489-2574314160-2474486194-1000Core.job
[2013/02/13 11:39:49 | 000,509,168 | ---- | M] () -- E:\Windows\System32\FNTCACHE.DAT
[2013/02/12 01:03:44 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- E:\Windows\SysWow64\FlashPlayerApp.exe
[2013/02/12 01:03:44 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- E:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/02/11 12:40:08 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\ROCCAT
[2013/02/11 04:05:58 | 000,149,595 | ---- | M] () -- E:\Users\Faßbender\Desktop\toller-pullover-fur-aktive-kids-rosa.htm
[2013/02/09 11:08:48 | 000,000,349 | ---- | M] () -- E:\Users\Public\Documents\PCLECHAL.INI
[2013/02/02 01:58:43 | 000,002,441 | ---- | M] () -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2013/02/02 01:58:43 | 000,002,054 | ---- | M] () -- E:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013/02/01 07:18:19 | 000,002,392 | ---- | M] () -- E:\Users\Faßbender\Desktop\Google Chrome.lnk
[2013/01/30 02:01:42 | 000,000,849 | ---- | M] () -- E:\Users\Faßbender\AppData\Local\recently-used.xbel
[2013/01/30 01:48:17 | 000,000,932 | ---- | M] () -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
[2 E:\Windows\*.tmp files -> E:\Windows\*.tmp -> ]
[1 E:\Users\Faßbender\Documents\*.tmp files -> E:\Users\Faßbender\Documents\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/02/19 03:11:35 | 000,000,153 | ---- | C] () -- E:\ProgramData\7094427.reg
[2013/02/19 03:11:35 | 000,000,063 | ---- | C] () -- E:\ProgramData\7094427.bat
[2013/02/19 03:11:34 | 000,001,083 | ---- | C] () -- E:\Users\Faßbender\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
[2013/02/19 03:11:31 | 095,023,320 | ---- | C] () -- E:\ProgramData\7094427.pad
[2013/02/11 04:06:18 | 000,484,585 | ---- | C] () -- E:\Users\Faßbender\Desktop\Niko Frisur.jpg
[2013/02/11 04:05:56 | 000,149,595 | ---- | C] () -- E:\Users\Faßbender\Desktop\toller-pullover-fur-aktive-kids-rosa.htm
[2013/01/30 02:01:42 | 000,000,849 | ---- | C] () -- E:\Users\Faßbender\AppData\Local\recently-used.xbel
[2013/01/30 01:48:17 | 000,000,932 | ---- | C] () -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
[2012/12/03 17:09:34 | 000,007,602 | ---- | C] () -- E:\Users\Faßbender\AppData\Local\Resmon.ResmonCfg
[2012/12/01 03:20:44 | 000,000,022 | ---- | C] () -- E:\Windows\GPU-Z.INI
[2012/01/17 05:24:10 | 000,055,296 | ---- | C] () -- E:\Windows\SysWow64\ASGT.exe
[2011/07/10 00:54:30 | 000,000,431 | ---- | C] () -- E:\Windows\WISO.INI
[2011/06/23 07:14:21 | 000,252,928 | ---- | C] () -- E:\Windows\SysWow64\DShowRdpFilter.dll
[2010/05/14 10:23:15 | 000,000,032 | ---- | C] () -- E:\Windows\Menu.INI
[2010/04/12 13:12:19 | 000,005,120 | ---- | C] () -- E:\Users\Faßbender\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/31 15:59:28 | 001,612,646 | ---- | C] () -- E:\Windows\SysWow64\PerfStringBackup.INI
[2010/02/13 04:15:03 | 000,024,576 | R--- | C] () -- E:\Windows\SysWow64\AsIO.dll
[2010/02/13 04:15:02 | 000,013,368 | R--- | C] () -- E:\Windows\SysWow64\drivers\AsIO.sys
[2010/02/13 04:14:59 | 000,011,832 | ---- | C] () -- E:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2010/02/13 04:14:59 | 000,010,216 | ---- | C] () -- E:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2010/02/13 04:13:56 | 000,001,769 | ---- | C] () -- E:\Windows\Language_trs.ini
[2010/02/13 04:13:55 | 000,023,026 | ---- | C] () -- E:\Windows\Ascd_tmp.ini
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- E:\Windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- E:\Windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- E:\Windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- E:\Windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- E:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- E:\Windows\SysWow64\ir32_32.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- E:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- E:\Windows\SysWow64\mlang.dat
[2009/04/02 07:30:14 | 000,010,296 | ---- | C] () -- E:\Windows\SysWow64\drivers\ASUSHWIO.SYS
 
========== LOP Check ==========
 
[2010/07/15 14:56:17 | 000,000,000 | ---D | M] -- E:\ProgramData\Acronis
[2009/12/09 18:37:25 | 000,000,000 | -HSD | M] -- E:\ProgramData\Anwendungsdaten
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data
[2011/05/13 01:35:01 | 000,000,000 | ---D | M] -- E:\ProgramData\Avanquest
[2011/05/12 14:54:31 | 000,000,000 | ---D | M] -- E:\ProgramData\avg9
[2010/02/21 02:14:21 | 000,000,000 | ---D | M] -- E:\ProgramData\Azureus
[2011/11/24 03:18:34 | 000,000,000 | ---D | M] -- E:\ProgramData\boost_interprocess
[2011/07/10 01:02:24 | 000,000,000 | ---D | M] -- E:\ProgramData\Buhl Data Service GmbH
[2010/05/25 10:03:57 | 000,000,000 | ---D | M] -- E:\ProgramData\BVRP Software
[2010/02/21 00:22:17 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonBJ
[2010/02/27 07:11:20 | 000,000,000 | -H-D | M] -- E:\ProgramData\CanonIJScan
[2011/04/08 02:33:55 | 000,000,000 | ---D | M] -- E:\ProgramData\Citrix
[2011/11/10 16:56:21 | 000,000,000 | ---D | M] -- E:\ProgramData\ClubSanDisk
[2011/03/14 15:13:01 | 000,000,000 | -H-D | M] -- E:\ProgramData\Common Files
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents
[2009/12/09 18:37:25 | 000,000,000 | -HSD | M] -- E:\ProgramData\Dokumente
[2011/07/25 07:59:19 | 000,000,000 | ---D | M] -- E:\ProgramData\EA Core
[2011/07/25 08:01:13 | 000,000,000 | ---D | M] -- E:\ProgramData\Electronic Arts
[2009/12/09 18:37:25 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favoriten
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites
[2011/05/13 01:35:58 | 000,000,000 | ---D | M] -- E:\ProgramData\MFAData
[2012/09/17 07:51:24 | 000,000,000 | ---D | M] -- E:\ProgramData\mquadr.at
[2013/01/07 13:21:18 | 000,000,000 | ---D | M] -- E:\ProgramData\Overwolf
[2010/02/21 01:06:40 | 000,000,000 | ---D | M] -- E:\ProgramData\Pinnacle
[2010/02/21 01:03:55 | 000,000,000 | ---D | M] -- E:\ProgramData\Pinnacle Studio Plus
[2012/12/01 12:38:11 | 000,000,000 | ---D | M] -- E:\ProgramData\Razer
[2012/12/28 11:28:48 | 000,000,000 | ---D | M] -- E:\ProgramData\ROCCAT
[2012/08/11 02:51:51 | 000,000,000 | ---D | M] -- E:\ProgramData\Sony
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu
[2009/12/09 18:37:25 | 000,000,000 | -HSD | M] -- E:\ProgramData\Startmenü
[2010/02/21 01:02:02 | 000,000,000 | ---D | M] -- E:\ProgramData\Studio 12
[2012/12/10 01:08:46 | 000,000,000 | ---D | M] -- E:\ProgramData\SweetIM
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates
[2009/12/09 18:37:25 | 000,000,000 | -HSD | M] -- E:\ProgramData\Vorlagen
[2013/01/13 11:48:58 | 000,032,640 | ---- | M] () -- E:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
< End of report >
Vielen Dank!

aharonov 19.02.2013 11:02
Hallo blitzeis und :hallo:

Mein Name ist Leo und ich werde dich durch die Bereinigung deines Rechners begleiten.

Eine Bereinigung beinhaltet nebst dem Entfernen von Malware auch das Schliessen von Sicherheitslücken und sollte gründlich durchgeführt werden. Sie erfolgt deshalb in mehreren Schritten und bedeutet einigen Aufwand für dich.
Beachte: Das Verschwinden der offensichtlichen Symptome bedeutet nicht, dass das System schon sauber ist.
Arbeite daher in deinem eigenen Interesse solange mit, bis du das OK bekommst, dass alles erledigt ist.

Hinweise zum Ablauf
  • Du bekommst von mir jeweils eine individuell auf dich abgestimmte schrittweise Anleitung.
    • Lese diese Anweisungen immer zuerst vollständig durch und frag bei Unklarheiten nach, bevor du beginnst.
    • Arbeite die Anleitungen dann sorgfältig und in der angegebenen Reihenfolge ab und poste deine Rückmeldungen und Logfiles gesammelt in einer Antwort.
    • Füge den Inhalt der Logfiles wenn immer möglich innerhalb von Code-Tags in deine Antwort ein.
    • Sollten Probleme auftauchen, dann brich an dieser Stelle ab und schildere sie so gut wie möglich.
  • Es ist wichtig für mich, dass sich der Zustand deines Systems nicht plötzlich unvorhersehbar ändert. Deshalb: Bitte
    • .. lasse keine Scanner oder Tools ohne Aufforderung laufen. Lösche nichts auf eigene Faust.
    • .. installiere oder deinstalliere während der Bereinigung keine Software.
    • .. frag nicht parallel in anderen Foren nach Hilfe (Crossposting).
  • Ich kann dir keine Garantien geben, dass die Bereinigung schlussendlich erfolgreich sein wird und wir alles finden werden.
    • Ein Formatieren und Neuinstallieren ist meist der schnellere und immer der sicherere Weg.
    • Sollte ich eine schwerwiegende Infektion bei dir finden, werde ich dich nochmals darauf hinweisen. Es bleibt aber deine Entscheidung.
Los geht's: Alle Tools immer auf den Desktop speichern und von dort starten.



Nach Schritt 1 solltest du wieder normal aufstarten können. Mach dann die weiteren Schritte in Windows.


Schritt 1
  • Starte den infizierten Rechner mit der OTLpe-CD und öffne OTLpe.
  • Kopiere nun den folgenden Inhalt aus der Codebox in die http://larusso.trojaner-board.de/Images/otlfix.jpg Textbox.
    Wichtig: Falls du deinen Benutzernamen im Log unkenntlich gemacht hast (z.B. durch ***), dann mach das hier wieder rückgängig.
Code:
:OTL
[2013/02/19 03:11:35 | 000,000,153 | ---- | C] () -- E:\ProgramData\7094427.reg
[2013/02/19 03:11:35 | 000,000,063 | ---- | C] () -- E:\ProgramData\7094427.bat
[2013/02/19 03:11:34 | 000,001,083 | ---- | C] () -- E:\Users\Faßbender\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
[2013/02/19 03:11:31 | 095,023,320 | ---- | C] () -- E:\ProgramData\7094427.pad
  • Klicke jetzt auf den Fix Button.
  • Starte danach neu und versuche wieder in den normalen Modus von Windows zu booten.
  • Nach dem Neustart findest du ein Textdokument auf deinem Desktop.
    (Auch zu finden unter C:\OTL\MovedFiles\<time_date.log>)
  • Kopiere nun dessen Inhalt hier in deinen Thread.



Schritt 2

Lade dir Gmer herunter (auf den Button Download EXE drücken) und speichere das Programm auf den Desktop.
  • Deaktiviere alle Antivirenprogramme und Malware/Spyware Scanner.
  • Trenne alle bestehenden Verbindungen zu einem Netzwerk/Internet (WLAN nicht vergessen).
  • Schliesse bitte alle anderen Programme.
  • Starte gmer.exe (die Datei hat einen zufälligen Dateinamen).
    Vista und Win7 User mit Rechtsklick "als Administrator starten".
  • Sollte sich ein Fenster mit folgender Warnung öffnen
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    dann klicke unbedingt auf No.
  • Entferne rechts den Haken bei:
    • IAT/EAT
    • Show all
  • Setze rechts den Haken bei deiner Systempartition (normalerweise C:\).
  • Starte den Scan mit einem Klick auf Scan.
  • Mache gar nichts am Computer, während der Scan läuft!
  • Wenn der Scan fertig ist, klicke auf Save und speichere das Logfile unter Gmer.txt auf deinen Desktop.
  • Schliesse dann GMER und führe unmittelbar einen Neustart des Computers durch.
  • Füge bitte den Inhalt des Logfiles hier in deine Thread ein.
Antiviren-Programm und sonstige Scanner wieder einschalten, bevor du ins Netz gehst.



Schritt 3

Downloade dir bitte AdwCleaner und speichere es auf deinen Desktop.
  • Schliesse alle offenen Programme und Browser.
  • Starte die adwcleaner.exe mit einem Doppelklick.
  • Klicke auf Löschen.
  • Bestätige jeweils mit Ok.
  • Dein Rechner wird neu gestartet, je nach Schwere der Infektion auch mehrmals - das ist normal. Nach dem Neustart öffnet sich eine Textdatei.
  • Poste mir den Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.



Schritt 4

Lade dir bitte OTL (von Oldtimer) herunter und speichere es auf deinen Desktop.
  • Doppelklick auf die OTL.exe.
  • Unter Extra Registry, wähle bitte Use SafeList.
  • Setze den Haken bei Scan all Users.
  • Klicke nun auf Run Scan.
  • Wenn der Scan beendet ist, werden 2 Logfiles (OTL.txt und Extras.txt) erstellt.
  • Poste den Inhalt dieser Logfiles hier in den Thread.



Bitte poste in deiner nächsten Antwort:
  • Fixlog von OTLpe
  • Log von Gmer
  • Log von AdwCleaner
  • Logs von OTL

Blitzeis 19.02.2013 11:21
Zunächst vielen herzlichen Dank für die schnelle Antwort.

