GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-07 20:08:05
Windows 5.1.2600 Service Pack 3
Running: mpf7h3hx.exe; Driver: C:\DOKUME~1\***\LOKALE~1\Temp\ugrcauog.sys

---- System - GMER 1.0.15 ----

SSDT EC8EEDE6 ZwCreateKey
SSDT EC8EEDDC ZwCreateThread
SSDT EC8EEDEB ZwDeleteKey
SSDT EC8EEDF5 ZwDeleteValueKey
SSDT EC8EEDFA ZwLoadKey
SSDT EC8EEDC8 ZwOpenProcess
SSDT EC8EEDCD ZwOpenThread
SSDT EC8EEE04 ZwReplaceKey
SSDT EC8EEDFF ZwRestoreKey
SSDT EC8EEDF0 ZwSetValueKey
SSDT EC8EEDD7 ZwTerminateProcess
SSDT EC8EEDD2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 1D4 804E2830 1 Byte [FA]
.text ntoskrnl.exe!_abnormal_termination + 37C 804E29D8 1 Byte [FF]
PAGE ntoskrnl.exe!ZwRenameKey + 2B 8064E879 1 Byte [FD]
.text ACPI.sys F83E5B51 1 Byte [F9]
PAGE Ntfs.sys F82CB9E1 1 Byte [74]
init C:\WINXP\system32\drivers\nvax.sys entry point in "init" section [0xF867EB8D]
PAGE ks.sys!KsFreeDeviceHeader + 1470 F7A66B79 1 Byte [7C]
.text C:\WINXP\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7686360, 0x24BB1D, 0xE8000020]
PAGE mrxsmb.sys EC2EC559 1 Byte [FC]
.text win32k.sys!XLATEOBJ_iXlate + 227F BF8635C9 1 Byte [FF]
.text win32k.sys!EngStretchBlt + 891D BF86DC39 1 Byte [70]
PAGE srv.sys EB862BF9 1 Byte [FB]

---- User code sections - GMER 1.0.15 ----

.text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] kernel32.dll!lstrcmpW + 19D 7C80AC09 1 Byte [F9]
.text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] kernel32.dll!FoldStringA + 80 7C877071 1 Byte [F4]
.text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] RPCRT4.dll!RpcMgmtSetAuthorizationFn + 4E23 77EA6FE1 1 Byte [F7]
.text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE]
.text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FF]
.text H:\Dassault
Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[240] USER32.dll!DdeInitializeA + 133 7E3AAA29 1 Byte [FC] .text C:\WINXP\system32\RunDLL32.exe[264] ntdll.dll!RtlAcquireResourceExclusive + 59A 7C9460F1 1 Byte [37] .text C:\WINXP\system32\RunDLL32.exe[264] kernel32.dll!CreateFileW + 1D9 7C8109D9 1 Byte [70] .text C:\WINXP\system32\RunDLL32.exe[264] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\RunDLL32.exe[264] msvcrt.dll!modf + 4301 77C24B61 1 Byte [BE] .text C:\WINXP\system32\RunDLL32.exe[264] USER32.dll!CreateDialogIndirectParamAorW + 6A6 7E376EB1 1 Byte [7F] .text C:\WINXP\system32\RunDLL32.exe[264] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\RunDLL32.exe[264] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\RunDLL32.exe[264] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text C:\WINXP\system32\RunDLL32.exe[264] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\RunDLL32.exe[264] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F5] .text C:\WINXP\system32\RunDLL32.exe[264] ole32.dll!CoWaitForMultipleHandles + 68D0 7752DA21 1 Byte [B5] .text C:\WINXP\system32\RunDLL32.exe[264] ole32.dll!OleRegEnumFormatEtc + 37B 775A4881 1 Byte [FE] .text C:\WINXP\system32\RunDLL32.exe[264] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\RunDLL32.exe[264] SHELL32.dll!SHGetDiskFreeSpaceExW + ED0 7E6AAA61 1 Byte [7F] .text C:\WINXP\system32\RunDLL32.exe[264] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7E] .text C:\WINXP\system32\RunDLL32.exe[264] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text 
C:\WINXP\system32\RunDLL32.exe[264] SHELL32.dll!CDefFolderMenu_Create2 + 6722 7E7509F1 1 Byte [7E] .text C:\WINXP\system32\RunDLL32.exe[264] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 284E2 7E7AF111 1 Byte [FD] .text C:\WINXP\system32\RunDLL32.exe[264] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\Programme\Java\jre6\bin\jusched.exe[280] ntdll.dll!RtlReAllocateHeap + 839 7C929CE9 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jusched.exe[280] ntdll.dll!RtlSelfRelativeToAbsoluteSD + 1B8 7C93D209 1 Byte [70] .text C:\Programme\Java\jre6\bin\jusched.exe[280] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FC] .text C:\Programme\Java\jre6\bin\jusched.exe[280] RPCRT4.dll!RpcMgmtSetAuthorizationFn + 4E23 77EA6FE1 1 Byte [F6] .text C:\Programme\Java\jre6\bin\jusched.exe[280] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jusched.exe[280] USER32.dll!UpdatePerUserSystemParameters + E1 7E371AA9 1 Byte [FC] .text