Log analysis and evaluation: Malware infection "page has moved, redirecting...", ad pop-ups in Firefox, Windows 7

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To remove viruses and Trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
Malware infection "page has moved, redirecting...", ad pop-ups in Firefox

Hello dear Trojaner-Board team. This is the first time that I am not glad to be visiting (having to visit) a forum again. That is, I have been here before; back then I was helped very competently. First, here is the link to the old thread: http://www.trojaner-board.de/130341-...g-firefox.html

I have the same problem again. When I click on any link, at irregular intervals the message "document has moved, redirecting..." appears and then takes me to some page, but not the one I wanted.

In addition, I still cannot select the search text on Google. Quote from the old thread, slightly revised: "When I type something into Google and then want to select it, it simply does not work. The cursor just stays behind the typed text. Not only does selecting not work, the position of the cursor itself cannot be changed by mouse click. With the Home key or the arrow keys, however, the cursor position can be changed. I hope that was reasonably understandable."

Whether this infection was really resolved back then and a new infection has now occurred, or whether it was actually never properly gone, I do not know. The symptoms, however, had disappeared for a short time.

Recently I have had another problem: when I open any page in the browser, an ad appears at the bottom left. I can simply close it with the [x], but over time it is very annoying. Only on google.de and facebook.de does this not happen. In the village with very slow internet I could see that at the bottom left of the browser the address imgads.night-hawk.net loads for a very long time before the ad appears.

Much more rarely, instead of the ad at the bottom left, an ad appears at the bottom center that simply takes the title of the page being visited and then asks: "looking for 'page title'". This one can also simply be closed with the [x]. I have saved both phenomena as screenshots in the attachment.

I am also being plagued by Smart Suggestor. Throughout the browser, words are apparently randomly linked to some ads. It cannot be found in the add-ons, and every other way to uninstall/delete it failed.

EDIT: OTL somehow only produced OTL.txt; Extras.txt is unfortunately missing. Here are the logs:

Code:
OTL logfile created on: 10.04.2013 00:20:43 - Run 4 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Steini\Desktop 64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 7,90 Gb Total Physical Memory | 4,22 Gb Available Physical Memory | 53,45% Memory free 15,80 Gb Paging File | 11,79 Gb Available in Paging File | 74,64% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 909,03 Gb Total Space | 636,85 Gb Free Space | 70,06% Space Free | Partition Type: NTFS Drive D: | 22,19 Gb Total Space | 2,36 Gb Free Space | 10,63% Space Free | Partition Type: NTFS Drive F: | 7,14 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS Drive G: | 3,73 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS Drive I: | 15,35 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS Drive J: | 13,94 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS Computer Name: HP-STEINI | User Name: Steini | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - File not found PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe (Adobe Systems, Inc.) 
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Users\Steini\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Windows\SysWOW64\PnkBstrA.exe () PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) PRC - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe () PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation) PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Intel Corporation) PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe () PRC - C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe (HP) PRC - C:\Program Files (x86)\HP SimplePass\TouchControl.exe (AuthenTec Inc.) PRC - C:\Program Files (x86)\HP SimplePass\BioMonitor.exe (HP) PRC - C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation) PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) PRC - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (Hewlett-Packard Development Company, L.P.) PRC - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (Hewlett-Packard Development Company, L.P.) PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) PRC - C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe (Hewlett-Packard Development Company, L.P.) 
PRC - C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe (Hewlett-Packard Development Company, L.P.) PRC - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe (Symantec Corporation) PRC - C:\Windows\SysWOW64\ezSharedSvcHost.exe (EasyBits Software AS) PRC - C:\Windows\SysWOW64\ezSharedSvcHost.exe (EasyBits Software AS) PRC - C:\Windows\SysWOW64\ezSharedSvcHost.exe (EasyBits Software AS) PRC - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe () ========== Modules (No Company Name) ========== MOD - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll () MOD - C:\Program Files (x86)\DivX\DivX Update\DivXUpdateCheck.dll () MOD - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe () MOD - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe () ========== Services (SafeList) ========== SRV:64bit: - (hpsrv) -- C:\Windows\SysNative\hpservice.exe (Hewlett-Packard Company) SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation) SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe () SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) SRV - (HP Support Assistant Service) -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe (Hewlett-Packard Company) SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies) SRV - (EPSON_PM_RPCV4_04) -- C:\Programme\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE (SEIKO EPSON CORPORATION) SRV - (nvUpdatusService) -- C:\Program Files 
(x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) SRV - (cphs) -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe (Intel Corporation) SRV - (STacSV) -- C:\Programme\IDT\WDM\stacsv64.exe (IDT, Inc.) SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation) SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) SRV - (jhi_service) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Intel Corporation) SRV - (Intel(R) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe () SRV - (FPLService) -- C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe (HP) SRV - (TrueService) -- C:\Programme\Common Files\AuthenTec\TrueService.exe (AuthenTec, Inc.) SRV - (Intel(R) -- C:\Programme\Intel\iCLS Client\HeciServer.exe (Intel(R) Corporation) SRV - (btwdins) -- C:\Programme\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.) SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) SRV - (HPWMISVC) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (Hewlett-Packard Development Company, L.P.) SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation) SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation) SRV - (NIS) -- C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe (Symantec Corporation) SRV - (wlidsvc) -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.) SRV - (GamesAppService) -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe (WildTangent, Inc.) 
SRV - (HPClientSvc) -- C:\Programme\Hewlett-Packard\HP Client Services\HPClientServices.exe (Hewlett-Packard Company) SRV - (wlcrasvc) -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation) SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd) DRV:64bit: - (dg_ssudbus) -- C:\Windows\SysNative\drivers\ssudbus.sys (DEVGURU Co., LTD.(www.devguru.co.kr)) DRV:64bit: - (ssudmdm) -- C:\Windows\SysNative\drivers\ssudmdm.sys (DEVGURU Co., LTD.(www.devguru.co.kr)) DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation) DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\drivers\BCMWL664.SYS (Broadcom Corporation) DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation) DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices) DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices) DRV:64bit: - (nvpciflt) -- C:\Windows\SysNative\drivers\nvpciflt.sys (NVIDIA Corporation) DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation) DRV:64bit: - (STHDA) -- C:\Windows\SysNative\drivers\stwrt64.sys (IDT, Inc.) 
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation) DRV:64bit: - (iusb3xhc) -- C:\Windows\SysNative\drivers\iusb3xhc.sys (Intel Corporation) DRV:64bit: - (iusb3hub) -- C:\Windows\SysNative\drivers\iusb3hub.sys (Intel Corporation) DRV:64bit: - (iusb3hcs) -- C:\Windows\SysNative\drivers\iusb3hcs.sys (Intel Corporation) DRV:64bit: - (btwampfl) -- C:\Windows\SysNative\drivers\btwampfl.sys (Broadcom Corporation.) DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation) DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation) DRV:64bit: - (REN2CAP_DRIVER) -- C:\Windows\SysNative\drivers\ren2cap.sys () DRV:64bit: - (bcbtums) -- C:\Windows\SysNative\drivers\bcbtums.sys (Broadcom Corporation.) DRV:64bit: - (RSP2STOR) -- C:\Windows\SysNative\drivers\RtsP2Stor.sys (Realtek Semiconductor Corp.) DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated) DRV:64bit: - (SmbDrv) -- C:\Windows\SysNative\drivers\Smb_driver.sys (Synaptics Incorporated) DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvollh.sys (Microsoft Corporation) DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaylh.sys (Microsoft Corporation) DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirlh.sys (Microsoft Corporation) DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfslh.sys (Microsoft Corporation) DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek ) DRV:64bit: - (ccSet_NIS) -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\ccSetx64.sys (Symantec Corporation) DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\srtsp64.sys (Symantec Corporation) DRV:64bit: - (SRTSPX) -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\srtspx64.sys (Symantec Corporation) DRV:64bit: - (SymEFA) -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\SymEFA64.sys (Symantec Corporation) DRV:64bit: - (SymNetS) -- 