Das time_date.log zeigt folgenden Inhalt:

Code:
========== OTL ==========
E:\ProgramData\7094427.reg moved successfully.
E:\ProgramData\7094427.bat moved successfully.
E:\Users\Faßbender\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk moved successfully.
E:\ProgramData\7094427.pad moved successfully.
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 02192013_111247
Edit: Sorry letzten Absatz nicht gelesen. Mache nun mit Schritt 2 weiter.

aharonov 19.02.2013 11:23
Kannst du denn jetzt wieder normal nach Windows starten ohne diesen Sperrbildschirm?
Falls ja, dann kannst du gleich die Schritte 2 bis 4 in Angriff nehmen.

Blitzeis 19.02.2013 13:30
So, es hat ein bisschen gedauert.

Gmer Log:

Code:
GMER 2.1.18952 - hxxp://www.gmer.net
Rootkit scan 2013-02-19 12:38:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-7 SAMSUNG_HD154UI rev.1AG01118 1397,27GB
Running: xut43mt5.exe; Driver: C:\Users\FABEND~1\AppData\Local\Temp\uxlyiuob.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                        00000000773c1570 6 bytes {JMP QWORD [RIP+0x8d7eac0]}
.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                          00000000773c1640 6 bytes {JMP QWORD [RIP+0x8dbe9f0]}
.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                        00000000773c1860 6 bytes {JMP QWORD [RIP+0x8d9e7d0]}
.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                        00000000773c1910 6 bytes {JMP QWORD [RIP+0x8d3e720]}
.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                    00000000773c1ea0 6 bytes {JMP QWORD [RIP+0x8d5e190]}
.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  00000000773c2840 6 bytes {JMP QWORD [RIP+0x8ddd7f0]}
.text  C:\Windows\system32\taskhost.exe[1784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                            000007fefdb3b915 3 bytes [F5, 46, 25]
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                      000000007756fc00 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                  000000007756fc04 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                        000000007756fd44 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                    000000007756fd48 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                      0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                  0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                      00000000775701a4 3 bytes JMP 7190000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                  00000000775701a8 2 bytes JMP 7190000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                  0000000077570a24 3 bytes JMP 718d000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4              0000000077570a28 2 bytes JMP 718d000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                0000000077571900 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4            0000000077571904 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493          0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                  0000000075ab712c 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                  0000000075ad3158 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageW                      0000000074f19679 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!PostMessageW                      0000000074f212a5 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!PostMessageA                      0000000074f23baa 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!SendMessageA                      0000000074f2612e 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!SendInput                        0000000074f3ff4a 3 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!SendInput + 4                    0000000074f3ff4e 2 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!mouse_event                      0000000074f7027b 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[1156] C:\Windows\syswow64\USER32.dll!keybd_event                      0000000074f702bf 6 bytes JMP 71a8000a
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                            00000000773c1570 6 bytes {JMP QWORD [RIP+0x8d7eac0]}
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                00000000773c1640 6 bytes {JMP QWORD [RIP+0x8dbe9f0]}
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                              00000000773c1860 6 bytes {JMP QWORD [RIP+0x8d9e7d0]}
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                            00000000773c1910 6 bytes {JMP QWORD [RIP+0x8d3e720]}
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                          00000000773c1ea0 6 bytes {JMP QWORD [RIP+0x8d5e190]}
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                        00000000773c2840 6 bytes {JMP QWORD [RIP+0x8ddd7f0]}
.text  C:\Windows\system32\Dwm.exe[2584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                000007fefdb3b915 3 bytes CALL 2002a18
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                00000000773c1570 6 bytes {JMP QWORD [RIP+0x8d7eac0]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                    00000000773c1640 6 bytes {JMP QWORD [RIP+0x8dbe9f0]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                  00000000773c1860 6 bytes {JMP QWORD [RIP+0x8d9e7d0]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                00000000773c1910 6 bytes {JMP QWORD [RIP+0x8d3e720]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                              00000000773c1ea0 6 bytes {JMP QWORD [RIP+0x8d5e190]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                            00000000773c2840 6 bytes {JMP QWORD [RIP+0x8ddd7f0]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                    000007fefdb3b915 3 bytes [F5, 46, 25]
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\msi.dll!MsiSetInternalUI                                                                000007fef7335cd0 6 bytes {JMP QWORD [RIP+0x68a360]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\msi.dll!MsiInstallProductA                                                              000007fef73b0f20 6 bytes {JMP QWORD [RIP+0x3af110]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\msi.dll!MsiInstallProductW                                                              000007fef73bfaa8 6 bytes JMP 0
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA                                                          000007fefa7c7b34 6 bytes {JMP QWORD [RIP+0x884fc]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW                                                          000007fefa7d03c0 6 bytes {JMP QWORD [RIP+0x9fc70]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW                                                      0000000005243030 6 bytes {JMP QWORD [RIP+0x2fd000]}
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\WS2_32.dll!connect + 1                                                                  00000000052445c1 5 bytes JMP 8f
.text  C:\Windows\Explorer.EXE[2596] C:\Windows\system32\WS2_32.dll!listen                                                                      0000000005248290 6 bytes {JMP QWORD [RIP+0x1d7da0]}
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                000000007756fc00 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                            000000007756fc04 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                  000000007756fd44 3 bytes JMP 717e000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                              000000007756fd48 2 bytes JMP 717e000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                0000000077570094 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                            0000000077570098 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                00000000775701a4 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                            00000000775701a8 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                            0000000077570a24 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                        0000000077570a28 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                          0000000077571900 3 bytes JMP 717b000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                      0000000077571904 2 bytes JMP 717b000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                    0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!SendMessageW                                                0000000074f19679 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!PostMessageW                                                0000000074f212a5 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!PostMessageA                                                0000000074f23baa 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!SendMessageA                                                0000000074f2612e 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!SendInput                                                  0000000074f3ff4a 3 bytes JMP 719f000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!SendInput + 4                                              0000000074f3ff4e 2 bytes JMP 719f000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!mouse_event                                                0000000074f7027b 6 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\USER32.dll!keybd_event                                                0000000074f702bf 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                            0000000075ab712c 6 bytes JMP 718d000a
.text  C:\Program Files (x86)\Vtune\TBPANEL.exe[2828] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                            0000000075ad3158 6 bytes JMP 7190000a
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess          000000007756fc00 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4      000000007756fc04 2 bytes [89, 71]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile              000000007756fd44 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4          000000007756fd48 2 bytes [83, 71]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile            0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4        0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey          00000000775701a4 3 bytes JMP 7190000a
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4      00000000775701a8 2 bytes JMP 7190000a
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey        0000000077570a24 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4    0000000077570a28 2 bytes [8C, 71]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread      0000000077571900 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4  0000000077571904 2 bytes [80, 71]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                  00000000773c1570 6 bytes {JMP QWORD [RIP+0x8d7eac0]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                    00000000773c1640 6 bytes {JMP QWORD [RIP+0x8dbe9f0]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                  00000000773c1860 6 bytes {JMP QWORD [RIP+0x8d9e7d0]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                  00000000773c1910 6 bytes {JMP QWORD [RIP+0x8d3e720]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                              00000000773c1ea0 6 bytes {JMP QWORD [RIP+0x8d5e190]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                            00000000773c2840 6 bytes {JMP QWORD [RIP+0x8ddd7f0]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                      000007fefdb3b915 3 bytes CALL 0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA                          000007fefa7c7b34 6 bytes {JMP QWORD [RIP+0x1284fc]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW                          000007fefa7d03c0 6 bytes {JMP QWORD [RIP+0x13fc70]}
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW                        000007feff3a3030 6 bytes JMP 4e005c
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\system32\WS2_32.dll!connect + 1                                  000007feff3a45c1 5 bytes JMP 0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] C:\Windows\system32\WS2_32.dll!listen                                        000007feff3a8290 6 bytes JMP 0
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                000000007756fc00 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                            000000007756fc04 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                    000000007756fd44 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                000000007756fd48 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                  0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                              0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                00000000775701a4 3 bytes JMP 7190000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                            00000000775701a8 2 bytes JMP 7190000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                              0000000077570a24 3 bytes JMP 718d000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                          0000000077570a28 2 bytes JMP 718d000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                            0000000077571900 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                        0000000077571904 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                    0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!SendMessageW                                0000000074f19679 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!PostMessageW                                0000000074f212a5 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!PostMessageA                                0000000074f23baa 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!SendMessageA                                0000000074f2612e 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!SendInput                                    0000000074f3ff4a 3 bytes JMP 71a5000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!SendInput + 4                                0000000074f3ff4e 2 bytes JMP 71a5000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!mouse_event                                  0000000074f7027b 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\USER32.dll!keybd_event                                  0000000074f702bf 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                            0000000075ab712c 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe[3700] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                            0000000075ad3158 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                      000000007756fc00 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                  000000007756fc04 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                          000000007756fd44 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                      000000007756fd48 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                        0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                    0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                      00000000775701a4 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                  00000000775701a8 2 bytes [8F, 71]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                    0000000077570a24 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                0000000077570a28 2 bytes [8C, 71]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                  0000000077571900 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4              0000000077571904 2 bytes [80, 71]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493          0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                  0000000075ab712c 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                  0000000075ad3158 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageW                      0000000074f19679 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!PostMessageW                      0000000074f212a5 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!PostMessageA                      0000000074f23baa 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!SendMessageA                      0000000074f2612e 6 bytes {JMP QWORD [RIP+0x71a1001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!SendInput                          0000000074f3ff4a 3 bytes [FF, 25, 1E]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!SendInput + 4                      0000000074f3ff4e 2 bytes [A4, 71]
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!mouse_event                        0000000074f7027b 6 bytes {JMP QWORD [RIP+0x71aa001e]}
.text  C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe[3748] C:\Windows\syswow64\USER32.dll!keybd_event                        0000000074f702bf 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                  000000007756fc00 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                              000000007756fc04 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                      000000007756fd44 3 bytes JMP 717b000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                  000000007756fd48 2 bytes JMP 717b000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                    0000000077570094 3 bytes JMP 717e000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                0000000077570098 2 bytes JMP 717e000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                  00000000775701a4 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                              00000000775701a8 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                0000000077570a24 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                            0000000077570a28 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                              0000000077571900 3 bytes JMP 7178000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                          0000000077571904 2 bytes JMP 7178000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                      0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!SendMessageW                                  0000000074f19679 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!PostMessageW                                  0000000074f212a5 6 bytes JMP 7190000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!PostMessageA                                  0000000074f23baa 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!SendMessageA                                  0000000074f2612e 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!SendInput                                      0000000074f3ff4a 3 bytes JMP 719c000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!SendInput + 4                                  0000000074f3ff4e 2 bytes JMP 719c000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!mouse_event                                    0000000074f7027b 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\USER32.dll!keybd_event                                    0000000074f702bf 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                              0000000075ab712c 6 bytes JMP 718a000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                              0000000075ad3158 6 bytes JMP 718d000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                        000000007522575a 6 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\WS2_32.dll!connect                                        0000000075226bdd 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[3760] C:\Windows\syswow64\WS2_32.dll!listen                                        000000007522b001 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                  000000007756fc00 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                              000000007756fc04 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                    000000007756fd44 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                000000007756fd48 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                  0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                              0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                  00000000775701a4 3 bytes JMP 7190000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                              00000000775701a8 2 bytes JMP 7190000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                              0000000077570a24 3 bytes JMP 718d000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                          0000000077570a28 2 bytes JMP 718d000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                            0000000077571900 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                        0000000077571904 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                      0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!SendMessageW                                  0000000074f19679 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!PostMessageW                                  0000000074f212a5 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!PostMessageA                                  0000000074f23baa 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!SendMessageA                                  0000000074f2612e 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!SendInput                                    0000000074f3ff4a 3 bytes JMP 71a5000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!SendInput + 4                                0000000074f3ff4e 2 bytes JMP 71a5000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!mouse_event                                  0000000074f7027b 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\USER32.dll!keybd_event                                  0000000074f702bf 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                              0000000075ab712c 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                              0000000075ad3158 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                        000000007522575a 6 bytes JMP 7178000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\WS2_32.dll!connect                                      0000000075226bdd 6 bytes JMP 717e000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\WS2_32.dll!listen                                        000000007522b001 6 bytes JMP 717b000a
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                      00000000751c1465 2 bytes [1C, 75]
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                    00000000751c14bb 2 bytes [1C, 75]
.text  ...                                                                                                                                      * 2
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                        000000007756fc00 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                    000000007756fc04 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                          000000007756fd44 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                      000000007756fd48 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                        0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                    0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                        00000000775701a4 3 bytes JMP 7190000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                    00000000775701a8 2 bytes JMP 7190000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                    0000000077570a24 3 bytes JMP 718d000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                0000000077570a28 2 bytes JMP 718d000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                  0000000077571900 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4              0000000077571904 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493            0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                    0000000075ab712c 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                    0000000075ad3158 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!SendMessageW                        0000000074f19679 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!PostMessageW                        0000000074f212a5 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!PostMessageA                        0000000074f23baa 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!SendMessageA                        0000000074f2612e 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!SendInput                          0000000074f3ff4a 3 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!SendInput + 4                      0000000074f3ff4e 2 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!mouse_event                        0000000074f7027b 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3896] C:\Windows\syswow64\USER32.dll!keybd_event                        0000000074f702bf 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                      000000007756fc00 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                  000000007756fc04 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                        000000007756fd44 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                    000000007756fd48 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                      0000000077570094 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                  0000000077570098 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                      00000000775701a4 3 bytes JMP 7190000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                  00000000775701a8 2 bytes JMP 7190000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                  0000000077570a24 3 bytes JMP 718d000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                              0000000077570a28 2 bytes JMP 718d000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                0000000077571900 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                            0000000077571904 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                          0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!SendMessageW                                      0000000074f19679 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!PostMessageW                                      0000000074f212a5 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!PostMessageA                                      0000000074f23baa 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!SendMessageA                                      0000000074f2612e 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!SendInput                                        0000000074f3ff4a 3 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!SendInput + 4                                    0000000074f3ff4e 2 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!mouse_event                                      0000000074f7027b 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\USER32.dll!keybd_event                                      0000000074f702bf 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                  0000000075ab712c 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                  0000000075ad3158 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\ws2_32.dll!WSALookupServiceBeginW                            000000007522575a 6 bytes JMP 7178000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\ws2_32.dll!connect                                          0000000075226bdd 6 bytes JMP 717e000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\ws2_32.dll!listen                                            000000007522b001 6 bytes JMP 717b000a
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                          00000000751c1465 2 bytes [1C, 75]
.text  C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                        00000000751c14bb 2 bytes [1C, 75]
.text  ...                                                                                                                                      * 2
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                000000007756fc00 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4            000000007756fc04 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                    000000007756fd44 3 bytes JMP 717b000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                000000007756fd48 2 bytes JMP 717b000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                  0000000077570094 3 bytes JMP 717e000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4              0000000077570098 2 bytes JMP 717e000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                00000000775701a4 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4            00000000775701a8 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey              0000000077570a24 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4          0000000077570a28 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread            0000000077571900 3 bytes JMP 7178000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4        0000000077571904 2 bytes JMP 7178000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493    0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!SendMessageW                0000000074f19679 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!PostMessageW                0000000074f212a5 6 bytes JMP 7190000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!PostMessageA                0000000074f23baa 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!SendMessageA                0000000074f2612e 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!SendInput                    0000000074f3ff4a 3 bytes JMP 719c000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!SendInput + 4                0000000074f3ff4e 2 bytes JMP 719c000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!mouse_event                  0000000074f7027b 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\USER32.dll!keybd_event                  0000000074f702bf 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW            0000000075ab712c 6 bytes JMP 718a000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA            0000000075ad3158 6 bytes JMP 718d000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW      000000007522575a 6 bytes JMP 71a5000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\WS2_32.dll!connect                      0000000075226bdd 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\WS2_32.dll!listen                      000000007522b001 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    00000000751c1465 2 bytes [1C, 75]
.text  C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[4028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155    00000000751c14bb 2 bytes [1C, 75]
.text  ...                                                                                                                                      * 2
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                          000000007756fc00 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                      000000007756fc04 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                            000000007756fd44 3 bytes JMP 717e000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                        000000007756fd48 2 bytes JMP 717e000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                          0000000077570094 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                      0000000077570098 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                          00000000775701a4 3 bytes JMP 718a000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                      00000000775701a8 2 bytes JMP 718a000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                      0000000077570a24 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                  0000000077570a28 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                    0000000077571900 3 bytes JMP 717b000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                0000000077571904 2 bytes JMP 717b000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493              0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!SendMessageW                          0000000074f19679 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!PostMessageW                          0000000074f212a5 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!PostMessageA                          0000000074f23baa 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!SendMessageA                          0000000074f2612e 6 bytes JMP 719c000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!SendInput                            0000000074f3ff4a 3 bytes JMP 719f000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!SendInput + 4                        0000000074f3ff4e 2 bytes JMP 719f000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!mouse_event                          0000000074f7027b 6 bytes JMP 71a5000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\USER32.dll!keybd_event                          0000000074f702bf 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                      0000000075ab712c 6 bytes JMP 718d000a
.text  C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe[4040] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                      0000000075ad3158 6 bytes JMP 7190000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                  000000007756fc00 3 bytes JMP 7181000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                              000000007756fc04 2 bytes JMP 7181000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                      000000007756fd44 3 bytes JMP 717b000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                  000000007756fd48 2 bytes JMP 717b000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                    0000000077570094 3 bytes JMP 717e000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                0000000077570098 2 bytes JMP 717e000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                  00000000775701a4 3 bytes JMP 7187000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                              00000000775701a8 2 bytes JMP 7187000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                0000000077570a24 3 bytes JMP 7184000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                            0000000077570a28 2 bytes JMP 7184000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                              0000000077571900 3 bytes JMP 7178000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                          0000000077571904 2 bytes JMP 7178000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                      0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageW                                  0000000074f19679 6 bytes JMP 7196000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!PostMessageW                                  0000000074f212a5 6 bytes JMP 7190000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!PostMessageA                                  0000000074f23baa 6 bytes JMP 7193000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageA                                  0000000074f2612e 6 bytes JMP 7199000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!SendInput                                      0000000074f3ff4a 3 bytes JMP 719c000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!SendInput + 4                                  0000000074f3ff4e 2 bytes JMP 719c000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!mouse_event                                    0000000074f7027b 6 bytes JMP 71a2000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\USER32.dll!keybd_event                                    0000000074f702bf 6 bytes JMP 719f000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                              0000000075ab712c 6 bytes JMP 718a000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                              0000000075ad3158 6 bytes JMP 718d000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                        000000007522575a 6 bytes JMP 71a5000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\WS2_32.dll!connect                                        0000000075226bdd 6 bytes JMP 71ab000a
.text  C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[3084] C:\Windows\syswow64\WS2_32.dll!listen                                        000000007522b001 6 bytes JMP 71a8000a
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                  00000000773c1570 6 bytes {JMP QWORD [RIP+0x8d7eac0]}
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                      00000000773c1640 6 bytes {JMP QWORD [RIP+0x8dbe9f0]}
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                    00000000773c1860 6 bytes {JMP QWORD [RIP+0x8d9e7d0]}
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                  00000000773c1910 6 bytes {JMP QWORD [RIP+0x8d3e720]}
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                00000000773c1ea0 6 bytes {JMP QWORD [RIP+0x8d5e190]}
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                              00000000773c2840 6 bytes {JMP QWORD [RIP+0x8ddd7f0]}
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                      000007fefdb3b915 3 bytes CALL 55005c00
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW                                        000007feff3a3030 6 bytes JMP 29d020
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\system32\WS2_32.dll!connect + 1                                                    000007feff3a45c1 5 bytes JMP 0
.text  C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\system32\WS2_32.dll!listen                                                        000007feff3a8290 6 bytes JMP 0
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                000000007756fc00 3 bytes JMP 718a000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                            000000007756fc04 2 bytes JMP 718a000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                    000000007756fd44 3 bytes JMP 7184000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                000000007756fd48 2 bytes JMP 7184000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                  0000000077570094 3 bytes JMP 7187000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                              0000000077570098 2 bytes JMP 7187000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                00000000775701a4 3 bytes JMP 7190000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                            00000000775701a8 2 bytes JMP 7190000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                              0000000077570a24 3 bytes JMP 718d000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                          0000000077570a28 2 bytes JMP 718d000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                            0000000077571900 3 bytes JMP 7181000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                        0000000077571904 2 bytes JMP 7181000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                    0000000074d92c91 4 bytes CALL 71af0000
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!SendMessageW                                                0000000074f19679 6 bytes JMP 719f000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!PostMessageW                                                0000000074f212a5 6 bytes JMP 7199000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!PostMessageA                                                0000000074f23baa 6 bytes JMP 719c000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!SendMessageA                                                0000000074f2612e 6 bytes JMP 71a2000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!SendInput                                                    0000000074f3ff4a 3 bytes JMP 71a5000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                0000000074f3ff4e 2 bytes JMP 71a5000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!mouse_event                                                  0000000074f7027b 6 bytes JMP 71ab000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\USER32.dll!keybd_event                                                  0000000074f702bf 6 bytes JMP 71a8000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                            0000000075ab712c 6 bytes JMP 7193000a
.text  C:\Users\Faßbender\Desktop\xut43mt5.exe[4784] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                            0000000075ad3158 6 bytes JMP 7196000a

