Log analysis and evaluation: System keeps hanging, recently switched antivirus program (Windows 7)

28.05.2013, 10:32 | #1
Hi,

I recently switched off the Norton 360 that was installed on my machine and installed Avira, because I suspected that Norton was meddling with my programs (which turned out not to be the case). Now I have removed Avira again and reinstalled Norton, but my PC now hangs completely every so often. Not even the Task Manager will open. 15-30 minutes after system start the effect almost completely disappears, though. Both CPU and RAM usage are still well below maximum, but I have the impression that more memory is in use than normal. Avira found a Trojan, which I deleted. Unfortunately I did not save the log files, and Avira is already uninstalled. In addition, under this user account the process AdobeARM shows up, even after deleting the program's file. Under the Administrator account that does not happen. So much for what I have observed.

When closing OTL I got this error: Exception EAccessViolation in module OTL.exe at 00012C42. Access violation at address 00412C42 in module OTL.exe. Read of address 42ECFC00.

OTL log:
OTL logfile created on: 26.05.2013 15:39:46 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop
64bit- Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

5,96 Gb Total Physical Memory | 3,40 Gb Available Physical Memory | 57,00% Memory free
11,92 Gb Paging File | 9,36 Gb Available in Paging File | 78,50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455,45 Gb Total Space | 299,60 Gb Free Space | 65,78% Space Free | Partition Type: NTFS
Drive D: | 455,96 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: NTFS
Drive E: | 6,24 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: xxx-PC | User Name: xxx_2 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.05.20 14:12:28 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
PRC - [2012.12.24 05:33:29 | 000,144,520 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\ccSvcHst.exe
PRC - [2011.01.17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2011.01.17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
PRC - [2009.12.09 11:24:16 | 000,076,320 | ---- | M] () -- C:\OEM\USBDECTION\USBS3S4Detection.exe
PRC - [2009.09.30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2009.09.30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2009.09.10 15:42:46 | 000,305,448 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe
PRC - [2009.09.10 15:42:30 | 000,349,480 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
PRC - [2009.08.28 11:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
PRC - [2009.08.13 01:04:44 | 000,062,208 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
PRC - [2009.08.13 00:58:28 | 000,261,888 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
PRC - [2009.08.04 07:09:34 | 000,199,464 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
PRC - [2009.07.04 04:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Programme\Acer\Acer Updater\UpdaterService.exe
PRC - [2009.04.16 00:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe

========== Modules (No Company Name) ==========

MOD - [2012.05.30 08:51:08 | 000,699,280 | R--- | M] () -- C:\PROGRAM FILES (X86)\NORTON 360\ENGINE\20.3.1.22\wincfi39.dll
MOD - [2011.09.06 20:56:32 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
MOD - [2009.02.03 03:33:56 | 000,460,199 | ---- | M] () -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\sqlite3.dll

========== Services (SafeList) ==========

SRV:64bit: - [2009.10.19 15:17:42 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2013.05.15 21:09:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.04.29 12:46:20 | 004,233,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe -- (NOBU)
SRV - [2013.04.19 23:10:50 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013.02.28 18:45:16 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013.01.02 13:30:50 | 000,018,360 | ---- | M] (Overwolf Ltd) [On_Demand | Stopped] -- C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe -- (OverwolfUpdaterService)
SRV - [2012.12.24 05:33:29 | 000,144,520 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\ccSvcHst.exe -- (N360)
SRV - [2012.07.09 01:40:10 | 000,104,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.12.09 11:24:16 | 000,076,320 | ---- | M] () [Auto | Running] -- C:\OEM\USBDECTION\USBS3S4Detection.exe -- (USBS3S4Detection)
SRV - [2009.09.30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2009.09.30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009.09.10 15:42:46 | 000,305,448 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService)
SRV - [2009.08.28 11:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe -- (Greg_Service)
SRV - [2009.08.25 20:38:06 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009.08.13 01:04:44 | 000,062,208 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2009.08.06 15:17:46 | 000,118,672 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Programme\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV - [2009.07.21 02:42:38 | 000,061,976 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Programme\Microsoft SQL Server\100\Shared\sqladhlp.exe -- (MSSQLServerADHelper100)
SRV - [2009.07.04 04:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Programme\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009.03.30 04:02:56 | 057,617,752 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS)
SRV - [2009.03.30 04:01:06 | 000,427,880 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS)
SRV - [2008.07.10 05:31:10 | 000,157,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013.05.20 14:40:26 | 000,177,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2013.02.27 20:54:59 | 000,303,616 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2013.02.27 20:54:58 | 000,035,328 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2013.01.31 05:18:18 | 000,432,800 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnets.sys -- (SymNetS)
DRV:64bit: - [2013.01.31 05:18:06 | 001,139,800 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa64.sys -- (SymEFA)
DRV:64bit: - [2013.01.29 03:45:19 | 000,796,248 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2013.01.29 03:45:19 | 000,036,952 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2013.01.22 04:15:33 | 000,493,656 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds64.sys -- (SymDS)
DRV:64bit: - [2012.11.16 04:22:01 | 000,224,416 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ironx64.sys -- (SymIRON)
DRV:64bit: - [2012.11.16 04:18:04 | 000,168,096 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.sys -- (ccSet_N360)
DRV:64bit: - [2012.03.01 08:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011.03.11 08:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 08:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009.12.09 11:39:52 | 000,537,624 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009.11.18 12:30:56 | 000,123,408 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009.10.19 15:50:12 | 006,098,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009.09.23 11:11:04 | 000,283,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1k62x64.sys -- (e1kexpress)
DRV:64bit: - [2009.09.17 06:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009.08.06 15:17:34 | 000,013,784 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.07.14 03:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\svchost.exe -- (1394hub)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.06.02 13:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
DRV:64bit: - [2009.06.02 13:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
DRV:64bit: - [2009.06.02 13:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)
DRV:64bit: - [2009.05.06 02:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV:64bit: - [2009.05.06 02:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
DRV:64bit: - [2009.03.18 18:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
DRV - [2013.05.22 07:42:15 | 002,098,776 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130525.006\ex64.sys -- (NAVEX15)
DRV - [2013.05.22 07:42:11 | 000,126,040 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130525.006\eng64.sys -- (NAVENG)
DRV - [2013.05.19 17:36:07 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2013.05.19 17:36:07 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013.05.17 15:30:54 | 000,513,184 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130524.001\IDSviA64.sys -- (IDSVia64)
DRV - [2013.05.03 00:16:48 | 001,390,680 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130515.001\BHDrvx64.sys -- (BHDrvx64)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE411DE412
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{E24DBF2D-F9F4-4BFB-A0D3-7078A8357211}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=cb60a469-860c-4b30-b4d6-702aeacd7eb6&apn_sauid=B12575B5-01EE-4210-966E-7BE4A95F9DA4
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.11.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\IPSFFPlgn\ [2013.05.20 14:41:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\coFFPlgn\ [2013.05.26 15:07:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011.12.13 18:54:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.03.07 08:25:03 | 000,000,000 | ---D | M]