C:\Windows\SysNative\drivers\NISx64\1301000.01C\symnets.sys (Symantec Corporation) DRV:64bit: - (SymDS) -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\SymDS64.sys (Symantec Corporation) DRV:64bit: - (SymIRON) -- C:\Windows\SysNative\drivers\NISx64\1301000.01C\Ironx64.sys (Symantec Corporation) DRV:64bit: - (btwaudio) -- C:\Windows\SysNative\drivers\btwaudio.sys (Broadcom Corporation.) DRV:64bit: - (btwavdt) -- C:\Windows\SysNative\drivers\btwavdt.sys (Broadcom Corporation.) DRV:64bit: - (btwrchid) -- C:\Windows\SysNative\drivers\btwrchid.sys (Broadcom Corporation.) DRV:64bit: - (BTWDPAN) -- C:\Windows\SysNative\drivers\btwdpan.sys (Broadcom Corporation.) DRV:64bit: - (hpdskflt) -- C:\Windows\SysNative\drivers\hpdskflt.sys (Hewlett-Packard Company) DRV:64bit: - (Accelerometer) -- C:\Windows\SysNative\drivers\Accelerometer.sys (Hewlett-Packard Company) DRV:64bit: - (btwl2cap) -- C:\Windows\SysNative\drivers\btwl2cap.sys (Broadcom Corporation.) DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation) DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation) DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company) DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation) DRV:64bit: - (clwvd) -- C:\Windows\SysNative\drivers\clwvd.sys (CyberLink Corporation) DRV:64bit: - (FSProFilter) -- C:\Windows\SysNative\drivers\FSPFltd.sys (FSPro Labs) DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.) DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation) DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology) DRV:64bit: - (SrvHsfV92) -- C:\Windows\SysNative\drivers\VSTDPV6.SYS (Conexant Systems, Inc.) DRV:64bit: - (SrvHsfWinac) -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS (Conexant Systems, Inc.) 
DRV:64bit: - (SrvHsfHDA) -- C:\Windows\SysNative\drivers\VSTAZL6.SYS (Conexant Systems, Inc.) DRV:64bit: - (NVENETFD) -- C:\Windows\SysNative\drivers\nvm62x64.sys (NVIDIA Corporation) DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation) DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation) DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation) DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.) DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130409.003\ex64.sys (Symantec Corporation) DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130409.003\eng64.sys (Symantec Corporation) DRV - (BHDrvx64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130322.001\BHDrvx64.sys (Symantec Corporation) DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation) DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation) DRV - (IDSVia64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130406.002\IDSviA64.sys (Symantec Corporation) DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPNOT/4 IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox IE:64bit: - 
HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF IE:64bit: - HKLM\..\SearchScopes\{C660B190-4D7B-4859-91B0-5F18ED7AC738}: "URL" = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} IE:64bit: - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = hxxp://de.wikipedia.org/wiki/Special:Search?search={searchTerms} IE:64bit: - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = hxxp://rover.ebay.com/rover/1/707-111076-19270-3/4?mpre=hxxp://www.ebay.de/sch/i.html?_nkw={searchTerms} IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPNOT/4 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = hxxp://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = hxxp://www.google.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = hxxp://www.google.com IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF IE - HKLM\..\SearchScopes\{C660B190-4D7B-4859-91B0-5F18ED7AC738}: "URL" = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = 
hxxp://de.wikipedia.org/wiki/Special:Search?search={searchTerms} IE - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = hxxp://rover.ebay.com/rover/1/707-111076-19270-3/4?mpre=hxxp://www.ebay.de/sch/i.html?_nkw={searchTerms} IE - HKLM\..\SearchScopes\{F29DC52A-10C1-41A0-B417-AD867D262592}: "URL" = hxxp://feed.helperbar.com/?publisher=OC&dpid=OC&co=DE&userid=0d9980cd-98b9-4afb-9e06-0b523d5d6acb&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = hxxp://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = hxxp://www.google.com IE - HKCU\..\SearchScopes,DefaultScope = IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox IE - HKCU\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF IE - HKCU\..\SearchScopes\{C660B190-4D7B-4859-91B0-5F18ED7AC738}: "URL" = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de2-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} IE - HKCU\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = hxxp://de.wikipedia.org/wiki/Special:Search?search={searchTerms} IE - HKCU\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = hxxp://rover.ebay.com/rover/1/707-111076-19270-3/4?mpre=hxxp://www.ebay.de/sch/i.html?_nkw={searchTerms} IE - HKCU\..\SearchScopes\{F29DC52A-10C1-41A0-B417-AD867D262592}: "URL" = 
hxxp://feed.helperbar.com/?publisher=OC&dpid=OC&co=DE&userid=0d9980cd-98b9-4afb-9e06-0b523d5d6acb&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "" FF - prefs.js..browser.search.selectedEngine: "" FF - prefs.js..browser.search.useDBForOrder: false FF - prefs.js..browser.startup.homepage: "google.de" FF - prefs.js..extensions.enabledAddons: DivXWebPlayer%40divx.com:2.0.2.039 FF - prefs.js..extensions.enabledAddons: tXsGT9QxoKlmxUz0Kj%40mDvNgXhNdd92G6vn.com:11 FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.4.8 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2 FF - prefs.js..network.proxy.type: 0 FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC) FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.) 
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation) FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll () FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\IPSFFPlgn\ [2013.03.31 13:16:41 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\coFFPlgn\ [2013.03.31 13:16:36 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012.11.28 22:17:30 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.23 14:42:38 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.10.23 23:08:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steini\AppData\Roaming\mozilla\Extensions [2013.04.09 19:59:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steini\AppData\Roaming\mozilla\Firefox\Profiles\nar1bxrf.default\extensions [2013.04.09 17:38:30 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Steini\AppData\Roaming\mozilla\Firefox\Profiles\nar1bxrf.default\extensions\ich@maltegoetz.de [2013.04.09 19:59:15 | 001,016,663 | ---- | M] () (No name found) -- C:\Users\Steini\AppData\Roaming\mozilla\firefox\profiles\nar1bxrf.default\extensions\antigameorigin@antigame.de.xpi [2012.10.23 18:43:53 | 000,550,833 | ---- | M] () (No name found) -- C:\Users\Steini\AppData\Roaming\mozilla\firefox\profiles\nar1bxrf.default\extensions\DivXWebPlayer@divx.com.xpi [2013.01.16 23:05:57 | 000,003,702 | ---- | M] () 
(No name found) -- C:\Users\Steini\AppData\Roaming\mozilla\firefox\profiles\nar1bxrf.default\extensions\tXsGT9QxoKlmxUz0Kj@mDvNgXhNdd92G6vn.com.xpi [2012.11.09 11:36:49 | 000,006,522 | ---- | M] () -- C:\Users\Steini\AppData\Roaming\mozilla\firefox\profiles\nar1bxrf.default\searchplugins\pcpmngr.xml [2012.11.30 12:18:45 | 000,002,089 | ---- | M] () -- C:\Users\Steini\AppData\Roaming\mozilla\firefox\profiles\nar1bxrf.default\searchplugins\Startpins.xml [2013.03.23 14:42:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013.03.07 16:30:04 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2013.03.07 17:45:15 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.03.07 17:45:15 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2013.03.07 17:45:15 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2013.03.07 17:45:15 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012.12.05 14:38:35 | 000,003,269 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Web Search.xml [2013.03.07 17:45:15 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2013.03.07 17:45:15 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (HP SimplePass Browser Helper Object) - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass\x64\IEBHO.dll (HP) O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft 
Corp.) O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC) O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll (Symantec Corporation) O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\IPS\IPSBHO.DLL (Symantec Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (HP SimplePass Browser Helper Object) - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass\IEBHO.DLL (HP) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard) O3:64bit: - HKLM\..\Toolbar: (HP SimplePass Toolbar) - {C98EE38D-21E4-4A50-907D-2B56FEC7013E} - C:\Program Files (x86)\HP SimplePass\x64\IEBHO.dll (HP) O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll (Symantec Corporation) O3 - HKLM\..\Toolbar: (no name) - {9E131A93-EED7-4BEB-B015-A0ADB30B5646} - No CLSID value found. 