---- EOF - GMER 2.1 ----

Adware Log:

Code:
# AdwCleaner v2.112 - Datei am 19/02/2013 um 12:40:49 erstellt
# Aktualisiert am 10/02/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : Faßbender - FAßBENDER-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Faßbender\Desktop\adwcleaner0.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Users\Faßbender\AppData\Roaming\Mozilla\Firefox\Profiles\1vfnccjm.default\searchplugins\SearchResults.xml
Datei Gelöscht : C:\Users\Faßbender\AppData\Roaming\Mozilla\Firefox\Profiles\1vfnccjm.default\searchplugins\SweetIm.xml
Ordner Gelöscht : C:\Program Files (x86)\SweetIM
Ordner Gelöscht : C:\ProgramData\boost_interprocess
Ordner Gelöscht : C:\ProgramData\SweetIM
Ordner Gelöscht : C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Ordner Gelöscht : C:\Users\Faßbender\AppData\LocalLow\boost_interprocess
Ordner Gelöscht : C:\Users\Faßbender\AppData\Roaming\Mozilla\Firefox\Profiles\1vfnccjm.default\extensions\staged
Ordner Gelöscht : C:\Windows\Installer\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Features\9EE58E3C298524145B73CBBED3CAC4D3
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Features\EB6AF8AEEB922FA4392548F13812E50B
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Products\9EE58E3C298524145B73CBBED3CAC4D3
Schlüssel Gelöscht : HKLM\Software\Classes\Installer\Products\EB6AF8AEEB922FA4392548F13812E50B
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_2_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_2_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{EA8FA6BE-29BE-4AF2-9352-841F83215EB0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]
Wert Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Wert Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [10]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v8.0 (de)

Datei : C:\Users\Faßbender\AppData\Roaming\Mozilla\Firefox\Profiles\1vfnccjm.default\prefs.js

Gelöscht : user_pref("browser.search.defaultenginename", "Searchqu Web Search");
Gelöscht : user_pref("browser.search.order.1", "Searchqu Web Search");
Gelöscht : user_pref("browser.search.selectedEngine", "Searchqu Web Search");
Gelöscht : user_pref("extensions.snipit.askTbInstalled", true);
Gelöscht : user_pref("keyword.URL", "hxxp://www.searchqu.com/web?src=ffb&appid=0&systemid=413&sr=0&q=");

Datei : C:\Users\Faßbender\AppData\Roaming\Mozilla\Firefox\Profiles\lem4z7ft.default\prefs.js

[OK] Die Datei ist sauber.

Datei : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\l3a9x0tc.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Google Chrome v24.0.1312.57

Datei : C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [7283 octets] - [19/02/2013 12:40:49]

########## EOF - C:\AdwCleaner[S1].txt - [7343 octets] ##########

Blitzeis 19.02.2013 13:32
Teil 2:


OTL-Log:

Code:
OTL logfile created on: 19.02.2013 13:09:20 - Run 1
OTL by OldTimer - Version 3.2.69.0    Folder = C:\Users\Faßbender\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
15,99 Gb Total Physical Memory | 13,02 Gb Available Physical Memory | 81,43% Memory free
31,98 Gb Paging File | 28,84 Gb Available in Paging File | 90,17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1397,17 Gb Total Space | 50,94 Gb Free Space | 3,65% Space Free | Partition Type: NTFS
Drive E: | 1397,26 Gb Total Space | 1203,96 Gb Free Space | 86,17% Space Free | Partition Type: NTFS
 