C:\Programme\Java\jre6\bin\jusched.exe[280] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jusched.exe[280] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\Programme\Java\jre6\bin\jusched.exe[280] USER32.dll!DdeInitializeA + 133 7E3AAA29 1 Byte [FD] .text C:\Programme\Java\jre6\bin\jusched.exe[280] WININET.dll!InternetSetOptionW + 8B9 408C3D39 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jusched.exe[280] WININET.dll!FindFirstUrlCacheEntryExW + 5946 40909F09 1 Byte [76] .text C:\Programme\Java\jre6\bin\jusched.exe[280] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FF] .text C:\Programme\Java\jre6\bin\jusched.exe[280] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F4] .text C:\Programme\Java\jre6\bin\jusched.exe[280] ole32.dll!StgOpenStorageEx + 1AB9 77520839 1 Byte [FF] .text C:\Programme\Java\jre6\bin\jusched.exe[280] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7E] .text 
C:\Programme\Java\jre6\bin\jusched.exe[280] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\Programme\Java\jre6\bin\jusched.exe[280] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\Programme\Java\jre6\bin\jusched.exe[280] SHELL32.dll!SHCreateLocalServerRunDll + CB5C 7E81B1F1 1 Byte [7E] .text C:\Programme\Java\jre6\bin\jusched.exe[280] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\ctfmon.exe[316] kernel32.dll!ValidateLocale + 2F1 7C839B19 1 Byte [FE] .text C:\WINXP\system32\ctfmon.exe[316] kernel32.dll!BaseCleanupAppcompatCacheSupport + 16EF 7C86E6B9 1 Byte [70] .text C:\WINXP\system32\ctfmon.exe[316] msvcrt.dll!wscanf + 34BB 77C15781 1 Byte [FF] .text C:\WINXP\system32\ctfmon.exe[316] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\ctfmon.exe[316] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\ctfmon.exe[316] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\ctfmon.exe[316] ole32.dll!CoWaitForMultipleHandles + 18608 7753F759 1 Byte [FF] .text C:\WINXP\system32\ctfmon.exe[316] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7C] .text C:\WINXP\system32\ctfmon.exe[316] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\ctfmon.exe[316] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\ctfmon.exe[316] SHELL32.dll!CallCPLEntry16 + F62F 7E7E5A59 1 Byte [77] .text C:\WINXP\system32\ctfmon.exe[316] SHELL32.dll!SHCreateLocalServerRunDll + CB5C 7E81B1F1 1 Byte [7F] .text C:\WINXP\system32\ctfmon.exe[316] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text H:\Cisco Systems\cvpnd.exe[380] ntdll.dll!RtlRemoveVectoredExceptionHandler + 37A 7C947061 1 Byte [FC] .text H:\Cisco Systems\cvpnd.exe[380] kernel32.dll!CreateFileW + 1D9 7C8109D9 1 Byte [70] .text H:\Cisco Systems\cvpnd.exe[380] 
ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FC] .text H:\Cisco Systems\cvpnd.exe[380] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text H:\Cisco Systems\cvpnd.exe[380] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text H:\Cisco Systems\cvpnd.exe[380] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text H:\Cisco Systems\cvpnd.exe[380] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text H:\Cisco Systems\cvpnd.exe[380] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text H:\Cisco Systems\cvpnd.exe[380] WININET.dll!InternetSetOptionW + 8B9 408C3D39 1 Byte [FE] .text H:\Cisco Systems\cvpnd.exe[380] WININET.dll!FindFirstUrlCacheEntryExW + B07E 4090F641 1 Byte [FD] .text H:\Cisco Systems\cvpnd.exe[380] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F4] .text H:\Cisco Systems\cvpnd.exe[380] ole32.dll!CoWaitForMultipleHandles + 17D88 7753EED9 1 Byte [FF] .text H:\Cisco Systems\cvpnd.exe[380] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7C] .text H:\Cisco Systems\cvpnd.exe[380] ole32.dll!DoDragDrop + D84 775A18F1 1 Byte [F9] .text H:\Cisco Systems\cvpnd.exe[380] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\Programme\Java\jre6\bin\jqs.exe[432] kernel32.dll!ValidateLocale + 2F1 7C839B19 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jqs.exe[432] ADVAPI32.dll!CredReadDomainCredentialsW + 80 77DE8499 1 Byte [FD] .text C:\Programme\Java\jre6\bin\jqs.exe[432] RPCRT4.dll!RpcSsContextLockExclusive + 5A8 77E811E9 1 Byte [FD] .text C:\Programme\Java\jre6\bin\jqs.exe[432] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jqs.exe[432] msvcrt.dll!_Gettnames + 82A 77C18DF1 1 Byte [36] .text C:\Programme\Java\jre6\bin\jqs.exe[432] msvcrt.dll!modf + 4301 77C24B61 1 Byte [BF] .text C:\Programme\Java\jre6\bin\jqs.exe[432] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7C] .text C:\Programme\Java\jre6\bin\jqs.exe[432] 
ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\Programme\Java\jre6\bin\jqs.exe[432] GDI32.dll!PlayMetaFile + 6E3 77F157E1 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jqs.exe[432] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jqs.exe[432] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\Programme\Java\jre6\bin\jqs.exe[432] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 14D13 7E706CD9 1 Byte [7E] .text C:\Programme\Java\jre6\bin\jqs.exe[432] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\Programme\Java\jre6\bin\jqs.exe[432] SHELL32.dll!SHCreateLocalServerRunDll + 517C 7E813811 1 Byte [7E] .text C:\Programme\Java\jre6\bin\jqs.exe[432] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\Programme\Java\jre6\bin\jqs.exe[432] SHELL32.dll!StrStrW + 163E9 7E862FA1 1 Byte [F7] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] ADVAPI32.dll!CryptSetProviderExA + 248 77DE2571 1 Byte [FF] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7D] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FC] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] SHELL32.dll!SHCreateShellFolderView + 17DF 
7E6B2059 1 Byte [7E] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[452] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 434C2 7E7CA0F1 1 Byte [77] .text C:\WINXP\system32\nvsvc32.exe[484] kernel32.dll!ValidateLocale + 2F1 7C839B19 1 Byte [FF] .text C:\WINXP\system32\nvsvc32.exe[484] kernel32.dll!BaseCleanupAppcompatCacheSupport + 16EF 7C86E6B9 1 Byte [70] .text C:\WINXP\system32\nvsvc32.exe[484] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\nvsvc32.exe[484] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\nvsvc32.exe[484] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\nvsvc32.exe[484] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\nvsvc32.exe[484] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F4] .text C:\WINXP\system32\nvsvc32.exe[484] ole32.dll!CoGetPSClsid + 3A89 774ED279 1 Byte [FE] .text C:\WINXP\system32\nvsvc32.exe[484] ole32.dll!StgOpenStorageEx + 1AB9 77520839 1 Byte [FF] .text C:\WINXP\system32\nvsvc32.exe[484] CRYPT32.dll!CryptSignAndEncryptMessage + 26D 77A95691 1 Byte [37] .text C:\WINXP\system32\svchost.exe[536] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[536] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[536] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\svchost.exe[536] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F5] .text C:\WINXP\system32\svchost.exe[536] ole32.dll!CoGetPSClsid + 3A89 774ED279 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[536] 
ole32.dll!StgOpenStorageEx + 1AB9 77520839 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[536] ole32.dll!CoWaitForMultipleHandles + 17D88 7753EED9 1 Byte [FF] .text C:\WINXP\system32\svchost.exe[536] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\svchost.exe[536] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\WINXP\system32\svchost.exe[536] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[536] msvcrt.dll!wscanf + 34BB 77C15781 1 Byte [FF] .text C:\WINXP\system32\svchost.exe[536] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 10DB3 7E702D79 1 Byte [B4] .text C:\WINXP\system32\svchost.exe[536] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[536] SHELL32.dll!CDefFolderMenu_Create2 + 6722 7E7509F1 1 Byte [7F] .text C:\WINXP\system32\svchost.exe[536] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\svchost.exe[536] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 434C2 7E7CA0F1 1 Byte [77] .text C:\WINXP\system32\svchost.exe[536] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\wuauclt.exe[636] kernel32.dll!ValidateLocale + 2F1 7C839B19 1 Byte [FF] .text C:\WINXP\system32\wuauclt.exe[636] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\wuauclt.exe[636] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FE] .text C:\WINXP\system32\wuauclt.exe[636] ole32.dll!CoGetPSClsid + 3A89 774ED279 1 Byte [FF] .text C:\WINXP\system32\wuauclt.exe[636] ole32.dll!CoWaitForMultipleHandles + 18608 7753F759 1 Byte [FF] .text C:\WINXP\system32\wuauclt.exe[636] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\wuauclt.exe[636] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\wuauclt.exe[636] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\wuauclt.exe[636] 
USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\wuauclt.exe[636] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7E] .text C:\WINXP\system32\wuauclt.exe[636] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\wuauclt.exe[636] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\wuauclt.exe[636] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 284E2 7E7AF111 1 Byte [FC] .text C:\WINXP\system32\csrss.exe[800] winsrv.dll!_UserTestTokenForInteractive + 4075 75B18C19 1 Byte [FF] .text C:\WINXP\system32\csrss.exe[800] KERNEL32.dll!GetCurrencyFormatW + 1E57 7C87E661 1 Byte [BF] .text C:\WINXP\system32\csrss.exe[800] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\csrss.exe[800] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\csrss.exe[800] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FC] .text C:\WINXP\system32\csrss.exe[800] RPCRT4.dll!NdrCreateServerInterfaceFromStub + F3A 77EAA319 1 Byte [77] .text C:\WINXP\system32\csrss.exe[800] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] ntdll.dll!wcstombs + 2B80 7C984D09 1 Byte [F4] .text C:\WINXP\system32\winlogon.exe[824] kernel32.dll!GetDiskFreeSpaceA + 2C 7C830321 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] msvcrt.dll!modf + 4301 77C24B61 1 Byte [BE] .text C:\WINXP\system32\winlogon.exe[824] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\winlogon.exe[824] USERENV.dll!RsopSetPolicySettingStatus + 440 766B0151 1 Byte [FE] 
.text C:\WINXP\system32\winlogon.exe[824] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\winlogon.exe[824] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\winlogon.exe[824] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F4] .text C:\WINXP\system32\winlogon.exe[824] ole32.dll!StgOpenStorageEx + 1AB9 77520839 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] ole32.dll!CoWaitForMultipleHandles + 68D0 7752DA21 1 Byte [B5] .text C:\WINXP\system32\winlogon.exe[824] ole32.dll!DoDragDrop + D84 775A18F1 1 Byte [F9] .text C:\WINXP\system32\winlogon.exe[824] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\services.exe[868] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\services.exe[868] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\services.exe[868] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\services.exe[868] USERENV.dll!UnregisterGPNotification + AA1D 766442B1 1 Byte [FC] .text C:\WINXP\system32\lsass.exe[880] ntdll.dll!strchr + 154 7C91E961 1 Byte [FF] .text C:\WINXP\system32\lsass.exe[880] ntdll.dll!towlower + 613 7C939AE1 1 Byte [FE] .text C:\WINXP\system32\lsass.exe[880] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\lsass.exe[880] LSASRV.dll!LsarLookupPrivilegeValue + 8C2 753FDDB9 1 Byte [FE] .text C:\WINXP\system32\lsass.exe[880] LSASRV.dll!LsaIDsNotifiedObjectChange + B58 754314D1 1 Byte [75] .text C:\WINXP\system32\lsass.exe[880] LSASRV.dll!LsaIQueryForestTrustInfo + 379 75436979 1 Byte [7C] .text C:\WINXP\system32\lsass.exe[880] LSASRV.dll!LsaICryptUnprotectData + C228 754692F9 1 Byte [FE] .text C:\WINXP\system32\lsass.exe[880] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\lsass.exe[880] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text 
C:\WINXP\system32\lsass.exe[880] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text C:\WINXP\system32\lsass.exe[880] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\lsass.exe[880] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7D] .text C:\WINXP\system32\lsass.exe[880] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\lsass.exe[880] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\WINXP\system32\lsass.exe[880] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 10DB3 7E702D79 1 Byte [B4] .text C:\WINXP\system32\lsass.exe[880] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 14D13 7E706CD9 1 Byte [7E] .text C:\WINXP\system32\lsass.exe[880] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1044] kernel32.dll!ValidateLocale + 2F1 7C839B19 1 Byte [FF] .text C:\WINXP\system32\svchost.exe[1044] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FD] .text C:\WINXP\system32\svchost.exe[1044] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1044] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1044] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\svchost.exe[1044] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1044] ole32.dll!StgOpenStorageEx + 1AB9 77520839 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1044] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\WINXP\system32\svchost.exe[1044] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1044] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7F] .text C:\WINXP\system32\svchost.exe[1044] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1044] SHELL32.dll!SHGetInstanceExplorer 
+ 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\svchost.exe[1044] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\System32\alg.exe[1120] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\System32\alg.exe[1120] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FF] .text C:\WINXP\System32\alg.exe[1120] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\System32\alg.exe[1120] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\System32\alg.exe[1120] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text C:\WINXP\System32\alg.exe[1120] RPCRT4.dll!NdrServerMarshall + 12A0 77EBAC31 1 Byte [FD] .text C:\WINXP\System32\alg.exe[1120] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\System32\alg.exe[1120] ole32.dll!CoGetPSClsid + 3A89 774ED279 1 Byte [FE] .text C:\WINXP\System32\alg.exe[1120] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\System32\alg.exe[1120] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\System32\alg.exe[1120] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\System32\alg.exe[1120] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1476] ntdll.dll!wcstombs + 2B80 7C984D09 1 Byte [F5] .text C:\WINXP\system32\svchost.exe[1476] RPCRT4.dll!RpcMgmtSetAuthorizationFn + 4E23 77EA6FE1 1 Byte [F7] .text C:\WINXP\system32\svchost.exe[1476] RPCRT4.dll!NdrCreateServerInterfaceFromStub + F3A 77EAA319 1 Byte [77] .text C:\WINXP\system32\svchost.exe[1476] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1476] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1476] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\svchost.exe[1476] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FC] .text 
C:\WINXP\system32\svchost.exe[1476] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7C] .text C:\WINXP\system32\svchost.exe[1476] ole32.dll!StgConvertPropertyToVariant + 68F6 775BCEC1 1 Byte [7D] .text C:\WINXP\system32\svchost.exe[1476] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1476] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7F] .text C:\WINXP\system32\svchost.exe[1476] SHELL32.dll!DAD_ShowDragImage + 2405 7E6C1AE9 1 Byte [7F] .text C:\WINXP\system32\svchost.exe[1476] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1476] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\svchost.exe[1476] SHELL32.dll!SHCreateLocalServerRunDll + 517C 7E813811 1 Byte [7F] .text C:\WINXP\system32\svchost.exe[1476] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1476] SHLWAPI.dll!wvnsprintfA + 87 77F48089 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1476] USERENV.dll!UnregisterGPNotification + AA1D 766442B1 1 Byte [FD] .text C:\WINXP\System32\svchost.exe[1508] RPCRT4.dll!NdrCreateServerInterfaceFromStub + F3A 77EAA319 1 Byte [77] .text C:\WINXP\System32\svchost.exe[1508] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\System32\svchost.exe[1508] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\System32\svchost.exe[1508] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\System32\svchost.exe[1508] GDI32.dll!EnumMetaFile + 1C6 77F05D21 1 Byte [FC] .text C:\WINXP\System32\svchost.exe[1508] ole32.dll!CoWaitForMultipleHandles + 18608 7753F759 1 Byte [FF] .text C:\WINXP\System32\svchost.exe[1508] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\System32\svchost.exe[1508] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\System32\svchost.exe[1508] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FF] 