O3 - HKLM\..\Toolbar: (HP SimplePass Toolbar) - {C98EE38D-21E4-4A50-907D-2B56FEC7013E} - C:\Program Files (x86)\HP SimplePass\IEBHO.DLL (HP) O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll (Symantec Corporation) O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [SetDefault] C:\Programme\Hewlett-Packard\HP LaunchBox\SetDefault.exe (Hewlett-Packard Development Company, L.P.) O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Programme\IDT\WDM\sttray64.exe (IDT, Inc.) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe () O4 - HKLM..\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe (EasyBits Software AS) O4 - HKLM..\Run: [HP CoolSense] C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe (Hewlett-Packard Development Company, L.P.) O4 - HKLM..\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (Hewlett-Packard Development Company, L.P.) O4 - HKLM..\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe (Hewlett-Packard Development Company L.P.) O4 - HKLM..\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe (Hewlett-Packard Development Company, L.P.) 
O4 - HKLM..\Run: [USB3MON] C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [EPLTarget\P0000000000000001] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHKE.EXE /EPT "EPLTarget\P0000000000000001" /M "Epson Stylus SX230" File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0
O8:64bit: - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O9 - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra Button: Senden an Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Senden an &Bluetooth-Gerät... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9C442D40-AB7E-45EE-918A-C7D60DD9C88A}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E33A462B-903F-469E-8B78-1F8C51438511}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - AppInit_DLLs: (c:\Windows\SysWOW64\nvinit.dll) - c:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - AppInit_DLLs: (C:\Windows\System32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (c:\Windows\SysWOW64\nvinit.dll) - c:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWOW64\ezUPBHook.dll (EasyBits Software Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012.09.18 14:40:03 | 000,000,069 | R--- | M] () - F:\Autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2012.11.22 18:40:18 | 000,000,024 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2012.11.21 15:10:20 | 008,533,584 | R--- | M] () - I:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2012.11.21 15:10:20 | 000,387,878 | R--- | M] () - I:\autorun.ico -- [ CDFS ]
O32 - AutoRun File - [2012.11.21 15:10:20 | 000,000,047 | R--- | M] () - I:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2012.11.14 00:34:21 | 000,000,058 | R--- | M] () - J:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.04.09 20:34:44 | 000,000,000 | ---D | C] -- C:\Users\Steini\AppData\Local\HP
[2013.04.09 20:22:37 | 000,000,000 | ---D | C] -- C:\Users\Steini\AppData\Roaming\IDT
[2013.04.09 18:41:48 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013.04.09 18:36:50 | 004,316,280 | ---- | C] (Piriform Ltd) -- C:\Users\Steini\Desktop\ccsetup400.exe
[2013.04.09 01:04:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Iminent
[2013.04.09 01:04:09 | 000,000,000 | ---D | C] -- C:\Users\Steini\AppData\Local\PutLockerDownloader
[2013.04.09 01:04:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Gophoto.it
[2013.04.09 01:04:02 | 000,000,000 | ---D | C] -- C:\Users\Steini\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Movie2KDownloader.com
[2013.04.09 01:04:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Movie2KDownloader.com
[2013.04.02 18:41:26 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2013.04.01 23:58:57 | 000,000,000 | ---D | C] -- C:\Users\Steini\Desktop\Shades of Grey 01 - Geheimes Verlangen
[2013.03.26 13:46:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2013.03.26 13:46:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2013.03.26 13:45:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2013.03.13 15:08:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013.03.13 15:07:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013.03.13 15:07:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2013.03.12 21:23:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013.04.10 00:13:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.09 19:04:28 | 000,000,165 | -H-- | M] () -- C:\Users\Steini\Documents\~$Ogame Uni 70.ods
[2013.04.09 18:41:50 | 000,000,898 | ---- | M] () -- C:\Windows\SysWow64\InstallUtil.InstallLog
[2013.04.09 18:40:04 | 000,085,984 | ---- | M] () -- C:\Users\Steini\Documents\cc_20130409_183951.reg
[2013.04.09 18:37:30 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013.04.09 18:36:51 | 004,316,280 | ---- | M] (Piriform Ltd) -- C:\Users\Steini\Desktop\ccsetup400.exe
[2013.04.09 17:58:21 | 000,377,856 | ---- | M] () -- C:\Users\Steini\Desktop\gmer_2.1.19163.exe
[2013.04.09 17:39:17 | 000,006,643 | ---- | M] () -- C:\Users\Steini\Documents\Ogame Uni 70.ods
[2013.04.09 11:44:38 | 001,500,018 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.09 11:44:38 | 000,654,610 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.09 11:44:38 | 000,616,452 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.09 11:44:38 | 000,130,192 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.09 11:44:38 | 000,106,574 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.09 11:41:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.04 13:21:18 | 000,031,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.04 13:21:18 | 000,031,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.03 21:00:42 | 000,000,336 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForSteini.job
[2013.03.31 13:16:01 | 2068,295,679 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.26 22:56:22 | 000,000,915 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2013.03.23 14:42:40 | 000,001,147 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2013.03.14 05:01:10 | 000,001,949 | ---- | M] () -- C:\Users\Public\Desktop\CDBurnerXP.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013.04.09 19:04:28 | 000,000,165 | -H-- | C] () -- C:\Users\Steini\Documents\~$Ogame Uni 70.ods
[2013.04.09 18:39:57 | 000,085,984 | ---- | C] () -- C:\Users\Steini\Documents\cc_20130409_183951.reg
[2013.04.09 17:58:21 | 000,377,856 | ---- | C] () -- C:\Users\Steini\Desktop\gmer_2.1.19163.exe
[2013.04.09 01:04:44 | 000,000,898 | ---- | C] () -- C:\Windows\SysWow64\InstallUtil.InstallLog
[2013.04.03 18:45:24 | 000,006,643 | ---- | C] () -- C:\Users\Steini\Documents\Ogame Uni 70.ods
[2013.04.01 23:58:57 | 002,474,942 | ---- | C] () -- C:\Users\Steini\Documents\Shades of Grey 01 - Geheimes Verlangen - E L James.rtf
[2013.02.01 02:17:19 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013.02.01 02:17:19 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013.02.01 02:17:19 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013.02.01 02:17:19 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013.02.01 02:17:19 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013.01.13 14:58:01 | 000,000,116 | ---- | C] () -- C:\Windows\wininit.ini
[2013.01.07 21:58:54 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2013.01.07 21:58:46 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012.12.11 01:37:03 | 000,032,256 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll
[2012.12.11 01:34:21 | 000,107,520 | RHS- | C] () -- C:\Windows\SysWow64\TAKDSDecoder.dll
[2012.12.05 14:38:39 | 000,015,432 | ---- | C] () -- C:\Windows\Launcher.exe
[2012.11.21 15:10:20 | 003,123,272 | R--- | C] () -- C:\Windows\SysWow64\pbsvc.exe
[2012.11.07 17:23:12 | 000,049,152 | ---- | C] () -- C:\Windows\SysWow64\apache.dll
[2012.10.24 13:17:01 | 000,040,960 | R--- | C] () -- C:\Windows\SysWow64\psfind.dll
[2012.10.10 20:14:51 | 001,500,444 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.10.09 20:04:44 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2012.08.06 15:25:20 | 000,000,068 | ---- | C] () -- C:\Windows\SysWow64\ezdigsgn.dat
[2012.08.06 15:13:23 | 000,734,772 | ---- | C] () -- C:\Windows\SysWow64\igkrng700.bin
[2012.08.06 15:13:22 | 000,559,780 | ---- | C] () -- C:\Windows\SysWow64\igfcg700m.bin
[2012.08.06 15:13:21 | 000,058,880 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2012.08.06 15:13:20 | 013,001,728 | ---- | C] () -- C:\Windows\SysWow64\ig7icd32.dll
[2011.12.08 16:14:58 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\IusEventLog.dll
[2011.09.06 12:34:28 | 000,007,736 | ---- | C] () -- C:\Windows\hpDSTRES.DLL