Computer Name: FAßBENDER-PC | User Name: Faßbender | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.02.19 13:06:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Faßbender\Desktop\OTL (1).exe
PRC - [2013.01.30 08:14:30 | 003,089,320 | ---- | M] (Emsisoft GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
PRC - [2013.01.30 08:14:27 | 003,365,288 | ---- | M] (Emsisoft GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
PRC - [2012.10.11 10:55:32 | 000,336,304 | ---- | M] (Razer USA Ltd) -- C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
PRC - [2012.08.08 19:36:37 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.08 18:02:03 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.08 18:02:03 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2012.01.17 11:24:10 | 000,055,296 | ---- | M] () -- C:\Windows\SysWOW64\ASGT.exe
PRC - [2011.07.29 00:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
PRC - [2011.07.12 15:29:00 | 000,552,960 | ---- | M] (ROCCAT GmbH) -- C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe
PRC - [2010.10.12 16:28:26 | 000,726,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
PRC - [2010.10.12 16:24:38 | 000,304,568 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
PRC - [2010.07.15 20:53:09 | 002,326,920 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2009.10.05 18:05:12 | 002,158,592 | ---- | M] () -- C:\Program Files (x86)\Vtune\TBPANEL.exe
PRC - [2009.09.12 17:09:48 | 000,357,800 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2009.09.12 17:09:14 | 005,082,488 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2009.07.01 20:19:18 | 000,601,088 | ---- | M] () -- C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
PRC - [2009.04.02 05:27:27 | 000,090,112 | R--- | M] () -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.02.13 15:22:51 | 013,199,360 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\39f4c7717661667c68f9af8c4f6402b9\System.Windows.Forms.ni.dll
MOD - [2013.01.26 03:35:06 | 000,460,240 | ---- | M] () -- C:\Users\Faßbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
MOD - [2013.01.26 03:35:04 | 004,012,496 | ---- | M] () -- C:\Users\Faßbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\pdf.dll
MOD - [2013.01.26 03:34:19 | 000,597,968 | ---- | M] () -- C:\Users\Faßbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\libglesv2.dll
MOD - [2013.01.26 03:34:18 | 000,124,368 | ---- | M] () -- C:\Users\Faßbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\libegl.dll
MOD - [2013.01.26 03:34:16 | 001,552,848 | ---- | M] () -- C:\Users\Faßbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\ffmpegsumo.dll
MOD - [2013.01.10 23:08:05 | 001,218,560 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\ac9e3eca6c148504588e7c6d09fe83e3\System.Management.ni.dll
MOD - [2013.01.10 23:06:34 | 001,021,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Dura#\e7b4706dfe18f29486dbaf5d35e01765\System.Runtime.DurableInstancing.ni.dll
MOD - [2013.01.10 23:06:34 | 000,143,360 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\ef7642a4f2724135d445e2ea36582e78\SMDiagnostics.ni.dll
MOD - [2013.01.10 23:06:33 | 002,647,040 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Seri#\910fe53ec2122cf3a2ad11c2b2f5cbfd\System.Runtime.Serialization.ni.dll
MOD - [2013.01.10 23:06:31 | 000,393,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\d01a925ecd339eae8ea1da8488eb2283\System.Xml.Linq.ni.dll
MOD - [2013.01.10 23:06:14 | 001,801,728 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\866894ebe5258bf9f45d6b063229e990\System.Xaml.ni.dll
MOD - [2013.01.10 07:27:46 | 018,002,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\14f511c47523f19ca591eb207e9e2084\PresentationFramework.ni.dll
MOD - [2013.01.10 07:27:35 | 011,451,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\e10fd15441d278c04a03302880a3e231\PresentationCore.ni.dll
MOD - [2013.01.10 07:27:30 | 007,069,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\27dcf04ed7a3506045597c02a5a1fc31\System.Core.ni.dll
MOD - [2013.01.10 07:27:28 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\43cd41484df96d15df949eb17dd88152\System.Xml.ni.dll
MOD - [2013.01.10 07:27:28 | 001,667,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\b573c6a62bb88df0ee2af59b6a8ca910\System.Drawing.ni.dll
MOD - [2013.01.10 07:27:27 | 003,858,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7a9ff5ce3a909d075179a2ac70d8f388\WindowsBase.ni.dll
MOD - [2013.01.10 07:27:27 | 000,595,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\dfeff31ab1e7cd3480c8942290c92f5d\PresentationFramework.Aero.ni.dll
MOD - [2013.01.10 07:27:26 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\5de5d8c1c02e33789e3cf7e3f54c0ec9\System.Configuration.ni.dll
MOD - [2013.01.10 07:27:25 | 009,094,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\15872842e3e63ddf0f720f406706198e\System.ni.dll
MOD - [2013.01.10 07:27:20 | 014,412,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\3f95a6d480ed1ebe45cf27b770ba94ed\mscorlib.ni.dll
MOD - [2011.07.29 00:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011.07.29 00:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
MOD - [2010.06.22 13:50:52 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\hiddriver.dll
MOD - [2009.10.05 18:05:12 | 002,158,592 | ---- | M] () -- C:\Program Files (x86)\Vtune\TBPANEL.exe
MOD - [2009.07.01 20:19:18 | 000,601,088 | ---- | M] () -- C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
MOD - [2006.01.10 09:50:20 | 000,024,576 | R--- | M] () -- C:\Windows\SysWOW64\AsIO.dll
MOD - [1998.10.31 04:55:56 | 000,005,120 | ---- | M] () -- C:\Program Files (x86)\Vtune\TBManage.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013.02.12 07:03:44 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.01.30 08:14:30 | 003,089,320 | ---- | M] (Emsisoft GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2013.01.02 12:30:50 | 000,018,360 | ---- | M] (Overwolf Ltd) [On_Demand | Stopped] -- C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe -- (OverwolfUpdaterService)
SRV - [2012.10.31 06:56:00 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.10.02 23:21:00 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012.05.08 18:02:03 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.05.08 18:02:03 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.01.18 13:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2012.01.17 11:24:10 | 000,055,296 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\ASGT.exe -- (ASGT)
SRV - [2010.07.15 20:53:09 | 002,326,920 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010.03.18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.09.12 17:10:04 | 000,891,848 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009.07.26 06:43:14 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe -- (DAUpdaterSvc)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009.04.02 05:27:27 | 000,090,112 | R--- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe -- (AsSysCtrlService)
SRV - [2009.03.30 17:19:56 | 002,297,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012.10.10 04:13:34 | 000,025,600 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rzdaendpt.sys -- (rzdaendpt)
DRV:64bit: - [2012.10.10 04:13:32 | 000,023,040 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rzvkeyboard.sys -- (rzvkeyboard)
DRV:64bit: - [2012.09.18 07:21:54 | 000,112,640 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rzudd.sys -- (rzudd)
DRV:64bit: - [2012.05.08 18:02:03 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012.05.08 18:02:03 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2012.03.01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011.10.11 14:00:01 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2011.03.21 12:22:06 | 000,452,200 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011.03.11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 12:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.07.15 20:53:11 | 000,250,400 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
DRV:64bit: - [2010.07.15 20:53:08 | 001,455,648 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tdrpm251.sys -- (tdrpman251)
DRV:64bit: - [2010.07.15 20:53:07 | 000,929,312 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2010.07.15 20:51:50 | 000,254,496 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2010.07.14 11:51:56 | 000,087,600 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ctxusbm.sys -- (ctxusbm)
DRV:64bit: - [2009.07.16 04:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008.05.16 10:33:06 | 000,158,760 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016mdm.sys -- (s0016mdm)
DRV:64bit: - [2008.05.16 10:33:06 | 000,151,592 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016unic.sys -- (s0016unic)
DRV:64bit: - [2008.05.16 10:33:06 | 000,137,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016mgmt.sys -- (s0016mgmt)
DRV:64bit: - [2008.05.16 10:33:06 | 000,136,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016obex.sys -- (s0016obex)
DRV:64bit: - [2008.05.16 10:33:06 | 000,034,344 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016nd5.sys -- (s0016nd5)
DRV:64bit: - [2008.05.16 10:33:04 | 000,019,496 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV:64bit: - [2008.05.16 10:32:56 | 000,115,240 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s0016bus.sys -- (s0016bus)
DRV:64bit: - [2005.09.23 23:18:34 | 000,261,120 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\MarvinBus64.sys -- (MarvinBus)
DRV - [2012.12.03 23:27:31 | 000,027,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Users\FABEND~1\AppData\Local\Temp\GPU-Z.sys -- (GPU-Z)
DRV - [2012.11.13 21:53:00 | 000,014,544 | ---- | M] (OpenLibSys.org) [File_System | On_Demand | Stopped] -- C:\Program Files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys -- (WinRing0_1_2_0)
DRV - [2012.04.30 17:45:28 | 000,066,320 | ---- | M] (Emsisoft GmbH) [File_System | On_Demand | Running] -- C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys -- (a2acc)
DRV - [2012.04.30 17:45:00 | 000,044,688 | ---- | M] (Emsisoft GmbH) [File_System | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys -- (a2injectiondriver)
DRV - [2011.05.19 13:10:34 | 000,023,208 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys -- (A2DDA)
DRV - [2010.05.05 08:40:54 | 000,014,720 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys -- (a2util)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2002.07.17 15:20:32 | 000,084,832 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\ASPI32.SYS -- (ASPI)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.spiegel.de/
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 6F 3A F0 7B 7E CA 01  [binary data]
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\SearchScopes,DefaultScope = {2FF4B2BD-2D28-4FFE-8EA6-8937C22EC19D}
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\SearchScopes\{2FF4B2BD-2D28-4FFE-8EA6-8937C22EC19D}: "URL" = hxxp://www.google.de/search?q={searchTerms}&rlz=1I7ADFA_deDE496
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\SearchScopes\{3F45630C-CEC6-4E8D-B8EE-3DA195AE637C}: "URL" = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaulturl: "hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "hxxp://www.spiegel.de/"
FF - prefs.js..extensions.enabledAddons: {BAEBEF65-9289-47c5-8524-C345CC5D860D}:1.10
FF - prefs.js..extensions.enabledAddons: ich@maltegoetz.de:1.3.4
FF - prefs.js..extensions.enabledAddons: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08}:6.7
FF - prefs.js..extensions.enabledAddons: 2020Player_IKEA@2020Technologies.com:5.0.94.0
FF - prefs.js..extensions.enabledAddons: {6e84150a-d526-41f1-a480-a67d3fed910d}:1.5.1
FF - prefs.js..extensions.enabledItems: {6e84150a-d526-41f1-a480-a67d3fed910d}:1.4.5.1
FF - prefs.js..extensions.enabledItems: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08}:6.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 4444
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_149.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.132.0: C:\Program Files (x86)\Battlelog Web Plugins\1.132.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@SonyCreativeSoftware.com/Media Go,version=1.0: C:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Faßbender\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Faßbender\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011.11.22 00:35:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.05.27 08:23:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.02.02 07:58:43 | 000,000,000 | ---D | M]
 