.text C:\WINXP\System32\svchost.exe[1508] SHELL32.dll!PathProcessCommand + 28A6 7E6C7779 1 Byte [7D] .text C:\WINXP\System32\svchost.exe[1508] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\System32\svchost.exe[1508] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\System32\svchost.exe[1508] SHELL32.dll!SHCreateLocalServerRunDll + 517C 7E813811 1 Byte [7E] .text C:\WINXP\System32\svchost.exe[1508] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\System32\svchost.exe[1508] WININET.dll!InternetSetOptionW + 8B9 408C3D39 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1584] ADVAPI32.dll!WmiMofEnumerateResourcesA + 5E25 77E02B21 1 Byte [F4] .text C:\WINXP\system32\svchost.exe[1584] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1584] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1584] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\svchost.exe[1584] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F5] .text C:\WINXP\system32\svchost.exe[1584] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7D] .text C:\WINXP\system32\svchost.exe[1584] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1584] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FF] .text C:\WINXP\system32\svchost.exe[1584] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1584] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1584] SHELL32.dll!CDefFolderMenu_Create2 + 6722 7E7509F1 1 Byte [7F] .text C:\WINXP\system32\svchost.exe[1584] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\svchost.exe[1584] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1632] 
RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1632] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1632] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1632] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FC] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1632] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] ntdll.dll!RtlAcquireResourceExclusive + 59A 7C9460F1 1 Byte [37] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] ntdll.dll!_splitpath + C1 7C981A81 1 Byte [FD] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] msvcrt.dll!wscanf + 34BB 77C15781 1 Byte [FF] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] msvcrt.dll!_gmtime64 + D6 77C19819 1 Byte [FE] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F4] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] ole32.dll!CoWaitForMultipleHandles + 17D88 7753EED9 1 Byte [FE] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] SHELL32.dll!SHCreateLocalServerRunDll + 517C 7E813811 1 Byte [7E] .text C:\WINXP\system32\wbem\wmiprvse.exe[1692] 
SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\Explorer.EXE[1724] Explorer.EXE 01031611 1 Byte [77] .text C:\WINXP\Explorer.EXE[1724] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FC] .text C:\WINXP\Explorer.EXE[1724] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\Explorer.EXE[1724] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\Explorer.EXE[1724] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\Explorer.EXE[1724] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text C:\WINXP\Explorer.EXE[1724] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\Explorer.EXE[1724] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F5] .text C:\WINXP\Explorer.EXE[1724] ole32.dll!CoQueryAuthenticationServices + 3DC 77556029 1 Byte [7C] .text C:\WINXP\Explorer.EXE[1724] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\Explorer.EXE[1724] WININET.dll!InternetSetOptionW + 8B9 408C3D39 1 Byte [FE] .text C:\WINXP\Explorer.EXE[1724] SHELL32.dll!DllGetClassObject + 11B8 7E6A3A61 1 Byte [77] .text C:\WINXP\Explorer.EXE[1724] SHELL32.dll!SHCreateShellFolderView + 17DF 7E6B2059 1 Byte [7E] .text C:\WINXP\Explorer.EXE[1724] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\Explorer.EXE[1724] SHELL32.dll!SHGetInstanceExplorer + 76F 7E774901 1 Byte [7E] .text C:\WINXP\Explorer.EXE[1724] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1812] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1812] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1812] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\svchost.exe[1812] ole32.dll!CoMarshalInterface + 2580 774E0FF1 1 Byte [F5] .text C:\WINXP\system32\svchost.exe[1812] ole32.dll!OleRegEnumFormatEtc + 
