GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-02-08 13:44:17 Windows 5.1.2600 Service Pack 3 Running: mpf7h3hx.exe; Driver: C:\DOKUME~1\***\LOKALE~1\Temp\ugrcauog.sys ---- System - GMER 1.0.15 ---- SSDT F22A5B9E ZwCreateKey SSDT F22A5B94 ZwCreateThread SSDT F22A5BA3 ZwDeleteKey SSDT F22A5BAD ZwDeleteValueKey SSDT F22A5BB2 ZwLoadKey SSDT F22A5B80 ZwOpenProcess SSDT F22A5B85 ZwOpenThread SSDT F22A5BBC ZwReplaceKey SSDT F22A5BB7 ZwRestoreKey SSDT F22A5BA8 ZwSetValueKey SSDT F22A5B8F ZwTerminateProcess SSDT F22A5B8A ZwWriteVirtualMemory ---- Kernel code sections - GMER 1.0.15 ---- init C:\WINXP\system32\drivers\nvax.sys entry point in "init" section [0xF868EB8D] .text C:\WINXP\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7779360, 0x24BB1D, 0xE8000020] .text netbt.sys EBE67EA9 1 Byte [F8] PAGE mrxsmb.sys EBDE5D91 1 Byte [FE] .text win32k.sys!EngFreeUserMem + 311E BF80C369 1 Byte [FD] ---- User code sections - GMER 1.0.15 ---- .text H:\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe[264] ntdll.dll!memchr + 61 7C911CC1 1 Byte [FF] .text C:\WINXP\system32\RunDLL32.exe[296] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\RunDLL32.exe[296] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7D] .text C:\WINXP\system32\RunDLL32.exe[296] SHELL32.dll!SHCreateLocalServerRunDll + CA54 7E81B0E9 1 Byte [FE] .text C:\Programme\Java\jre6\bin\jusched.exe[348] ntdll.dll!strchr + 154 7C91E961 1 Byte [FF] .text C:\Programme\Java\jre6\bin\jusched.exe[348] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\Programme\Java\jre6\bin\jusched.exe[348] WININET.dll!FindFirstUrlCacheEntryExW + 5946 40909F09 1 Byte [76] .text C:\WINXP\system32\ctfmon.exe[392] msvcrt.dll!modf + 4301 77C24B61 1 Byte [BE] .text C:\WINXP\system32\ctfmon.exe[392] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FC] .text C:\WINXP\system32\ctfmon.exe[392] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] 
.text C:\WINXP\system32\ctfmon.exe[392] USER32.dll!CreateDialogIndirectParamAorW + 73E 7E376F49 1 Byte [FC] .text H:\Cisco Systems\cvpnd.exe[412] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text H:\Cisco Systems\cvpnd.exe[412] WININET.dll!FindFirstUrlCacheEntryExW + 5946 40909F09 1 Byte [76] .text C:\Programme\Java\jre6\bin\jqs.exe[476] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\Programme\Java\jre6\bin\jqs.exe[476] SHLWAPI.dll!PathUndecorateW + 796C 77F74881 1 Byte [FF] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[496] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FD] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[496] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE[496] msvcrt.dll!modf + 4371 77C24BD1 1 Byte [BF] .text C:\WINXP\system32\nvsvc32.exe[540] USER32.dll!IsCharLowerA + 5C0 7E38BE49 1 Byte [7F] .text C:\WINXP\system32\nvsvc32.exe[540] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FC] .text C:\WINXP\system32\nvsvc32.exe[540] ADVAPI32.dll!AbortSystemShutdownW + A806 77DD7C61 1 Byte [FD] .text C:\WINXP\system32\nvsvc32.exe[540] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\nvsvc32.exe[540] SHLWAPI.dll!wvnsprintfA + 87 77F48089 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[596] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\System32\smss.exe[688] ntdll.dll!RtlAcquireResourceExclusive + 59A 7C9460F1 1 Byte [37] .text C:\WINXP\system32\wuauclt.exe[780] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\wuauclt.exe[780] SHLWAPI.dll!PathUndecorateW + 6B74 77F73A89 1 Byte [FF] .text C:\WINXP\system32\csrss.exe[800] winsrv.dll!_UserTestTokenForInteractive + 5CE5 75B1A889 1 Byte [FC] .text C:\WINXP\system32\csrss.exe[800] 
winsrv.dll!_UserTestTokenForInteractive + 1CFA5 75B31B49 1 Byte [F3] .text C:\WINXP\system32\csrss.exe[800] USER32.dll!IsCharLowerA + 5C0 7E38BE49 1 Byte [7E] .text C:\WINXP\system32\csrss.exe[800] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\winlogon.exe[824] ntdll.dll!towlower + 613 7C939AE1 1 Byte [FE] .text C:\WINXP\system32\winlogon.exe[824] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\lsass.exe[880] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\lsass.exe[880] ole32.dll!StgConvertPropertyToVariant + 7726 775BDCF1 1 Byte [7C] .text C:\WINXP\system32\svchost.exe[1044] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1044] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 18AC3 7E70AA89 