========== ZeroAccess Check ==========

[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013.03.15 12:51:24 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Audacity
[2012.10.10 21:26:00 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Bioshock2
[2012.10.12 14:33:28 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Canneverbe Limited
[2013.04.09 18:39:26 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\DAEMON Tools Lite
[2012.11.13 15:52:21 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Day 1 Studios
[2013.04.09 20:22:37 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\IDT
[2012.11.09 11:40:30 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\IrfanView
[2013.01.30 23:04:12 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\runic games
[2012.12.17 13:04:56 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\SoftGrid Client
[2012.10.09 20:11:51 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Synaptics
[2013.01.07 23:29:23 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Theta
[2012.10.10 20:15:25 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\TP
[2012.12.11 01:46:13 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\TuneUp Software
[2012.11.26 16:20:48 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\Unity
[2013.01.13 14:38:18 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\WebApp
[2012.12.10 12:23:08 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\WildTangent
[2012.10.24 13:04:02 | 000,000,000 | ---D | M] -- C:\Users\Steini\AppData\Roaming\_MDLogs

========== Purity Check ==========

< End of report >

Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-10 02:32:39
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.AX00 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Steini\AppData\Local\Temp\fwlcipoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76]
.text ... * 2
.text C:\Program Files (x86)\HP SimplePass\TouchControl.exe[9804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76]
.text C:\Program Files (x86)\HP SimplePass\TouchControl.exe[9804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76]
.text ... * 2
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c6f9c0 5 bytes JMP 000000016da55f49
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077c6f9d8 5 bytes JMP 000000016da56411
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077c6fa08 5 bytes JMP 000000016da5016d
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077c6fa20 5 bytes JMP 000000016da4fbca
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077c6fa70 5 bytes JMP 000000016da4fa44
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077c6fa88 2 bytes JMP 000000016da4fb52
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3 0000000077c6fa8b 2 bytes [DE, F5]
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077c6fb20 5 bytes JMP 000000016da50424
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077c6fc18 5 bytes JMP 000000016da54369
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077c6fd2c 5 bytes JMP 000000016da4f9cc
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c6fd44 5 bytes JMP 000000016da54959
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077c6fd78 5 bytes JMP 000000016da539de
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077c6fe24 5 bytes JMP 000000016da55fc4
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077c6fe3c 5 bytes JMP 000000016da54adb
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c70094 5 bytes JMP 000000016da54791
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077c701a4 5 bytes JMP 000000016da4fc42
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077c709c4 5 bytes JMP 000000016da54584
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077c709dc 5 bytes JMP 000000016da4cc5b
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077c70a24 5 bytes JMP 000000016da4cd29
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077c70b60 5 bytes JMP 000000016da4ccc2
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077c70f50 5 bytes JMP 000000016da4fcba
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c70f68 5 bytes JMP 000000016da4ff45
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077c70ff8 5 bytes JMP 000000016da501fd
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077c7131c 5 bytes JMP 000000016da54b6b
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077c7145c 5 bytes JMP 000000016da4fec9
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077c71508 5 bytes JMP 000000016da56389
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077c716f8 1 byte JMP 000000016da4d138
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2 0000000077c716fa 3 bytes {JMP 0xfffffffff5ddba40}
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077c71a38 5 bytes JMP 000000016da4facc
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077c71b7c 5 bytes JMP 000000016da5616c
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753a103d 5 bytes JMP 000000016da293a9
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753a1072 5 bytes JMP 000000016da294e7
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000753a87b1 5 bytes JMP 000000015e9e856d
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753cc9b5 5 bytes JMP 000000016da2971d
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW 00000000754200c3 5 bytes JMP 000000016da29efe
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA 000000007542016b 5 bytes JMP 000000016da2a231
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075422c91 5 bytes JMP 000000016da29aa0
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!AllocConsole 0000000075446b3e 5 bytes JMP 000000016da57431
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\kernel32.dll!AttachConsole 0000000075446c02 5 bytes JMP 000000016da57443
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765f2aa4 5 bytes JMP 000000016da2a43c
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dc8a29 5 bytes JMP 000000016da57419
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075dcd22e 5 bytes JMP 000000016da57401
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 000000007605d2b2 5 bytes JMP 000000016da37617
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\GDI32.dll!AddFontResourceA 000000007605d7bb 5 bytes JMP 000000016da375fb
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 00000000762e1e3a 7 bytes JMP 000000016da3a3b9
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 00000000762eb466 7 bytes JMP 000000016da3b2da
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 00000000763078ff 7 bytes JMP 000000016da3aa60
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000763079bb 7 bytes JMP 000000016da3ac11
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 000000007630a3e2 7 bytes JMP 000000016da3b3a0
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076322538 5 bytes JMP 000000016da2985f
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000076341b94 7 bytes JMP 000000016da3ab18
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000076341c31 7 bytes JMP 000000016da3acc9
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000076342021 7 bytes JMP 000000016da3b21c
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000076342104 7 bytes JMP 000000016da3a470
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000076342221 5 bytes JMP 000000016da3b15e
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075684d5c 7 bytes JMP 000000016da3a1fe
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075684dc3 7 bytes JMP 000000016da3a527
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus 0000000075684e4b 7 bytes JMP 000000016da3a28a
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx 0000000075684eaf 7 bytes JMP 000000016da3a31d
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!StartServiceW 0000000075684f35 7 bytes JMP 000000016da3a079
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!StartServiceA 000000007568508d 7 bytes JMP 000000016da3a10f
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000756850f4 7 bytes JMP 000000016da3b02c
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075685181 7 bytes JMP 000000016da3b0c8
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075685254 7 bytes JMP 000000016da3a728
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756853d5 7 bytes JMP 000000016da3a643
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756854c2 7 bytes JMP 000000016da3a9ca
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756855e2 7 bytes JMP 000000016da3a934