3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\svchost.exe[1812] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\WINXP\system32\svchost.exe[1812] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1812] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1812] SHELL32.dll!CDefFolderMenu_Create2 + 6722 7E7509F1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[1812] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\svchost.exe[1812] SHELL32.dll!SHPropStgCreate + 12E 7E7847E1 1 Byte [F4] .text C:\WINXP\system32\svchost.exe[1812] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] ntdll.dll!RtlAcquireResourceExclusive + 59A 7C9460F1 1 Byte [36] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] ntdll.dll!wcstombs + 1618 7C9837A1 1 Byte [FE] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!DllGetClassObject + 11B8 7E6A3A61 1 Byte [77] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!CDefFolderMenu_Create2 + 6722 7E7509F1 1 Byte [7E] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] 
.text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 1AC6A 7E7A1899 1 Byte [36] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[2028] ntdll.dll!wcstombs + 8CC8 7C98AE51 1 Byte [FA] .text C:\WINXP\system32\svchost.exe[2028] RPCRT4.dll!NdrServerMarshall + 84E8 77EC1E79 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[2028] USER32.dll!DeregisterShellHookWindow + 6281 7E396541 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[2028] USER32.dll!DeregisterShellHookWindow + EAE1 7E39EDA1 1 Byte [70] .text C:\WINXP\system32\svchost.exe[2028] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FD] .text C:\WINXP\system32\svchost.exe[2028] ole32.dll!CoPopServiceDomain + 88 7755CCB9 1 Byte [7C] .text C:\WINXP\system32\svchost.exe[2028] ole32.dll!OleRegEnumFormatEtc + 3B93 775A8099 1 Byte [3E] .text C:\WINXP\system32\svchost.exe[2028] msvcrt.dll!wscanf + 2213 77C144D9 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[2028] msvcrt.dll!modf + 4301 77C24B61 1 Byte [BF] .text C:\WINXP\system32\svchost.exe[2028] SHELL32.dll!PathProcessCommand + A26 7E6C58F9 1 Byte [FD] .text C:\WINXP\system32\svchost.exe[2028] SHELL32.dll!SHCreateDirectoryExA + 1755 7E71C0D1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[2028] SHELL32.dll!CDefFolderMenu_Create2 + 6722 7E7509F1 1 Byte [7E] .text C:\WINXP\system32\svchost.exe[2028] SHELL32.dll!SHGetInstanceExplorer + 2D47 7E776ED9 1 Byte [74] .text C:\WINXP\system32\svchost.exe[2028] SHELL32.dll!StrStrW + 1FC1 7E84EB79 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[2028] USERENV.dll!UnregisterGPNotification + AA1D 766442B1 1 Byte [FD] .text C:\WINXP\system32\svchost.exe[2028] WININET.dll!InternetSetOptionW + 8B9 408C3D39 1 Byte [FE] ---- User IAT/EAT - GMER 1.0.15 ---- IAT H:\Cisco Systems\cvpnd.exe[380] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EE2BC8] C:\WINXP\system32\VSINIT.dll 
(TrueVector Service/Zone Labs, LLC) IAT H:\Cisco Systems\cvpnd.exe[380] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00EE2CE9] C:\WINXP\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC) IAT H:\Cisco Systems\cvpnd.exe[380] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00EE2CB8] C:\WINXP\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ 
C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1724] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter 
Manager/Microsoft Corporation) ---- Services - GMER 1.0.15 ---- Service C:\WINXP\system32\spoolsv.exe (*** hidden *** ) [AUTO] Sqooler <-- ROOTKIT !!! Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] suisvc <-- ROOTKIT !!! Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [MANUAL] uqnphost <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x6B 0x51 0xBF ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0xF3 0xF3 0x66 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5B 0x15 0x23 0x84 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA1 0x9F 0xE9 0x6C ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x75 0xBE 0xFC 0x69 ... 