1 Byte [FC] .text C:\WINXP\System32\alg.exe[1148] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\System32\alg.exe[1148] SHELL32.dll!DAD_ShowDragImage + 2405 7E6C1AE9 1 Byte [7E] .text C:\WINXP\System32\alg.exe[1148] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 284E2 7E7AF111 1 Byte [FC] .text C:\WINXP\System32\alg.exe[1148] SHLWAPI.dll!wvnsprintfA + 87 77F48089 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1444] RPCRT4.dll!I_RpcBCacheAllocate + 1200 77E6CB41 1 Byte [B6] .text C:\WINXP\system32\svchost.exe[1444] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1444] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 1A9B 7E6F3A61 1 Byte [FE] .text C:\WINXP\System32\svchost.exe[1476] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\System32\svchost.exe[1476] USER32.dll!CreateIconFromResource + 25D 7E3A7391 1 Byte [FC] .text C:\WINXP\System32\svchost.exe[1476] SHELL32.dll!SHGetRealIDL + 2BC0 7E6EB9C1 1 Byte [77] .text C:\WINXP\System32\svchost.exe[1476] WININET.dll!RetrieveUrlCacheEntryStreamW + 3B3C 
408F6751 1 Byte [FE] .text C:\WINXP\System32\svchost.exe[1476] WININET.dll!FindFirstUrlCacheEntryExW + 5946 40909F09 1 Byte [76] .text C:\WINXP\System32\svchost.exe[1476] WININET.dll!UrlZonesDetach + 2247 40941B41 1 Byte [FF] .text C:\WINXP\system32\svchost.exe[1516] ADVAPI32.dll!ElfFlushEventLog + 1F68 77E0AAE9 1 Byte [FD] .text C:\WINXP\system32\svchost.exe[1516] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[1516] SHELL32.dll!DAD_ShowDragImage + 2405 7E6C1AE9 1 Byte [7E] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1688] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\Dokumente und Einstellungen\***\Desktop\mpf7h3hx.exe[1688] ole32.dll!CoWaitForMultipleHandles + 8C78 7752FDC9 1 Byte [FD] .text C:\WINXP\Explorer.EXE[1728] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\Explorer.EXE[1728] USER32.dll!IsCharLowerA + 5C0 7E38BE49 1 Byte [7E] .text C:\WINXP\Explorer.EXE[1728] NETAPI32.dll!NetServerEnumEx + 186 597E5429 1 Byte [7C] .text C:\WINXP\Explorer.EXE[1728] WININET.dll!FindFirstUrlCacheEntryExW + 5946 40909F09 1 Byte [76] .text C:\WINXP\Explorer.EXE[1728] WININET.dll!InternetConfirmZoneCrossing + A46B 409550C1 1 Byte [FE] .text C:\WINXP\system32\svchost.exe[1776] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] Secur32.dll!RevertSecurityContext + 4F6 77FC5A61 1 Byte [F6] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] msvcrt.dll!modf + 4301 77C24B61 1 Byte [BE] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!DAD_ShowDragImage + 2405 7E6C1AE9 1 Byte [7F] .text C:\Programme\Avira\AntiVir Desktop\sched.exe[1988] SHELL32.dll!CallCPLEntry16 + 31B57 7E807F81 1 Byte [BD] .text C:\WINXP\system32\svchost.exe[2028] 
RPCRT4.dll!I_RpcServerUseProtseq2A + 731 77E7BA49 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[2028] USER32.dll!CreateDialogIndirectParamAorW + 73E 7E376F49 1 Byte [FC] .text C:\WINXP\system32\svchost.exe[2028] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 18AC3 7E70AA89 1 Byte [FD] .text C:\WINXP\system32\svchost.exe[2028] WININET.dll!FindFirstUrlCacheEntryExW + 5946 40909F09 1 Byte [76] ---- User IAT/EAT - GMER 1.0.15 ---- IAT H:\Cisco Systems\cvpnd.exe[412] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EE2BC8] C:\WINXP\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC) IAT H:\Cisco Systems\cvpnd.exe[412] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00EE2CE9] C:\WINXP\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC) IAT H:\Cisco Systems\cvpnd.exe[412] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00EE2CB8] C:\WINXP\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft 
Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINXP\Explorer.EXE[1728] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF07774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Ftdisk 
\Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Services - GMER 1.0.15 ---- Service C:\WINXP\system32\spoolsv.exe (*** hidden *** ) [AUTO] Sqooler <-- ROOTKIT !!! Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [AUTO] suisvc <-- ROOTKIT !!! Service C:\WINXP\system32\svchost.exe (*** hidden *** ) [MANUAL] uqnphost <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x6B 0x51 0xBF ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0xF3 0xF3 0x66 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... 