[2011.11.24 19:40:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Extensions
[2013.02.19 12:41:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\1vfnccjm.default\extensions
[2010.09.28 13:20:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\1vfnccjm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.02.20 20:47:16 | 000,000,000 | ---D | M] ("SwitchProxy Tool") -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\1vfnccjm.default\extensions\{27A2FD41-CB23-4518-AB5C-C25BAFFDE531}
[2011.07.07 18:44:27 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\1vfnccjm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011.12.26 17:36:50 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\1vfnccjm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2012.04.29 04:48:44 | 000,000,000 | ---D | M] (20-20 3D Viewer - IKEA) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\1vfnccjm.default\extensions\2020Player_IKEA@2020Technologies.com
[2011.12.26 17:36:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\lem4z7ft.default\extensions
[2010.02.13 12:18:33 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\lem4z7ft.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009.12.16 12:54:48 | 000,000,000 | ---D | M] (Minimap Addon) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\lem4z7ft.default\extensions\{398e77b8-2304-11dc-8314-0800200c9a66}
[2011.12.26 17:36:50 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\lem4z7ft.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2010.02.13 10:40:27 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\lem4z7ft.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2009.12.16 12:54:48 | 000,000,000 | ---D | M] ("NetVideoHunter") -- C:\Users\Faßbender\AppData\Roaming\mozilla\Firefox\Profiles\lem4z7ft.default\extensions\netvideohunter@netvideohunter.com
[2011.11.22 00:28:21 | 000,550,833 | ---- | M] () (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\firefox\profiles\1vfnccjm.default\extensions\DivXWebPlayer@divx.com.xpi
[2012.02.04 13:14:26 | 000,018,684 | ---- | M] () (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\firefox\profiles\1vfnccjm.default\extensions\ich@maltegoetz.de.xpi
[2012.04.29 05:02:03 | 000,081,104 | ---- | M] () (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\firefox\profiles\1vfnccjm.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}.xpi
[2012.02.04 13:12:25 | 000,145,881 | ---- | M] () (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\firefox\profiles\1vfnccjm.default\extensions\{BAEBEF65-9289-47c5-8524-C345CC5D860D}.xpi
[2012.02.05 18:39:02 | 000,321,344 | ---- | M] () (No name found) -- C:\Users\Faßbender\AppData\Roaming\mozilla\firefox\profiles\1vfnccjm.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}.xpi
[2012.02.29 06:33:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2009.12.16 12:16:30 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files (x86)\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File not found (No name found) -- C:\USERS\FAßBENDER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1VFNCCJM.DEFAULT\EXTENSIONS\{6E84150A-D526-41F1-A480-A67D3FED910D}.XPI
File not found (No name found) -- C:\USERS\FAßBENDER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1VFNCCJM.DEFAULT\EXTENSIONS\{BAEBEF65-9289-47C5-8524-C345CC5D860D}.XPI
File not found (No name found) -- C:\USERS\FAßBENDER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1VFNCCJM.DEFAULT\EXTENSIONS\{FCAB6FDD-5585-425B-95C1-5ED856F3FD08}.XPI
File not found (No name found) -- C:\USERS\FAßBENDER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1VFNCCJM.DEFAULT\EXTENSIONS\2020PLAYER_IKEA@2020TECHNOLOGIES.COM
File not found (No name found) -- C:\USERS\FAßBENDER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1VFNCCJM.DEFAULT\EXTENSIONS\ICH@MALTEGOETZ.DE.XPI
[2011.11.13 09:51:38 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010.10.12 15:33:32 | 000,124,344 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CCMSDK.dll
[2010.10.12 15:37:06 | 000,070,592 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CgpCore.dll
[2010.10.12 15:35:42 | 000,091,576 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\confmgr.dll
[2010.10.12 15:34:56 | 000,022,464 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\ctxlogging.dll
[2010.10.12 17:16:54 | 000,484,768 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\npicaN.dll
[2010.01.13 23:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2010.10.12 15:37:02 | 000,024,000 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\TcpPServ.dll
[2011.10.08 08:21:30 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.10.08 08:21:30 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011.10.08 08:21:30 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2011.10.08 08:21:30 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.10.08 08:21:30 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.10.08 08:21:30 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter},
CHR - homepage:
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Fa\u00DFbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Fa\u00DFbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Fa\u00DFbender\AppData\Local\Google\Chrome\Application\24.0.1312.57\pdf.dll
CHR - plugin: SweetIM GC Helper (Disabled) = C:\Users\Fa\u00DFbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn\1.1.0.1_0\mgHelperGCFB.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: ESN Launch Mozilla Plugin (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\1.132.0\npesnlaunch.dll
CHR - plugin: ESN Sonar API (Enabled) = C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: DivX Plus Web Player (Enabled) = C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 7 U9 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
CHR - plugin: Media Go Detector (Enabled) = C:\Program Files (x86)\Sony\Media Go\npmediago.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
CHR - plugin: Java Deployment Toolkit 7.0.70.11 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - Extension: Turn Off the Lights = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn\2.1.0.30_0\
CHR - Extension: Wetter von wetter.com = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgapkfcninhaogfjjoohaleiclbhjmnp\1.21_0\
CHR - Extension: Forecastfox = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihffmkcfkejomlfnilnmkokcpgclhfeg\2.0.10_0\
CHR - Extension: Grey Ghost - Elegance WineRed = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\mebibalmkbcbjhmdmgjddaigbcpelknc\1_0\
CHR - Extension: Google Mail-Checker = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_0\
CHR - Extension: Quick Note = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\mijlebbfndhelmdpmllgcfadlkankhok\1.4.3_0\
CHR - Extension: Mehr Leistung und Videoformate f\u00FCr dein HTML5 \u003Cvideo\u003E = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\
CHR - Extension: Turn Off the Lights = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn\2.1.0.30_0\
CHR - Extension: Wetter von wetter.com = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgapkfcninhaogfjjoohaleiclbhjmnp\1.21_0\
CHR - Extension: Forecastfox = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihffmkcfkejomlfnilnmkokcpgclhfeg\2.0.10_0\
CHR - Extension: Grey Ghost - Elegance WineRed = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\mebibalmkbcbjhmdmgjddaigbcpelknc\1_0\
CHR - Extension: Google Mail-Checker = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_0\
CHR - Extension: Quick Note = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\mijlebbfndhelmdpmllgcfadlkankhok\1.4.3_0\
CHR - Extension: Mehr Leistung und Videoformate f\u00FCr dein HTML5 \u003Cvideo\u003E = C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\Orbitdownloader\GrabPro.dll ()
O3:64bit: - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\Orbitdownloader\GrabPro.dll ()
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [Cpu Level Up help] C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe ()
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [emsisoft anti-malware] c:\program files (x86)\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH)
O4 - HKLM..\Run: [QFan Help] C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe ()
O4 - HKLM..\Run: [Razer Synapse] C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe (Razer USA Ltd)
O4 - HKLM..\Run: [RoccatKone+] C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.EXE (ROCCAT GmbH)
O4 - HKLM..\Run: [StereoLinksInstall] C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000..\Run: [Sony PC Companion] "C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /Background File not found
O4 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000..\Run: [TBPanel] C:\Program Files (x86)\Vtune\TBPanel.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Free YouTube Download - C:\Users\Faßbender\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Faßbender\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Free YouTube Download - C:\Users\Faßbender\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Faßbender\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..Trusted Domains: fritz.box ([]* in Local intranet)
O15 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1487255489-2574314160-2474486194-1000\..Trusted Ranges: Range1 ([*] in Local intranet)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC7FDEB3-F060-4807-AE95-1C6ADE606A7D}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Overwolf\SKYPE4~2.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\application/x-ica - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=euc-jp - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=ISO-8859-1 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS936 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS949 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS950 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF-8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=euc-jp - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=ISO-8859-1 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS936 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS949 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS950 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF-8 - No CLSID value found
O18:64bit: - Protocol\Filter\ica - No CLSID value found
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0c11b7e9-917c-11df-855f-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{0c11b7e9-917c-11df-855f-806e6f6e6963}\Shell\AutoRun\command - "" = D:\CheckID.exe
O33 - MountPoints2\{4949fa0a-1478-11e2-bfed-90e6ba3c84a4}\Shell - "" = AutoRun
O33 - MountPoints2\{4949fa0a-1478-11e2-bfed-90e6ba3c84a4}\Shell\AutoRun\command - "" = F:\Startme.exe
O33 - MountPoints2\{70f8a8de-acd5-11df-897b-90e6ba3c84a4}\Shell - "" = AutoRun
O33 - MountPoints2\{70f8a8de-acd5-11df-897b-90e6ba3c84a4}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.02.19 17:12:47 | 000,000,000 | ---D | C] -- C:\_OTL
[2013.02.19 13:07:47 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Faßbender\Desktop\OTL (1).exe
[2013.02.13 15:16:45 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013.02.13 15:16:45 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013.02.13 15:16:45 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013.02.13 15:16:44 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013.02.13 15:16:44 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013.02.13 15:16:44 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013.02.13 15:16:44 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013.02.13 15:16:43 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013.02.13 15:16:43 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013.02.13 15:16:42 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.02.13 15:16:42 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013.02.13 15:16:42 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.02.13 15:16:40 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.02.13 15:16:40 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.02.13 15:16:40 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013.02.13 10:51:24 | 005,553,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013.02.13 10:51:22 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013.02.13 10:51:21 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013.02.13 10:50:54 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013.02.13 10:50:52 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013.02.13 10:50:52 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013.02.13 10:50:52 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013.02.13 10:50:52 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013.02.13 10:50:50 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013.02.13 10:50:43 | 000,288,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2013.02.11 18:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ROCCAT
[2013.01.30 07:51:06 | 000,000,000 | ---D | C] -- C:\Users\Faßbender\.thumbnails
[2013.01.30 07:49:40 | 000,000,000 | ---D | C] -- C:\Users\Faßbender\AppData\Local\fontconfig
[2013.01.30 07:49:08 | 000,000,000 | ---D | C] -- C:\Users\Faßbender\AppData\Local\gegl-0.2
[2013.01.30 07:49:08 | 000,000,000 | ---D | C] -- C:\Users\Faßbender\.gimp-2.8
[2013.01.30 07:47:32 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP 2
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Faßbender\Documents\*.tmp files -> C:\Users\Faßbender\Documents\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2045.10.28 12:35:42 | 000,002,725 | ---- | M] () -- C:\Users\Faßbender\Documents\Kill Bill 1.ncd
[2045.10.28 12:26:56 | 000,002,835 | ---- | M] () -- C:\Users\Faßbender\Documents\Toons-1+.ncd
[2045.10.28 12:18:36 | 000,002,606 | ---- | M] () -- C:\Users\Faßbender\Documents\Toons-1.ncd
[2013.02.19 13:10:10 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.02.19 13:10:10 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.02.19 13:06:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Faßbender\Desktop\OTL (1).exe
[2013.02.19 13:03:53 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.02.19 13:01:41 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.02.19 13:01:08 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.02.19 13:01:01 | 4287,930,366 | -HS- | M] () -- C:\hiberfil.sys
[2013.02.19 12:30:10 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.02.19 12:22:10 | 000,001,136 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1487255489-2574314160-2474486194-1000UA.job
[2013.02.19 11:23:14 | 000,587,671 | ---- | M] () -- C:\Users\Faßbender\Desktop\adwcleaner0.exe
[2013.02.19 11:22:01 | 000,374,784 | ---- | M] () -- C:\Users\Faßbender\Desktop\xut43mt5.exe
[2013.02.19 09:11:31 | 000,096,256 | ---- | M] () -- C:\Users\Faßbender\7244907.dll
[2013.02.19 08:40:20 | 001,635,688 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.02.19 08:40:20 | 000,705,196 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.02.19 08:40:20 | 000,659,212 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.02.19 08:40:20 | 000,151,690 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.02.19 08:40:20 | 000,123,886 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.02.18 20:24:37 | 000,484,585 | ---- | M] () -- C:\Users\Faßbender\Desktop\Niko Frisur.jpg
[2013.02.16 03:22:00 | 000,001,084 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1487255489-2574314160-2474486194-1000Core.job
[2013.02.13 17:39:49 | 000,509,168 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.02.12 07:03:44 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.02.12 07:03:44 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.02.11 10:05:58 | 000,149,595 | ---- | M] () -- C:\Users\Faßbender\Desktop\toller-pullover-fur-aktive-kids-rosa.htm
[2013.02.09 17:08:48 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI
[2013.02.02 07:58:43 | 000,002,054 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013.02.01 13:18:19 | 000,002,392 | ---- | M] () -- C:\Users\Faßbender\Desktop\Google Chrome.lnk
[2013.01.30 08:01:42 | 000,000,849 | ---- | M] () -- C:\Users\Faßbender\AppData\Local\recently-used.xbel
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Faßbender\Documents\*.tmp files -> C:\Users\Faßbender\Documents\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.02.19 11:23:28 | 000,587,671 | ---- | C] () -- C:\Users\Faßbender\Desktop\adwcleaner0.exe
[2013.02.19 11:22:31 | 000,374,784 | ---- | C] () -- C:\Users\Faßbender\Desktop\xut43mt5.exe
[2013.02.19 09:11:30 | 000,096,256 | ---- | C] () -- C:\Users\Faßbender\7244907.dll
[2013.02.11 10:06:18 | 000,484,585 | ---- | C] () -- C:\Users\Faßbender\Desktop\Niko Frisur.jpg
[2013.02.11 10:05:56 | 000,149,595 | ---- | C] () -- C:\Users\Faßbender\Desktop\toller-pullover-fur-aktive-kids-rosa.htm
[2013.01.30 08:01:42 | 000,000,849 | ---- | C] () -- C:\Users\Faßbender\AppData\Local\recently-used.xbel
[2013.01.30 07:48:17 | 000,000,932 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
[2012.12.03 23:09:34 | 000,007,602 | ---- | C] () -- C:\Users\Faßbender\AppData\Local\Resmon.ResmonCfg
[2012.12.01 09:20:44 | 000,000,022 | ---- | C] () -- C:\Windows\GPU-Z.INI
[2012.01.17 11:24:10 | 000,055,296 | ---- | C] () -- C:\Windows\SysWow64\ASGT.exe
[2011.07.25 14:01:19 | 000,004,089 | ---- | C] () -- C:\Users\Faßbender\KeyBindings.ini
[2011.07.10 06:54:30 | 000,000,431 | ---- | C] () -- C:\Windows\WISO.INI
[2010.04.12 19:12:19 | 000,005,120 | ---- | C] () -- C:\Users\Faßbender\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.05.11 12:08:15 | 000,000,174 | ---- | C] () -- C:\Users\Faßbender\default.pls
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

OTL-Log (Extras):

Code:
OTL Extras logfile created on: 19.02.2013 13:09:20 - Run 1
OTL by OldTimer - Version 3.2.69.0    Folder = C:\Users\Faßbender\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
15,99 Gb Total Physical Memory | 13,02 Gb Available Physical Memory | 81,43% Memory free
31,98 Gb Paging File | 28,84 Gb Available in Paging File | 90,17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1397,17 Gb Total Space | 50,94 Gb Free Space | 3,65% Space Free | Partition Type: NTFS
Drive E: | 1397,26 Gb Total Space | 1203,96 Gb Free Space | 86,17% Space Free | Partition Type: NTFS
 