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x33 0xDB 0x81 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@Type 32 Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@Start 2 Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@DisplayName Systemwiederherstellungsdienst Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@DependOnService RpcSs? Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@DependOnGroup Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@Description Führt Systemwiederherstellungsfunktionen durch. Deaktivieren Sie "Systemwiederherstellung" auf der Systemwiederherstellungsregisterkarte in Arbeitsplatz->Eigenschaften, um den Dienst zu beenden. Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Parameters@ServiceDll C:\WINXP\system32\srsvc.dll Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Security (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@DependOnService RPCSS? Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Description Lädt die Dateien in den Arbeitsspeicher, um sie später zu drucken. 
Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@DisplayName Druckwarteschlange Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Group SpoolerGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@ImagePath %SystemRoot%\system32\spoolsv.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Type 272 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Close PerfClose Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Collect PerfCollect Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Collect Timeout 2000 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Library winspool.drv Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Object List 1450 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Open PerfOpen Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Open Timeout 4000 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapFileSignature 0xE1 0x2D 0x14 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapFileTime 0x00 0x00 0x90 0x89 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapFileSize 146944 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapStatus 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Security@Security 0x01 0x00 0x14 0x80 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x6B 0x51 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0xF3 0xF3 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5B 0x15 0x23 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA1 0x9F 0xE9 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x75 0xBE 0xFC 0x69 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x33 0xDB 0x81 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@ImagePath %SystemRoot%\system32\svchost.exe -k imgsvc Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@DisplayName Windows-Bilderfassung (WIA) Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@DependOnService RpcSs? Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@DependOnGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@Description Bietet Bilderfassungsdienste für Scanner und Kameras. Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@ImagePath %SystemRoot%\system32\svchost.exe -k LocalService Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@DisplayName Universeller Plug & Play-Gerätehost Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@DependOnService SSDPSRV?HTTP? Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@DependOnGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@ObjectName NT AUTHORITY\LocalService Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@Description Ermöglicht es, den Computer als Host für universelle Plug & Play-Geräte einzurichten. Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x6B 0x51 0xBF ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0xF3 0xF3 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5B 0x15 0x23 0x84 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA1 0x9F 0xE9 0x6C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x75 0xBE 0xFC 0x69 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x33 0xDB 0x81 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2171BC8913C5F5BD0BF18C3B9B1A1EE8@2171BC8913C5F5BD0BF18C3B9B\xee60Ç\xed5a 02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.94_x-ww_0dJ????@A?????????MZ???????????????????? ---- EOF - GMER 1.0.15 ----