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007568567c 7 bytes JMP 000000016da39e5b
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007568589f 7 bytes JMP 000000016da39d85
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075685a22 7 bytes JMP 000000016da3a5b5
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA 0000000075685a83 7 bytes JMP 000000016da3ae5b
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW 0000000075685b29 7 bytes JMP 000000016da3adc2
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA 0000000075685ca0 7 bytes JMP 000000016da39535
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW 0000000075685d8c 7 bytes JMP 000000016da394bc
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000756863ad 7 bytes JMP 000000016da39a83
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000756864f0 7 bytes JMP 000000016da39b0f
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A 0000000075686633 7 bytes JMP 000000016da3af90
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W 000000007568680c 7 bytes JMP 000000016da3aef4
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007568714b 7 bytes JMP 000000016da39bf8
.text C:\Windows\notepad.exe[6620] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075687245 7 bytes JMP 000000016da39c84
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076426143 5 bytes JMP 000000015ef1fa9a
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007642c56e 5 bytes JMP 000000016da411c4
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007642ea09 7 bytes JMP 000000016da41795
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!OleRun 00000000764307de 5 bytes JMP 000000016da41650
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 00000000764321e1 5 bytes JMP 000000016da422c5
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!OleUninitialize 000000007643eba1 6 bytes JMP 000000016da4156f
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!OleInitialize 000000007643efd7 5 bytes JMP 000000016da414ff
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoGetPSClsid 00000000764426b9 5 bytes JMP 000000016da4133c
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000764554ad 5 bytes JMP 000000016da42853
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoInitializeEx 00000000764609ad 5 bytes JMP 000000016da413af
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoUninitialize 00000000764686d3 5 bytes JMP 000000016da41431
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076469d0b 5 bytes JMP 000000016da43b21
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076469d4e 5 bytes JMP 000000016da41c5c
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007648bb09 7 bytes JMP 000000016da416c0
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 00000000764aeacf 5 bytes JMP 000000016da40c21
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000764e340b 5 bytes JMP 000000016da42d13
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007652cfd9 5 bytes JMP 000000016da415da
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075cd3e59 5 bytes JMP 000000015ea197d1
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075cd3eae 5 bytes JMP 000000015ea27641
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075cd4731 5 bytes JMP 000000015ea265d9
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075cd5dee 5 bytes JMP 000000015ea4da4f
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000075d0279e 5 bytes JMP 000000016da40eb4
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000075d03294 5 bytes JMP 000000016da40fd5
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000075d18f40 5 bytes JMP 000000016da41048
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76]
.text C:\Windows\notepad.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76]
.text ... * 2
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c6f9c0 5 bytes JMP 000000016da55f49
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077c6f9d8 5 bytes JMP 000000016da56411
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077c6fa08 5 bytes JMP 000000016da5016d
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077c6fa20 5 bytes JMP 000000016da4fbca
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077c6fa70 5 bytes JMP 000000016da4fa44
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077c6fa88 2 bytes JMP 000000016da4fb52
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3 0000000077c6fa8b 2 bytes [DE, F5]
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077c6fb20 5 bytes JMP 000000016da50424
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077c6fc18 5 bytes JMP 000000016da54369
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077c6fd2c 5 bytes JMP 000000016da4f9cc
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c6fd44 5 bytes JMP 000000016da54959
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077c6fd78 5 bytes JMP 000000016da539de
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077c6fe24 5 bytes JMP 000000016da55fc4
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077c6fe3c 5 bytes JMP 000000016da54adb
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c70094 5 bytes JMP 000000016da54791
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077c701a4 5 bytes JMP 000000016da4fc42
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077c709c4 5 bytes JMP 000000016da54584
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077c709dc 5 bytes JMP 000000016da4cc5b
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077c70a24 5 bytes JMP 000000016da4cd29
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077c70b60 5 bytes JMP 000000016da4ccc2
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077c70f50 5 bytes JMP 000000016da4fcba
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c70f68 5 bytes JMP 000000016da4ff45
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077c70ff8 5 bytes JMP 000000016da501fd
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077c7131c 5 bytes JMP 000000016da54b6b
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077c7145c 5 bytes JMP 000000016da4fec9
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077c71508 5 bytes JMP 000000016da56389
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077c716f8 1 byte JMP 000000016da4d138
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2 0000000077c716fa 3 bytes {JMP 0xfffffffff5ddba40}
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077c71a38 5 bytes JMP 000000016da4facc
.text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077c71b7c 5 bytes JMP 000000016da5616c
.text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000753a103d 5 bytes JMP 000000016da293a9
.text C:\Windows\notepad.exe[7932]
C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753a1072 5 bytes JMP 000000016da294e7 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000753cc9b5 5 bytes JMP 000000016da2971d .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW 00000000754200c3 5 bytes JMP 000000016da29efe .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA 000000007542016b 5 bytes JMP 000000016da2a231 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075422c91 5 bytes JMP 000000016da29aa0 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!AllocConsole 0000000075446b3e 5 bytes JMP 000000016da57431 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\kernel32.dll!AttachConsole 0000000075446c02 5 bytes JMP 000000016da57443 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765f2aa4 5 bytes JMP 000000016da2a43c .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dc8a29 5 bytes JMP 000000016da57419 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075dcd22e 5 bytes JMP 000000016da57401 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 000000007605d2b2 5 bytes JMP 000000016da37617 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\GDI32.dll!AddFontResourceA 000000007605d7bb 5 bytes JMP 000000016da375fb .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 00000000762e1e3a 7 bytes JMP 000000016da3a3b9 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 00000000762eb466 7 bytes JMP 000000016da3b2da .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 00000000763078ff 7 bytes JMP 000000016da3aa60 .text C:\Windows\notepad.exe[7932] 