Computer Name: FAßBENDER-PC | User Name: Faßbender | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\Orbitdownloader\orbitdm.exe" = C:\Program Files (x86)\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files (x86)\Orbitdownloader\orbitnet.exe" = C:\Program Files (x86)\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files (x86)\Orbitdownloader\orbitdm.exe" = C:\Program Files (x86)\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files (x86)\Orbitdownloader\orbitnet.exe" = C:\Program Files (x86)\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{06264517-069F-4B52-82B1-F71C965A5562}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{0F49246D-FB47-47A6-8B53-8D324C81F5E5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{1530A07A-04C8-4527-B253-09A7DAEB4DDD}" = rport=138 | protocol=17 | dir=out | app=system |
"{1FE4C238-EB87-4B45-A588-14EE0C220B18}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{227A2E30-1BBE-49D1-88C5-49538AABB26B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{279502D9-C94A-434F-962F-FDF02E824E8D}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{2D9FFACB-FEBD-4AAA-9C64-93098285264B}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{372804DE-44D2-4334-A2FB-549F88A4C1F2}" = lport=445 | protocol=6 | dir=in | app=system |
"{396C5DEA-A73F-4F1E-BF23-C369181ED6AF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{407535E1-8160-40C2-9D15-5CFD66E0E0AA}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{46C72F86-FE80-494B-A4DB-038C32D407AD}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{494CDA03-75C1-43A3-A726-758D1AD07267}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5298B593-FE10-4FA6-8795-2B1E1A1BF15F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{685F413A-47FB-45DA-90ED-C4F6934B7910}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6907DEDA-E0CD-48F9-8DFE-1BF2B9570893}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{6B531A32-6DB2-4095-8144-D545984E1AC4}" = lport=10243 | protocol=6 | dir=in | app=system |
"{6BDDB02C-B435-4296-A4A3-F8E16E7B9FCF}" = lport=139 | protocol=6 | dir=in | app=system |
"{8C334EEA-67BB-41FD-BFDA-DB3C981F4EC7}" = lport=137 | protocol=17 | dir=in | app=system |
"{8E8278F8-6F91-422C-B84E-E59181131965}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
"{A07C9A71-80E8-4FC3-A813-CA6BD44F0F6E}" = rport=137 | protocol=17 | dir=out | app=system |
"{AB39B8F8-DD65-4129-9CF9-4888FF47A93B}" = lport=138 | protocol=17 | dir=in | app=system |
"{AEF4F4BC-BE51-4FCA-8AAB-C9ECBB3A768B}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B47B5035-B8A0-4190-BEB8-819E851D5497}" = rport=139 | protocol=6 | dir=out | app=system |
"{CBE6B488-6046-487F-8A0E-06EAC953ACA2}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D38BC61F-3A84-44C3-B8B2-2222796C84CC}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D8E3CA9F-8A02-471A-937A-F39982994C93}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DC10203D-8B64-4487-A895-8832B96AAB3B}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{DC9CBE23-8A80-4B92-B83F-07587BCFA680}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{ECA68B40-1BD9-4364-AF19-641244ACBD46}" = rport=10243 | protocol=6 | dir=out | app=system |
"{F4544712-243A-45EC-BB0C-5645B7E06C13}" = lport=2869 | protocol=6 | dir=in | app=system |
"{FDBDD0BC-87EC-4563-B19F-9FB0E7F186E2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FE2C2117-B382-4B62-867E-8F367B269FE2}" = rport=445 | protocol=6 | dir=out | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{072A14B1-80D6-4A41-A4CA-39D5F2E841EA}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{07646CFC-A603-4C88-9CBF-2D026D310D14}" = protocol=17 | dir=in | app=c:\program files (x86)\battlelog web plugins\sonar\0.70.4\sonarhost.exe |
"{0ABE9C75-7181-4048-8463-E3B700A2D393}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{0FEBD30A-D10A-4178-98F9-E8D2553B035C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{141C5021-5DBD-4E65-BFDC-92656BD4A452}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\skyrim\skyrimlauncher.exe |
"{14649362-89BC-453D-82D9-282D31B22426}" = protocol=17 | dir=in | app=c:\program files (x86)\sweetim\communicator\sweetpacksupdatemanager.exe |
"{17C7E59B-D655-46C6-AD92-2CBAB2174298}" = protocol=17 | dir=in | app=c:\program files (x86)\pinnacle12\programs\studio.exe |
"{1B0CBAFC-E073-4A53-A097-F67EA7B4C776}" = protocol=17 | dir=in | app=c:\program files (x86)\dragon age\bin_ship\daorigins.exe |
"{1EE6C78C-8929-4C60-A900-31756427C3C2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{2015C1F1-EB8C-4344-92C0-553E63E2979A}" = protocol=6 | dir=in | app=c:\program files (x86)\dragon age 2\dragonage2launcher.exe |
"{24825DC9-05E7-47A5-8599-ED3C84E0D5C6}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{294D268C-5B22-4DF2-947C-65EAA4B54448}" = protocol=17 | dir=in | app=c:\windows\syswow64\msiexec.exe |
"{2E83A519-D212-4AFA-BACB-ACB213766A4E}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{2F064D9D-E78D-48E8-9E46-C9ADB3C48D5F}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\r.u.s.e\ruse.exe |
"{3273E336-773F-4FAB-9528-28E9C9CEDE0F}" = protocol=17 | dir=in | app=c:\program files (x86)\dragon age\daoriginslauncher.exe |
"{384348FB-4FEC-4123-8AAA-FA77489CB8E6}" = protocol=6 | dir=in | app=c:\program files (x86)\battlelog web plugins\sonar\0.70.4\sonarhost.exe |
"{3AFCE906-D06D-4F95-AC69-B5C2F4DC859E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{427DF615-3D36-40A7-93BF-C353D0C6262D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4287FDCB-9B3E-4DA9-8C0B-4A2C22E8554D}" = protocol=17 | dir=in | app=c:\program files (x86)\pinnacle12\programs\umi.exe |
"{4DFA1C36-0F24-4A1A-9253-495364CF0925}" = protocol=17 | dir=in | app=c:\program files (x86)\pinnacle12\programs\rm.exe |
"{4F2526F7-6A27-4760-A64C-BB2ECB589139}" = protocol=6 | dir=out | app=system |
"{53735C46-84B2-4B81-AEF9-6A7C1E6F753E}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{5493CF65-A421-439F-B246-ED6CD90E076D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5B3FBDD9-F74B-4512-9ACA-C178396803A5}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{652ACCEE-1BD7-4132-A0E1-ED990CE34FCD}" = protocol=6 | dir=in | app=c:\program files (x86)\sony ericsson\update engine\sony ericsson update engine.exe |
"{68208501-3FCB-450C-9887-158D5D2619B6}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{6862F5A8-1B65-4978-8B9E-1BB3C15E5625}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6B47EB4C-B13F-4160-A7EB-3AF05DEB562C}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\r.u.s.e\ruse.exe |
"{702AF1D4-74CC-4D29-A516-7709CC648A4C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7764037E-6255-46A0-B301-0DFB942D8631}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8B008004-2567-46B8-B29E-DEF6806019DD}" = protocol=6 | dir=in | app=c:\program files (x86)\dragon age\daoriginslauncher.exe |
"{8D519E6B-8DD9-4947-A812-F2E9921F79CE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{8D79502C-D959-4765-A35A-6255F0A57943}" = protocol=6 | dir=in | app=c:\program files (x86)\pinnacle12\programs\umi.exe |
"{90C856A9-4254-40CC-BDE5-096F25FBF26E}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{9425C894-3E41-473A-BF88-0D110C75F768}" = protocol=6 | dir=in | app=c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe |
"{A4E1C733-2E73-4A03-80AB-159A45F4750D}" = protocol=6 | dir=in | app=c:\program files (x86)\sweetim\communicator\sweetpacksupdatemanager.exe |
"{A782FF2B-8571-4FFD-B025-326328AC92EE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{B2FEDF68-49C9-4EAB-A16C-43411E946D2F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{B6208106-548A-4065-A46D-BF6226294E29}" = protocol=6 | dir=in | app=c:\program files (x86)\dragon age 2\bin_ship\dragonage2.exe |
"{B6AAB71B-2156-44C5-91F5-FF26ED2A3F57}" = protocol=6 | dir=in | app=c:\program files (x86)\pinnacle12\programs\studio.exe |
"{BC48EB07-6598-4729-AC36-057C57EB71F6}" = protocol=6 | dir=in | app=c:\program files (x86)\pinnacle12\programs\rm.exe |
"{C19FA35B-E94B-462B-AD41-EF70F36666D5}" = protocol=17 | dir=in | app=c:\program files (x86)\deepinvent\mailstore home\mailstorelocal.exe |
"{C8A25334-B610-4290-8616-8FE8282DE03D}" = protocol=17 | dir=in | app=c:\program files (x86)\dragon age 2\dragonage2launcher.exe |
"{C8D5A16F-EBFB-4335-A224-20E65BAAF3CA}" = protocol=6 | dir=in | app=c:\windows\syswow64\msiexec.exe |
"{D35B4707-F5BD-4696-95A6-6CD8A501398B}" = protocol=17 | dir=in | app=c:\program files (x86)\sony ericsson\update engine\sony ericsson update engine.exe |
"{D4A7C4CE-9C1E-433D-A54D-3770F8865B73}" = protocol=17 | dir=in | app=c:\program files (x86)\dragon age 2\bin_ship\dragonage2.exe |
"{D6CBFADC-040A-42D4-86A6-144F74B2D596}" = protocol=6 | dir=in | app=c:\program files (x86)\deepinvent\mailstore home\mailstorelocal.exe |
"{D98FA44F-93FC-464D-8665-681220B2E843}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DBADD96E-6A20-4B60-BD21-07B7FBA3DE06}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{EA54441A-CE67-45DC-AA32-20A22FEF6E31}" = protocol=6 | dir=in | app=c:\program files (x86)\dragon age\bin_ship\daorigins.exe |
"{EC25B814-1013-4970-A9DE-20BC2FB1B041}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F7100E21-EB20-4B65-92AD-528E1C573DFA}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\skyrim\skyrimlauncher.exe |
"{FFEFE04C-E837-4070-8BC6-89E98EA9C963}" = protocol=17 | dir=in | app=c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe |
"TCP Query User{061196F6-5CAB-41BB-8557-763975A2F977}C:\program files (x86)\orbitdownloader\orbitnet.exe" = protocol=6 | dir=in | app=c:\program files (x86)\orbitdownloader\orbitnet.exe |
"TCP Query User{26714CB7-105A-444E-B01C-3BF40C4BFE00}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"TCP Query User{335CC2C1-AF88-4041-A319-EA717E342389}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"TCP Query User{46B89716-3ED0-4A43-915B-83844426F864}C:\program files (x86)\bittorrent\bittorrent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\bittorrent\bittorrent.exe |
"TCP Query User{4A536358-D615-473D-BB53-CC3AA5AEF24D}C:\program files (x86)\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\client\googleearth.exe |
"TCP Query User{4CB54770-7F51-4F79-A951-3E3237DA4FD8}C:\users\public\sony online entertainment\installed games\planetside 2 beta\planetside2.exe" = protocol=6 | dir=in | app=c:\users\public\sony online entertainment\installed games\planetside 2 beta\planetside2.exe |
"TCP Query User{59D51B95-57A2-48E0-A4FA-8EB1C97DECC6}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"TCP Query User{719C98D9-CE36-4819-B47D-67D8D2D4B369}C:\program files (x86)\orbitdownloader\orbitnet.exe" = protocol=6 | dir=in | app=c:\program files (x86)\orbitdownloader\orbitnet.exe |
"TCP Query User{7D7B79BB-AEDE-4392-B915-79C707FFFF08}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"TCP Query User{9070BCCE-034A-4940-AA42-A3E1C8AA7DE9}C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe" = protocol=6 | dir=in | app=c:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe |
"TCP Query User{92AEF9E3-37F0-4821-B833-DC5899375F4B}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"TCP Query User{DC275527-9BB1-4F71-BDD0-9B29D7EF6D19}C:\users\public\sony online entertainment\installed games\planetside 2\planetside2.exe" = protocol=6 | dir=in | app=c:\users\public\sony online entertainment\installed games\planetside 2\planetside2.exe |
"UDP Query User{0A26A9B7-7209-4CD5-9369-6599EBF4F5E9}C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe" = protocol=17 | dir=in | app=c:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe |
"UDP Query User{0EE01EAA-71B0-4C41-B968-F85F6BB1336F}C:\users\public\sony online entertainment\installed games\planetside 2\planetside2.exe" = protocol=17 | dir=in | app=c:\users\public\sony online entertainment\installed games\planetside 2\planetside2.exe |
"UDP Query User{35861F72-EB59-4A12-8189-AD38690B45C8}C:\program files (x86)\orbitdownloader\orbitnet.exe" = protocol=17 | dir=in | app=c:\program files (x86)\orbitdownloader\orbitnet.exe |
"UDP Query User{42899FB3-BD58-48C6-B18A-C22E12569735}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{90C4B90F-2445-4B7C-9EDB-B4A669343486}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{B6BA873B-B1AB-45A4-A143-20B3D70AEDCD}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"UDP Query User{B987BFD8-D032-4FBD-94DD-26E10B266AC6}C:\program files (x86)\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\client\googleearth.exe |
"UDP Query User{C0573286-5501-4DED-8C13-ED4D87A1FAC5}C:\program files (x86)\bittorrent\bittorrent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\bittorrent\bittorrent.exe |
"UDP Query User{D10B1778-3299-4205-8052-A98324E3A789}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{D9C3DC5C-AA03-4628-8D19-9871D0CDD79F}C:\users\public\sony online entertainment\installed games\planetside 2 beta\planetside2.exe" = protocol=17 | dir=in | app=c:\users\public\sony online entertainment\installed games\planetside 2 beta\planetside2.exe |
"UDP Query User{E1023BBF-C9AD-48B2-B845-6A234195D052}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"UDP Query User{F1A57C03-81B8-489F-B7E0-59DBB66419EC}C:\program files (x86)\orbitdownloader\orbitnet.exe" = protocol=17 | dir=in | app=c:\program files (x86)\orbitdownloader\orbitnet.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02382870-19C7-3ACD-BBAE-F6E3760947DC}" = Microsoft .NET Framework 4 Extended DEU Language Pack
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{6DE721A5-5E89-4D74-994C-652BB3C0672E}" = Pinnacle Video Treiber
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
"{B0EFB716-085B-4564-8060-212E41F5CE50}" = Windows Live ID-Anmelde-Assistent
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller-Treiber 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.12.0604
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"GIMP-2_is1" = GIMP 2.8.2
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack
"TeraCopy_is1" = TeraCopy 2.12
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}" = Razer Synapse 2.0
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}" = PlayStation(R)Store
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{199C20D6-10D3-4210-B361-4760209F56AE}" = Citrix Online Plug-in (Web)
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 9
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{2FDD750F-49B7-40C1-9D5E-D2955BC0E2D8}" = NVIDIA PhysX
"{310BC5E2-31AF-49BB-904D-E71EB93645DC}" = AI Suite
"{3ECCB578-504E-4F7A-A8B4-CF4F3B939B44}" = Citrix Online Plug-in (USB)
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52B65911-1559-4ED5-9461-46957FDD48CD}" = Borderlands
"{5310C7A5-A385-6E26-66E9-C0F0CA5A7E45}" = BeatportDownloader
"{532F6E8A-AF97-41C3-915F-39F718EC07D1}" = ASUS GPU Tweak
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{678094A1-6250-476B-9AFF-4376E48F135C}" = Citrix Online Plug-in (DV)
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{88F0F4FF-B514-4E32-9C17-CAF96D60EAFC}" = Razer Game Booster
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_PROHYBRIDR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_PROHYBRIDR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002A-0000-1000-0000000FF1CE}_PROHYBRIDR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002A-0407-1000-0000000FF1CE}_PROHYBRIDR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_PROHYBRIDR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.3 - Deutsch
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B6659DD8-00A7-4A24-BBFB-C1F6982E5D66}" = PlayStation(R)Network Downloader
"{B99CB207-4704-4C51-9309-0FA90AA26DD4}" = ROCCAT Kone[+] Mouse Driver
"{BC30E5E7-047D-4232-A7E8-F2CB7CC7B2E0}_is1" = Emsisoft Anti-Malware
"{bd42242a-4ffa-47fe-a370-ee4efd41fbb9}" = Nero 9 Lite
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{BE4F388F-E7B6-43E8-8856-6B74AC375A87}" = Media Go
"{C05DB3EA-72D9-4EF0-9D19-B0864AF582A5}" = WISO Haushaltsbuch 2009
"{C1212AE3-DBB9-4365-8473-F8ABC7B06BBB}" = Pinnacle Instant DVD Recorder
"{C2F1F96A-057E-5819-B52E-FEA1D1D2933B}" = Acronis*True*Image*Home
"{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}" = Nero Online Upgrade
"{C8508BC4-52AF-46A9-986D-814775FC6670}" = Overwolf
"{CAAB0192-5704-469F-A0BE-2D842D70E93B}_is1" = Sothink FLV Player
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony PC Companion 2.10.115
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F2E23139-3404-4E3C-9855-7724415D62A5}" = Dragon Age II
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{FA365307-1963-4D16-BD44-113C8F037AAD}" = Citrix Online Plug-in (HDX)
"{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"4Musics MPC to MP3 Converter 4.6_is1" = 4Musics MPC to MP3 Converter 4.6
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ALDI Bestellsoftware" = ALDI Bestellsoftware 4.11.0
"Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9
"AudioConverter Studio_is1" = AudioConverter Studio 6.1
"Avira AntiVir Desktop" = Avira Free Antivirus
"Battlelog Web Plugins" = Battlelog Web Plugins
"BeatportDownloader.EE670286545758FAB4A69D4439CF6054F83E0AC2.1" = BeatportDownloader
"BitTorrent" = BitTorrent
"CitrixOnlinePluginPackWeb" = Citrix Online Plug-in - Web
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2007-07-22
"DivX Setup" = DivX-Setup
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ESN Sonar-0.70.4" = ESN Sonar
"EVEREST Home Edition_is1" = EVEREST Home Edition v2.20
"FLV Player" = FLV Player 2.0 (build 25)
"Free 3GP Video Converter_is1" = Free 3GP Video Converter version 3.4
"Free FLV Converter_is1" = Free FLV Converter V 7.2.0
"Free YouTube Download_is1" = Free YouTube Download version 3.0.19.1206
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.10.17.221
"GimpLqRPlugIn" = GIMP LqR Plug-In
"HPR_WEG" = Praxishandbuch Wohnungseigentum
"InstallShield_{532F6E8A-AF97-41C3-915F-39F718EC07D1}" = ASUS GPU Tweak
"MailStore Home_is1" = MailStore Home 4.0.4.3791
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300
"Mozilla Firefox 8.0 (x86 de)" = Mozilla Firefox 8.0 (x86 de)
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"Mp3tag" = Mp3tag v2.45a
"NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Orbit_is1" = Orbit Downloader
"PROHYBRIDR" = 2007 Microsoft Office system
"Steam App 218230" = PlanetSide 2
"Steam App 21970" = R.U.S.E
"Steam App 72850" = The Elder Scrolls V: Skyrim
"SystemRequirementsLab" = System Requirements Lab
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"Uninstall_is1" = Uninstall 1.0.0.1
"Update Engine" = Sony Ericsson Update Engine
"VLC media player" = VLC media player 2.0.0-rc1-20120201-0207
"Vtune_is1" = Vtune 7.6
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"XMedia Recode" = XMedia Recode 3.0.6.0
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1487255489-2574314160-2474486194-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"SOE-C:/Users/Faßbender/AppData/Local/Sony Online Entertainment/ApplicationUpdater" = applicationupdater
"SOE-C:/Users/Public/Sony Online Entertainment/Installed Games/PlanetSide 2" = gamelauncher-ps2-live
"SOE-C:/Users/Public/Sony Online Entertainment/Installed Games/PlanetSide 2 Beta" = gamelauncher-code4344-beta
"soe-PlanetSide 2" = PlanetSide 2
"SOE-PlanetSide 2 Beta" = PlanetSide 2 Beta
"Winamp Detect" = Winamp Erkennungs-Plug-in
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 30.03.2012 15:01:01 | Computer Name = Faßbender-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 8.0.7601.17514,
 Zeitstempel: 0x4ce7a313  Name des fehlerhaften Moduls: mshtml.dll, Version: 8.0.7601.17744,
 Zeitstempel: 0x4eeb0360  Ausnahmecode: 0xc0000005  Fehleroffset: 0x0000000000343f12
ID
 des fehlerhaften Prozesses: 0xbd8  Startzeit der fehlerhaften Anwendung: 0x01cd0e74623454e6
Pfad
 der fehlerhaften Anwendung: C:\Program Files\Internet Explorer\iexplore.exe  Pfad
 des fehlerhaften Moduls: C:\Windows\System32\mshtml.dll  Berichtskennung: b06bea6e-7a9a-11e1-9443-90e6ba3c84a4
 