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5B 0x15 0x23 0x84 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA1 0x9F 0xE9 0x6C ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x75 0xBE 0xFC 0x69 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x33 0xDB 0x81 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@Type 32 Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@Start 2 Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@DisplayName Systemwiederherstellungsdienst Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@DependOnService RpcSs? Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@DependOnGroup Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet001\Services\ssservice@Description Führt Systemwiederherstellungsfunktionen durch. Deaktivieren Sie "Systemwiederherstellung" auf der Systemwiederherstellungsregisterkarte in Arbeitsplatz->Eigenschaften, um den Dienst zu beenden. 
Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Parameters@ServiceDll C:\WINXP\system32\srsvc.dll Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Security (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\ssservice\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@DependOnService RPCSS? Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Description Lädt die Dateien in den Arbeitsspeicher, um sie später zu drucken. Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@DisplayName Druckwarteschlange Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Group SpoolerGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@ImagePath %SystemRoot%\system32\spoolsv.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler@Type 272 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Close PerfClose Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Collect PerfCollect Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Collect Timeout 2000 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Library winspool.drv Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Object List 1450 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Open PerfOpen Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@Open Timeout 4000 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapFileSignature 0xE1 0x2D 0x14 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapFileTime 0x00 0x00 0x90 0x89 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapFileSize 146944 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Performance@WbemAdapStatus 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\Sqooler\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x6B 0x51 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0xF3 0xF3 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5B 0x15 0x23 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA1 0x9F 0xE9 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x75 0xBE 0xFC 0x69 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x33 0xDB 0x81 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@ImagePath %SystemRoot%\system32\svchost.exe -k imgsvc Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@DisplayName Windows-Bilderfassung (WIA) Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@DependOnService RpcSs? Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@DependOnGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\suisvc@Description Bietet Bilderfassungsdienste für Scanner und Kameras. Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@ImagePath %SystemRoot%\system32\svchost.exe -k LocalService Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@DisplayName Universeller Plug & Play-Gerätehost Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@DependOnService SSDPSRV?HTTP? Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@DependOnGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@ObjectName NT AUTHORITY\LocalService Reg HKLM\SYSTEM\CurrentControlSet\Services\uqnphost@Description Ermöglicht es, den Computer als Host für universelle Plug & Play-Geräte einzurichten. 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x6B 0x51 0xBF ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0xF3 0xF3 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5B 0x15 0x23 0x84 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xA1 0x9F 0xE9 0x6C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x75 0xBE 0xFC 0x69 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x33 0xDB 0x81 0x00 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2171BC8913C5F5BD0BF18C3B9B1A1EE8@2171BC8913C5F5BD0BF18C3B9B\xee60Ç\xed5a 02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.94_x-ww_0dJ????@A?????????MZ???????????????????? Reg HKLM\SOFTWARE\Classes\Adobe.Illustrator.EPS\shell\oqen Reg HKLM\SOFTWARE\Classes\Adobe.Illustrator.EPS\shell\oqen@ Reg HKLM\SOFTWARE\Classes\Adobe.Illustrator.EPS\shell\oqen\command Reg HKLM\SOFTWARE\Classes\Adobe.Illustrator.EPS\shell\oqen\command@ "H:\AICS4\Adobe Illustrator CS4\Support Files\Contents\Windows\Illustrator.exe" "%1" ---- EOF - GMER 1.0.15 ----