C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000763079bb 7 bytes JMP 000000016da3ac11 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 000000007630a3e2 7 bytes JMP 000000016da3b3a0 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076322538 5 bytes JMP 000000016da2985f .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000076341b94 7 bytes JMP 000000016da3ab18 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000076341c31 7 bytes JMP 000000016da3acc9 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000076342021 7 bytes JMP 000000016da3b21c .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000076342104 7 bytes JMP 000000016da3a470 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000076342221 5 bytes JMP 000000016da3b15e .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075684d5c 7 bytes JMP 000000016da3a1fe .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075684dc3 7 bytes JMP 000000016da3a527 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus 0000000075684e4b 7 bytes JMP 000000016da3a28a .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx 0000000075684eaf 7 bytes JMP 000000016da3a31d .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!StartServiceW 0000000075684f35 7 bytes JMP 000000016da3a079 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!StartServiceA 000000007568508d 7 bytes JMP 000000016da3a10f .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000756850f4 7 bytes JMP 000000016da3b02c .text 
C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075685181 7 bytes JMP 000000016da3b0c8 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075685254 7 bytes JMP 000000016da3a728 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756853d5 7 bytes JMP 000000016da3a643 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756854c2 7 bytes JMP 000000016da3a9ca .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756855e2 7 bytes JMP 000000016da3a934 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007568567c 7 bytes JMP 000000016da39e5b .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007568589f 7 bytes JMP 000000016da39d85 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075685a22 7 bytes JMP 000000016da3a5b5 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA 0000000075685a83 7 bytes JMP 000000016da3ae5b .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW 0000000075685b29 7 bytes JMP 000000016da3adc2 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA 0000000075685ca0 7 bytes JMP 000000016da39535 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW 0000000075685d8c 7 bytes JMP 000000016da394bc .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000756863ad 7 bytes JMP 000000016da39a83 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000756864f0 7 bytes JMP 000000016da39b0f .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A 0000000075686633 7 bytes JMP 000000016da3af90 .text 
C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W 000000007568680c 7 bytes JMP 000000016da3aef4 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007568714b 7 bytes JMP 000000016da39bf8 .text C:\Windows\notepad.exe[7932] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075687245 7 bytes JMP 000000016da39c84 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007642c56e 5 bytes JMP 000000016da411c4 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007642ea09 7 bytes JMP 000000016da41795 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!OleRun 00000000764307de 5 bytes JMP 000000016da41650 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 00000000764321e1 5 bytes JMP 000000016da422c5 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!OleUninitialize 000000007643eba1 6 bytes JMP 000000016da4156f .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!OleInitialize 000000007643efd7 5 bytes JMP 000000016da414ff .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoGetPSClsid 00000000764426b9 5 bytes JMP 000000016da4133c .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000764554ad 5 bytes JMP 000000016da42853 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoInitializeEx 00000000764609ad 5 bytes JMP 000000016da413af .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoUninitialize 00000000764686d3 5 bytes JMP 000000016da41431 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076469d0b 5 bytes JMP 000000016da43b21 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076469d4e 5 bytes JMP 000000016da41c5c .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 
7 000000007648bb09 7 bytes JMP 000000016da416c0 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 00000000764aeacf 5 bytes JMP 000000016da40c21 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000764e340b 5 bytes JMP 000000016da42d13 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007652cfd9 5 bytes JMP 000000016da415da .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000075d0279e 5 bytes JMP 000000016da40eb4 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000075d03294 5 bytes JMP 000000016da40fd5 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000075d18f40 5 bytes JMP 000000016da41048 .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765c1465 2 bytes [5C, 76] .text C:\Windows\notepad.exe[7932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765c14bb 2 bytes [5C, 76] .text ... 
* 2 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077ac1400 8 bytes JMP 000000016fff02b8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077ac1410 8 bytes JMP 000000016fff0838 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 0000000077ac1430 8 bytes JMP 000000016fff0158 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077ac1440 8 bytes JMP 000000016fff04c8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey 0000000077ac1470 8 bytes JMP 000000016fff03c0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077ac1480 8 bytes JMP 000000016fff0470 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077ac14e0 8 bytes JMP 000000016fff0310 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077ac1580 8 bytes JMP 000000016fff0aa0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000077ac1630 8 bytes JMP 000000016fff0368 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077ac1640 8 bytes JMP 000000016fff0890 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000077ac1660 8 bytes JMP 000000016fff0a48 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077ac16d0 8 bytes JMP 000000016fff07e0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077ac16e0 8 bytes JMP 000000016fff0998 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077ac1860 8 bytes JMP 000000016fff08e8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000077ac1910 8 bytes JMP 000000016fff0520 .text C:\Windows\splwow64.exe[17332] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077ac1e60 8 bytes JMP 000000016fff0940 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077ac1e70 8 bytes JMP 000000016fff0208 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077ac1ea0 8 bytes JMP 000000016fff0578 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey 0000000077ac1f70 8 bytes JMP 000000016fff0260 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ac21f0 1 byte JMP 000000016fff0680 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 2 0000000077ac21f2 6 bytes {JMP 0xfffffffff852e490} .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ac2200 8 bytes JMP 000000016fff06d8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077ac2260 8 bytes JMP 000000016fff01b0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077ac2470 8 bytes JMP 000000016fff09f0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000077ac2540 8 bytes JMP 000000016fff0628 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject 0000000077ac25b0 8 bytes JMP 000000016fff0730 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey 0000000077ac26f0 8 bytes JMP 000000016fff05d0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey 0000000077ac2900 8 bytes JMP 000000016fff0418 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject 0000000077ac29d0 8 bytes JMP 000000016fff0788 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775aa420 12 bytes JMP 000000016fff0d60 .text C:\Windows\splwow64.exe[17332] 