Error - 02.04.2012 14:53:53 | Computer Name = Faßbender-PC | Source = Windows Backup | ID = 4103
Description =
 
Error - 08.04.2012 13:00:10 | Computer Name = Faßbender-PC | Source = Windows Backup | ID = 4103
Description =
 
Error - 09.04.2012 08:25:40 | Computer Name = Faßbender-PC | Source = Application Hang | ID = 1002
Description = Programm iexplore.exe, Version 8.0.7601.17514 kann nicht mehr unter
 Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
 zu suchen.    Prozess-ID: c2c    Startzeit: 01cd1615524dfde4    Endzeit: 0    Anwendungspfad: C:\Program
 Files\Internet Explorer\iexplore.exe    Berichts-ID: 
 
Error - 15.04.2012 13:00:17 | Computer Name = Faßbender-PC | Source = Windows Backup | ID = 4103
Description =
 
Error - 20.04.2012 12:52:10 | Computer Name = Faßbender-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: IEXPLORE.EXE, Version: 8.0.7601.17514,
 Zeitstempel: 0x4ce79912  Name des fehlerhaften Moduls: GrabPro.dll, Version: 1.0.0.29,
 Zeitstempel: 0x4e09365d  Ausnahmecode: 0xc0000409  Fehleroffset: 0x00074539  ID des fehlerhaften
 Prozesses: 0x1300  Startzeit der fehlerhaften Anwendung: 0x01cd1efa283ea971  Pfad der
 fehlerhaften Anwendung: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  Pfad
 des fehlerhaften Moduls: C:\Program Files (x86)\Orbitdownloader\GrabPro.dll  Berichtskennung:
 2b78b3e6-8b09-11e1-80ef-90e6ba3c84a4
 
Error - 22.04.2012 13:00:01 | Computer Name = Faßbender-PC | Source = Windows Backup | ID = 4103
Description =
 
Error - 29.04.2012 13:00:01 | Computer Name = Faßbender-PC | Source = Windows Backup | ID = 4103
Description =
 
Error - 01.05.2012 08:55:13 | Computer Name = Faßbender-PC | Source = Application Hang | ID = 1002
Description = Programm javaw.exe, Version 6.0.310.5 kann nicht mehr unter Windows
 ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
 um nach weiteren Informationen zum Problem zu suchen.    Prozess-ID: 47c    Startzeit:
01cd275f833a08db    Endzeit: 16    Anwendungspfad: C:\Program Files (x86)\Java\jre6\bin\javaw.exe

Berichts-ID:
 c7f3eebc-938c-11e1-a44a-90e6ba3c84a4 
 
Error - 04.05.2012 14:32:34 | Computer Name = Faßbender-PC | Source = Application Hang | ID = 1002
Description = Programm iexplore.exe, Version 8.0.7601.17514 kann nicht mehr unter
 Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
 zu suchen.    Prozess-ID: fe4    Startzeit: 01cd2a1e48c831e2    Endzeit: 6    Anwendungspfad: C:\Program
 Files\Internet Explorer\iexplore.exe    Berichts-ID: 727d35de-9617-11e1-8efc-90e6ba3c84a4

 
Error - 06.05.2012 13:00:10 | Computer Name = Faßbender-PC | Source = Windows Backup | ID = 4103
Description =
 
[ OSession Events ]
Error - 17.03.2010 04:56:21 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1346
 seconds with 240 seconds of active time.  This session ended with a crash.
 
Error - 31.03.2010 16:55:17 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 219
 seconds with 180 seconds of active time.  This session ended with a crash.
 
Error - 06.01.2012 17:03:05 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 16.02.2012 12:03:44 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 27.10.2012 16:33:43 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6661.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 1
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 20.11.2012 14:23:40 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 1
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 18.12.2012 03:21:55 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 1
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 05.02.2013 04:42:56 | Computer Name = Faßbender-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 9431
 seconds with 780 seconds of active time.  This session ended with a crash.
 
[ System Events ]
Error - 19.02.2013 04:59:30 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "TBPanel" wurde aufgrund folgenden Fehlers nicht gestartet:
  %%2
 
Error - 19.02.2013 05:01:46 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "TBPanel" wurde aufgrund folgenden Fehlers nicht gestartet:
  %%2
 
Error - 19.02.2013 05:04:09 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:  %%1330    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 19.02.2013 05:04:09 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden
 Fehlers nicht gestartet:  %%1069
 
Error - 19.02.2013 06:15:11 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "TBPanel" wurde aufgrund folgenden Fehlers nicht gestartet:
  %%2
 
Error - 19.02.2013 06:18:11 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:  %%1330    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 19.02.2013 06:18:11 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden
 Fehlers nicht gestartet:  %%1069
 
Error - 19.02.2013 08:01:14 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "TBPanel" wurde aufgrund folgenden Fehlers nicht gestartet:
  %%2
 
Error - 19.02.2013 08:04:30 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:  %%1330    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 19.02.2013 08:04:30 | Computer Name = Faßbender-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden
 Fehlers nicht gestartet:  %%1069
 
 
< End of report >
Soweit ich sehe, läuft alles wieder. Vielen Dank! :)

Ich warte dann noch auf dein OK.

aharonov 19.02.2013 13:46
Hallo,

wir sollten noch eine Kontrolle machen und dann Sicherheitslücken schliessen, um solchen Malwareeinfall in Zukunft zu verhindern.


Hinweis: Mehrere AV-Hintergrundwächter

Mir ist aufgefallen, dass du mehr als ein Antivirus-Programm mit Hintergrundwächter laufen hast:
  • Avira Free Antivirus
  • Emsisoft Anti-Malware
Das ist gefährlich, da sich die verschiedenen Hintergrundwächter gegenseitig in die Quere kommen können und dadurch in ihrer Summe nicht mehr sondern weniger Schutz bieten. Ausserdem bremst das auch das System aus.

Entscheide dich für eines dieser Programme und deinstalliere die anderen über Start -> Systemsteuerung -> Programme und Funktionen (Vista & Win 7) bzw. Start -> Systemsteuerung -> Software (Win XP).



Schritt 1
  • Starte bitte die OTL.exe.
  • Kopiere nun den folgenden Inhalt aus der Codebox in die http://larusso.trojaner-board.de/Images/otlfix.jpg Textbox.
    Wichtig: Falls du deinen Benutzernamen im Log unkenntlich gemacht hast (z.B. durch ***), dann mach das hier wieder rückgängig.
Code:
:OTL
[2013.02.19 09:11:31 | 000,096,256 | ---- | M] () -- C:\Users\Faßbender\7244907.dll

:commands
[emptytemp]
  • Schliesse nun bitte alle anderen Programme.
  • Klicke jetzt auf den Fix Button.
  • OTL kann gegebenfalls einen Neustart verlangen. Diesen bitte zulassen.
  • Nach dem Neustart findest du ein Textdokument auf deinem Desktop.
    (Auch zu finden unter C:\_OTL\MovedFiles\<date_time>.log)
  • Kopiere nun dessen Inhalt hier in deinen Thread.



Schritt 2
  • Öffne das Programm Malwarebytes Anti-Malware.
    Vista und Win7 User mit Rechtsklick "als Administrator starten".
  • Klicke auf Aktualisierung --> Suche nach Aktualisierung.
  • Wenn das Update beendet wurde, aktiviere im Reiter Suchlauf die Option Quick-Scan durchführen und drücke auf Scannen.
  • Wenn der Scan fertig ist, klicke auf Ergebnisse anzeigen.
  • Versichere dich, dass alle Funde markiert sind und drücke Entferne Auswahl.
  • Poste das Logfile, welches sich in Notepad öffnet, hier in den Thread.
  • Nachträglich kannst du den Bericht unter dem Reiter Logdateien finden.



Schritt 3

Lade das Setup des ESET Online Scanners herunter und speichere es auf den Desktop.
  • Schliesse evtl. vorhandene externe Festplatten und USB-Sticks an den Rechner an.
  • Deaktiviere jetzt temporär für diesen Scan dein Antivirenprogramm und die Firewall.
    (Danach nicht vergessen, sie wieder einzuschalten.)
  • Starte nun die heruntergeladene esetsmartinstaller_enu.exe.
  • Setze den Haken bei Yes, I accept the Terms of Use und drücke Start.
  • Warte bis die Komponenten heruntergeladen sind.
  • Setze den Haken bei Scan archives.
  • Gehe sicher, dass bei Remove found Threats kein Haken gesetzt ist.
  • Drücke dann auf Start.
  • Die Signaturen werden heruntergeladen und der Scan startet automatisch.
    Hinweis: Dieser Scan kann unter Umständen ziemlich lange dauern!
  • Falls nach Beendigung des Scans Funde angezeigt werden, dann:
    • Drücke auf List of found threats.
    • Klicke dann auf Export to text file... und speichere die Textdatei als ESET.txt auf den Desktop.
    • Drücke danach auf << Back.
  • Schliesse nun den Scanner mit einem Klick auf Finish.
Poste bitte den Inhalt der ESET.txt oder teile mir mit, wenn es keine Funde gegeben hat.



Schritt 4

Downloade dir bitte SecurityCheck (Link 1, Link 2).
  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Wenn der Scan beendet wurde, sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.



Bitte poste in deiner nächsten Antwort:
  • Fixlog von OTL
  • Log von MBAM
  • Log von ESET
  • Log von SecurityCheck

Blitzeis 19.02.2013 16:07
Ok, also hier die Ergebnisse:

OTL:

Code:
All processes killed
========== OTL ==========
C:\Users\Faßbender\7244907.dll moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 297476 bytes
->Temporary Internet Files folder emptied: 191772 bytes
->FireFox cache emptied: 31210767 bytes
->Flash cache emptied: 434 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Faßbender
->Temp folder emptied: 2246265362 bytes
->Temporary Internet Files folder emptied: 8717992276 bytes
->Java cache emptied: 8170026 bytes
->FireFox cache emptied: 547442113 bytes
->Google Chrome cache emptied: 449963223 bytes
->Flash cache emptied: 276652 bytes
 
User: ABCD
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 356352 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 626845968 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50501 bytes
RecycleBin emptied: 3207461 bytes
 
Total Files Cleaned = 12.047,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 02192013_135943

Files\Folders moved on Reboot...
C:\Users\Faßbender\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\data_4 moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\data_5 moved successfully.
C:\Users\Faßbender\AppData\Local\Google\Chrome\User Data\Default\Cache\index moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Malwarebytes:

Code:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.02.19.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Faßbender :: FAßBENDER-PC [Administrator]

19.02.2013 14:27:08
mbam-log-2013-02-19 (14-27-08).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 265067
Laufzeit: 10 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
Eset:

Keine Funde

SecurityCheck:

Code:
Results of screen317's Security Check version 0.99.58 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
Emsisoft Anti-Malware 
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware Version 1.70.0.1100 
 Java 7 Update 9 
 Java version out of Date!
  Adobe Flash Player 11.5.502.149 Flash Player out of Date! 
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox 8.0 Firefox out of Date! 
 Google Chrome 24.0.1312.56 
 Google Chrome 24.0.1312.57 
````````Process Check: objlist.exe by Laurent```````` 
 Emsisoft Anti-Malware a2service.exe 
 EMSISOFT ANTI-MALWARE a2guard.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````

aharonov 19.02.2013 16:16
Ok, dann bring noch deine Software auf den neusten Stand und wir räumen hier auf.


Hinweis: Filesharing / P2P

Ich sehe, dass du sogenannte Peer-to-Peer oder Filesharing Programme verwendest.

In deinem Fall ist es BitTorrent.

Diese Programme erlauben es dir, Dateien mit anderen Usern auszutauschen.

Leider wird p2p oder Filesharing oft dazu benutzt, infizierte Dateien zu verteilen und ist auch mit ein Grund, warum sich Malware so schnell verbreitet.
Du kannst niemals wissen, woher die heruntergeladenen Dateien stammen und was wirklich drin ist. Auch eine Überprüfung durch ein Antivirenprogramm ist nur bedingt aussagekräftig. Daher sollte diese Art Software mit äusserster Vorsicht benutzt werden.

Ein weiterer Punkt ist, dass das Verbreiten von Media und Entertainment Dateien in den meisten Ländern der Welt gegen Copyright-Gesetze verstösst.
Natürlich gibt es auch legale Wege, solche Programme zu nutzen, wie zum Beispiel zum Downloaden von Linux Distributionen oder Open Office.

Dennoch würde ich dir empfehlen, diese Art von Software nicht weiterhin zu verwenden und sie über
Start --> Systemsteuerung --> Software (bei Windows XP)
Start --> Systemsteuerung --> Programme und Funktionen (bei Vista / Win 7)
zu deinstallieren.



Schritt 1

Dein Java ist nicht mehr aktuell. Ältere Versionen enthalten Sicherheitslücken, die von Malware zur Infizierung per Drive-by Download missbraucht werden können.

Die aktuelle Version ist Java 7 Update 13.
  • Gehe zu
    Start --> Systemsteuerung --> Programme und Funktionen (bei Vista / Win 7)
    Start --> Systemsteuerung --> Software (bei Win XP)
    und deinstalliere alle älteren Java-Versionen.
In wenigen Fällen wird Java wirklich benötigt. Auch werden immer wieder neue, noch nicht geschlossene Sicherheitslücken ausgenutzt.
Überleg dir also, ob du eine Java-Installation wirklich brauchst.
Falls du Java weiterhin verwenden möchtest, dann:
  • Lade dir die neueste Java-Version herunter.
  • Schliesse alle laufenden Programme, speziell den Browser.
  • Starte die heruntergeladene jxpiinstall.exe und folge den Anweisungen.
  • Entferne während der Installation den Haken bei "Installieren Sie die Ask-Toolbar ...".



Schritt 2

Die Version deines Adobe PDF Readers ist veraltet, wir müssen ihn updaten:
  • Deinstalliere bitte deine aktuelle Version von Adobe Reader über
    Start --> Systemsteuerung --> Software (bei Windows XP)
    Start --> Systemsteuerung --> Programme und Funktionen (bei Vista / Windows 7)
  • Besuche diese Seite von Adobe.
  • Entferne gegebenenfalls den Haken bei McAfee Security Scan bzw. Google Chrome.
  • Drücke auf Jetzt herunterladen und installiere die neuste Version.



Schritt 3

Dein Firefox ist veraltet. Deinstalliere Mozilla Firefox 8.0 und downloade die neuste Version, wenn du ihn weiterhin verwenden möchtest.



Schritt 4

Den ESET Online Scanner kannst du behalten, um ab und zu für eine Zweitmeinung dein System damit zu scannen.
Falls du ESET aber deinstallieren möchtest, dann:

Drücke bitte die http://larusso.trojaner-board.de/Images/windows.jpg + R Taste, kopiere folgenden Text in das Ausführen Fenster
Code:
"%ProgramFiles%\Eset\Eset Online Scanner\OnlineScannerUninstaller.exe"
und drücke OK.



Schritt 5

Downloade dir bitte delfix auf deinen Desktop.
  • Schliesse alle offenen Programme.
  • Starte die delfix.exe mit einem Doppelklick.
  • Setze vor jede Funktion ein Häkchen.
  • Klicke auf Start.
  • DelFix entfernt u.a. alle von uns verwendeten Programme und löscht sich anschliessend selbst.
    Sollte denoch etwas übrig bleiben, kannst du es manuell löschen.




>> OK <<
Wir sind durch, deine Logs sehen für mich im Moment sauber aus. :daumenhoc

Ich habe dir nachfolgend ein paar Hinweise und Tipps zusammengestellt, die dazu beitragen sollen, dass du in Zukunft unsere Hilfe nicht mehr brauchen wirst.

Bitte gib mir danach noch eine kurze Rückmeldung, wenn auch von deiner Seite keine Probleme oder Fragen mehr offen sind, damit ich dieses Thema als erledigt betrachten kann.




Epilog: Tipps, Dos & Don'ts

Aktualität von System und Software

Das Betriebsystem Windows muss zwingend immer auf dem neusten Stand sein. Stelle sicher, dass die automatischen Updates aktiviert sind:
  • Windows XP: Start --> Systemsteuerung --> Doppelklick auf Automatische Updates
  • Windows Vista / 7: Start --> Systemsteuerung --> System und Sicherheit --> Automatische Updates aktivieren oder deaktivieren

Auch die installierte Software sollte immer in der aktuellsten Version vorliegen.
Speziell gilt das für den Browser, Java, Flash-Player und PDF-Reader, denn bekannte Sicherheitslücken in deren alten Versionen werden dazu ausgenutzt, um beim blossen Besuch einer präparierten Website per Drive-by Download Malware zu installieren. Das kann sogar auf normalerweise legitimen Websites geschehen, wenn es einem Angreifer gelungen ist, seinen Code in die Seite einzuschleusen, und ist deshalb relativ unberechenbar.
  • Mit diesem kleinen Plugin-Check kannst du regelmässig diese Komponenten auf deren Aktualität überprüfen.
  • Achte auch darauf, dass alte, nicht mehr verwendete Versionen deinstalliert sind.
  • Optional: Das Programm Secunia Personal Software Inspector kann dich dabei unterstützen, stets die aktuellen Versionen sämtlicher installierter Software zu nutzen.

Sicherheits-Software

Eine Bemerkung vorneweg: Jede Softwarelösung hat ihre Schwächen. Die gesamte Verantwortung für die Sicherheit auf Software zu übertragen und einen Rundum-Schutz zu erwarten, wäre eine gefährliche Illusion. Bei unbedachtem oder bewusst risikoreichem Verhalten wird auch das beste Programm früher oder später seinen Dienst versagen (z.B. ein Virenscanner, der eine verseuchte Datei nicht erkennt).
Trotzdem ist entsprechende Software natürlich wichtig und hilft dir in Kombination mit einem gut gewarteten (up-to-date) System und durchdachtem Verhalten, deinen Rechner sauber zu halten.
  • Nutze einen Virenscanner mit Hintergrundwächter mit stets aktueller Datenbank. Welches Produkt gewählt wird, spielt keine so entscheidende Rolle. Es gibt kommerzielle Versionen, aber ein kostenloser Scanner mit den Grundfunktionen wie beispielsweise Avast! Free Antivirus sollte ausreichen. Betreibe aber keinesfalls zwei Wächter parallel, die würden sich gegenseitig behindern.
  • Aktiviere eine Firewall. Die in Windows integrierte genügt im Normalfall völlig.
  • Zusätzlich zum Virenscanner kannst du dein System regelmässig mit einem On-Demand Antimalwareprogramm scannen. Empfehlenswert ist die Free-Version von Malwarebytes Anti-Malware. Vor jedem Scan die Datenbank updaten.
  • Optional: Das Programm Sandboxie führt Anwendungen in einer isolierten Umgebung ("Sandkasten") aus, so dass keine Änderungen am System vorgenommen werden können. Wenn du deinen Browser darin startest, vermindert sich die Chance, dass beim Surfen eingefangene Malware sich dauerhaft im System festsetzen kann.
  • Optional: Das Addon WOT (web of trust) warnt dich vor einer als schädlich gemeldeten Website, bevor sie geladen wird. Für verschiedene Browser erhältlich.

Es liegt in der Natur der Sache, dass die am weitesten verbreitete Anwendungs-Software auch am häufigsten von Malware-Autoren attackiert wird. Es kann daher bereits einen kleinen Sicherheitsgewinn darstellen, wenn man alternative Software (z.B. einen alternativen PDF Reader) benutzt.
Anstelle des Internet Explorers kann man beispielsweise den Mozilla Firefox einsetzen, für welchen es zwei nützliche Addons zur Empfehlung gibt:
  • NoScript verhindert standardmässig das Ausführen von aktiven Inhalten (Java, JavaScript, Flash, ..) für sämtliche Websites. Du kannst selber nach dem Prinzip einer Whitelist festlegen, welchen Seiten du vertrauen und Scripts erlauben willst, auch temporär.
  • Adblock Plus blockt die meisten Werbebanner weg. Solche Banner können nebst ihrer störenden Erscheinung auch als Infektionsherde fungieren.

(Un-)Sicheres Verhalten im Internet

Nebst unbemerkten Drive-by Installationen wird Malware aber auch oft mehr oder weniger aktiv vom Benutzer selbst installiert.

Der Besuch zwielichtiger Websites kann bereits Risiken bergen. Und Downloads aus dubiosen Quellen sind immer russisches Roulette. Auch wenn der Virenscanner im Moment darin keine Bedrohung erkennt, muss das nichts bedeuten.
  • Illegale Cracks, Keygens und Serials sind ein ausgesprochen einfacher (und ein beliebter) Weg, um Malware zu verbreiten.
  • Bei Dateien aus Peer-to-Peer- und Filesharingprogrammen oder von Filehostern kannst du dir nie sicher sein, ob auch wirklich drin ist, was drauf steht.

Oft wird auch versucht, den Benutzer mit mehr oder weniger trickreichen Methoden dazu zu bringen, eine für ihn verhängnisvolle Handlung selbst auszuführen (Überbegriff Social Engineering).
  • Surfe mit Vorsicht und lass dich nicht von irgendwie interessant erscheinenden Elementen zu einem vorschnellen Klick verleiten. Lass dich nicht von Popups täuschen, die aussehen wie System- oder Virenmeldungen.
  • Sei skeptisch bei unerwarteten E-Mails, insbesondere wenn sie Anhänge enthalten. Auch wenn sie auf den ersten Blick authentisch wirken, persönliche Daten von dir enthalten oder vermeintlich von einem bekannten Absender stammen: Lieber nochmals in Ruhe überdenken oder nachfragen, anstatt einfach mal Links oder ausführbare Anhänge öffnen oder irgendwo deine Daten eingeben.
  • Auch in sozialen Netzwerken oder über Instant Messaging Systeme können schädliche Links oder Dateien die Runde machen. Erhältst du von einem deiner Freunde eine Nachricht, die merkwürdig ist oder so sensationell interessant oder skandalös tönt, dass man einfach draufklicken muss, dann hat bei ihm/ihr wahrscheinlich Neugier über Verstand gesiegt und du solltest nicht denselben Fehler machen.
  • Lass die Dateiendungen anzeigen, so dass du dich nicht täuschen lässt, wenn eine ausführbare Datei über ein doppelte Dateiendung kaschiert wird, z.B. Nacktfoto.jpg.exe.

Nervige Adware (Werbung) und unnötige Toolbars werden auch meist durch den Benutzer selbst mitinstalliert.
  • Lade Software in erster Priorität immer direkt vom Hersteller herunter. Viele Softwareportale (z.B. Softonic) packen noch unnützes Zeug mit in die Installation. Alternativ dazu wähle ein sauberes Portal wie Filepony oder heise.
  • Wähle beim Installieren von Software immer die benutzerdefinierte Option und entferne den Haken bei allen optional angebotenen Toolbars oder sonstigen fürs Programm irrelevanten Ergänzungen.

Allgemeine Hinweise

Abschliessend noch ein paar grundsätzliche Bemerkungen:
  • Dein Benutzerkonto für den alltäglichen Gebrauch sollte nicht über Administratorenrechte verfügen. Nutze ein Konto mit eingeschränkten Rechten (Windows XP) bzw. aktiviere die Benutzerkontensteuerung (UAC) auf der höchsten Stufe (Windows Vista / 7).
  • Erstelle regelmässig Backups deiner Daten und Dokumente auf externen Datenträgern, bei wichtigen Dateien mindestens zweifach. Nicht nur ein Malwarebefall kann schmerzhaften Datenverlust nach sich ziehen sondern auch ein gewöhnlicher Festplattendefekt.
  • Die Autorun/Autoplay-Funktion stellt ein Risiko dar, denn sie ermöglicht es, dass beispielsweise beim Einstecken eines entsprechend infizierten USB-Sticks der Befall auf den Rechner überspringt. Überlege dir, ob du diese Funktion nicht besser deaktivieren möchtest.
  • Wähle deine Passwörter gemäss den gängigen Regeln, um besser gegen Brute-Force- und Wörterbuchattacken gewappnet zu sein. Benutze jedes deiner Passwörter nur einmal und ändere sie regelmässig.
  • Der Nutzen von Registry-Cleanern zur Performancesteigerung ist umstritten. Auf jeden Fall lässt sich damit grosser Schaden anrichten, wenn man nicht weiss, was man tut. Wir empfehlen deshalb, die Finger von der Registry zu lassen. Um von Zeit zu Zeit die temporären Dateien zu löschen, genügt TFC.

Wenn du möchtest, kannst du das Forum mit einer kleinen Spende unterstützen.
Es bleibt mir nur noch, dir unbeschwertes und sicheres Surfen zu wünschen und dass wir uns hier so bald nicht wiedersehen. ;)

Blitzeis 19.02.2013 16:35
So ich habe deine Tipps befolgt und habe keine Fragen mehr.
Vielen Dank & alles Gute!

aharonov 19.02.2013 16:43
Danke für die Rückmeldung.
Alles Gute auch dir.


Freut mich, dass wir helfen konnten. :abklatsch:

Dieses Thema scheint erledigt und wird aus meinen Abos gelöscht. Ich bekomme somit keine Benachrichtigung mehr über neue Antworten.
Solltest du das Thema erneut brauchen, schicke mir bitte eine PM und wir machen hier weiter.

Jeder andere bitte diese Anleitung lesen und einen eigenen Thread erstellen.


Alle Zeitangaben in WEZ +1. Es ist jetzt 00:33 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132