C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775c1b50 12 bytes JMP 000000016fff0c58 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!SetDllDirectoryW 00000000775ed890 6 bytes JMP 000000016fff0db8 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!SetDllDirectoryA 0000000077603380 6 bytes JMP 000000016fff0e10 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!AttachConsole 0000000077625980 9 bytes JMP 000000016fff0c00 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!AllocConsole 0000000077625a70 9 bytes JMP 000000016fff0ba8 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077638810 7 bytes JMP 000000016fff0cb0 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\kernel32.dll!WinExec 0000000077638d50 7 bytes JMP 000000016fff0d08 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdfa9940 6 bytes JMP 000007feff9014f0 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\GDI32.dll!AddFontResourceW 000007feff564834 5 bytes JMP 000007feff900838 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\GDI32.dll!AddFontResourceA 000007feff57900c 5 bytes JMP 000007feff9007e0 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesW 000007feff471440 5 bytes JMP 000007feff900e68 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExW 000007feff47c570 7 bytes JMP 000007feff900fc8 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameW 000007feff493e40 7 bytes JMP 000007feff901128 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameW 000007feff493f10 7 bytes JMP 000007feff901078 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff4ba1a0 7 bytes JMP 000007feff901498 .text C:\Windows\splwow64.exe[17332] 
C:\Windows\system32\ADVAPI32.dll!EnumDependentServicesA 000007feff4bce80 5 bytes JMP 000007feff900ec0 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusExA 000007feff4bcff0 7 bytes JMP 000007feff901020 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusA 000007feff4bd1f0 7 bytes JMP 000007feff900f70 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!EnumServicesStatusW 000007feff4bd5f0 7 bytes JMP 000007feff900f18 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!GetServiceDisplayNameA 000007feff4bd950 9 bytes JMP 000007feff901180 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\ADVAPI32.dll!GetServiceKeyNameA 000007feff4bd9e0 9 bytes JMP 000007feff9010d0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff8e642c 9 bytes JMP 000007feff900af8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff8e6484 7 bytes JMP 000007feff900940 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff8e6518 7 bytes JMP 000007feff9009f0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerW 000007feff8e659c 7 bytes JMP 000007feff900890 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatus 000007feff8e6730 7 bytes JMP 000007feff9013e8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceStatusEx 000007feff8e6784 6 bytes JMP 000007feff901440 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007feff8e6824 9 bytes JMP 000007feff900a48 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!OpenSCManagerA 000007feff8e6aa4 7 bytes JMP 000007feff9008e8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff8e6c34 7 bytes JMP 000007feff900998 .text 
C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007feff8e6d00 9 bytes JMP 000007feff900aa0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceObjectSecurity 000007feff8e6d58 5 bytes JMP 000007feff901338 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8e6e00 1 byte JMP 000007feff901390 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity + 2 000007feff8e6e02 5 bytes {JMP 0x1a590} .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8e6f2c 7 bytes JMP 000007feff900d60 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8e7220 7 bytes JMP 000007feff900d08 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8e739c 7 bytes JMP 000007feff900e10 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8e7538 7 bytes JMP 000007feff900db8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8e75e8 7 bytes JMP 000007feff900c58 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8e790c 7 bytes JMP 000007feff900c00 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8e7ab4 7 bytes JMP 000007feff900cb0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigA 000007feff8e7b04 5 bytes JMP 000007feff901230 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfigW 000007feff8e7c34 5 bytes JMP 000007feff9011d8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2A 000007feff8e7d78 7 bytes JMP 000007feff9012e0 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!QueryServiceConfig2W 000007feff8e8244 7 bytes 
JMP 000007feff901288 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA 000007feff8e8b00 7 bytes JMP 000007feff900ba8 .text C:\Windows\splwow64.exe[17332] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW 000007feff8e8c38 7 bytes JMP 000007feff900b50 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\oleaut32.dll!RevokeActiveObject 000007feff366700 5 bytes JMP 000007feff900418 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\oleaut32.dll!GetActiveObject 000007feff37c1e0 5 bytes JMP 000007feff900470 .text C:\Windows\splwow64.exe[17332] C:\Windows\system32\oleaut32.dll!RegisterActiveObject 000007feff37c260 7 bytes JMP 000007feff9003c0 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\IMinent Toolbar\TbHelper2.exe (*** suspicious ***) @ C:\Program Files (x86)\IMinent Toolbar\TbHelper2.exe [6264] 0000000001370000 Library C:\Program Files (x86)\IMinent Toolbar\TbCommonUtils.dll (*** suspicious ***) @ C:\Program Files (x86)\IMinent Toolbar\TbHelper2.exe [6264] 0000000074670000 Library Q:\140066.deu\Office14\EXCELC.EXE (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 000000002f060000 Library Q:\140066.deu\Office14\gfx.dll (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 000000006a200000 Library Q:\140066.deu\Office14\oart.dll (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 000000005fbb0000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 000000005e9e0000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 0000000069de0000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\1031\MSOINTL.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 0000000069600000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft 
Shared\OFFICE14\RICHED20.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 0000000069c90000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSORES.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 000000005a4b0000 Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\USP10.DLL (*** suspicious ***) @ Q:\140066.deu\Office14\EXCELC.EXE [6620] 000000006d8e0000 Library Q:\140066.deu\Office14\OffSpon.EXE (*** suspicious ***) @ Q:\140066.deu\Office14\OffSpon.EXE [7932] 000000002d370000 Library Q:\140066.deu\Office14\msadctls.dll (*** suspicious ***) @ Q:\140066.deu\Office14\OffSpon.EXE [7932] 000000006aeb0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{1810D142-8C3F-44B0-B690-517959AFF248}\Connection@Name isatap.{34B17D51-E4AF-4934-89B4-A76D747F0BEC} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{65B344FB-95F7-4075-8F27-E44C7F30309F}?\Device\{1ABBF554-4D6E-4CC1-B36E-4D1BEFA78D12}?\Device\{1810D142-8C3F-44B0-B690-517959AFF248}?\Device\{E9FE0092-F9DC-4B9C-9EF1-95DC84208103}?\Device\{FFA9105C-3050-4D74-8BB7-BB927824F485}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{65B344FB-95F7-4075-8F27-E44C7F30309F}"?"{1ABBF554-4D6E-4CC1-B36E-4D1BEFA78D12}"?"{1810D142-8C3F-44B0-B690-517959AFF248}"?"{E9FE0092-F9DC-4B9C-9EF1-95DC84208103}"?"{FFA9105C-3050-4D74-8BB7-BB927824F485}"? 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{65B344FB-95F7-4075-8F27-E44C7F30309F}?\Device\TCPIP6TUNNEL_{1ABBF554-4D6E-4CC1-B36E-4D1BEFA78D12}?\Device\TCPIP6TUNNEL_{1810D142-8C3F-44B0-B690-517959AFF248}?\Device\TCPIP6TUNNEL_{E9FE0092-F9DC-4B9C-9EF1-95DC84208103}?\Device\TCPIP6TUNNEL_{FFA9105C-3050-4D74-8BB7-BB927824F485}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9edaa32 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{1810D142-8C3F-44B0-B690-517959AFF248}@InterfaceName isatap.{34B17D51-E4AF-4934-89B4-A76D747F0BEC} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{1810D142-8C3F-44B0-B690-517959AFF248}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\00-00-00-00-00-00@ClientLocalPort 60708 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\00-00-00-00-00-00@TeredoAddress 2001:0:5ef5:79fd:2463:12db:6dcb:91f9 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 2732 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 1161 Reg HKLM\SYSTEM\CurrentControlSet\services\SRTSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\SRTSP Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9edaa32 (not active ControlSet) ---- EOF - GMER 2.1 ----

Thanks in advance.

Regards, Steini