[2012.05.18 23:13:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\x_2\AppData\Roaming\mozilla\Extensions
[2013.04.27 19:17:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\x_2\AppData\Roaming\mozilla\Firefox\Profiles\cid2e4dx.default\extensions
[2013.04.27 19:17:47 | 000,000,000 | ---D | M] (Avira SearchFree Toolbar plus Web Protection) -- C:\Users\xxx_2\AppData\Roaming\mozilla\Firefox\Profiles\cid2e4dx.default\extensions\toolbar@ask.com
[2013.04.01 12:57:30 | 000,002,333 | ---- | M] () -- C:\Users\xxx_2\AppData\Roaming\mozilla\firefox\profiles\cid2e4dx.default\searchplugins\askcom.xml
[2013.01.31 18:04:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2011.12.13 18:54:07 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011.12.03 16:57:07 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.12.03 16:57:07 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011.12.03 16:57:07 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2011.12.03 16:57:07 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.12.03 16:57:07 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.12.03 16:57:07 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Live® Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - Extension: YouTube = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google-Suche = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Google Mail = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [ArcadeDeluxeAgent] C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Overwolf] C:\Program Files (x86)\Overwolf\Overwolf.exe (Overwolf)
O4 - HKLM..\RunOnce: [{69ec32be-d994-44de-9eae-6d86ced6f352}] C:\ProgramData\Package Cache\{69ec32be-d994-44de-9eae-6d86ced6f352}\wdexpress_full.exe (Microsoft Corporation)
O4 - Startup: C:\Users\xxx_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Psi.lnk = C:\Program Files (x86)\Psi\Psi.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F4DDD1D-DDD8-4C38-B859-61F5A62DB645}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20 - HKLM Winlogon: UserInit - (userinit.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.05.25 22:53:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2013.05.25 10:17:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2013.05.21 19:51:59 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\Documents\EVE
[2013.05.21 19:50:59 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Local\CCP
[2013.05.21 14:59:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2012
[2013.05.21 14:58:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Help Viewer
[2013.05.21 14:54:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 11.0
[2013.05.21 14:50:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Overwolf
[2013.05.20 14:56:36 | 000,432,800 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnets.sys
[2013.05.20 14:56:35 | 001,139,800 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa64.sys
[2013.05.20 14:56:35 | 000,023,448 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symelam.sys
[2013.05.20 14:56:34 | 000,796,248 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.sys
[2013.05.20 14:56:34 | 000,493,656 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds64.sys
[2013.05.20 14:56:34 | 000,036,952 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.sys
[2013.05.20 14:56:33 | 000,224,416 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ironx64.sys
[2013.05.20 14:56:33 | 000,168,096 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.sys
[2013.05.20 14:55:14 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64\1403010.016
[2013.05.20 14:40:26 | 000,177,312 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2013.05.20 14:40:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2013.05.20 14:40:26 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2013.05.20 14:38:21 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64
[2013.05.20 14:38:20 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360
[2013.05.20 14:38:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton 360
[2013.05.20 14:37:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller
[2013.05.16 18:03:44 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2013.04.29 21:06:52 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Roaming\Psi
[2013.04.29 21:06:52 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Local\Psi
[2013.04.29 21:06:39 | 000,000,000 | ---D | C] --
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Psi [2013.04.29 21:06:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Psi [2013.04.27 19:17:22 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Local\APN [2013.04.27 19:17:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira [2009.11.18 23:40:11 | 000,036,136 | ---- | C] (Oberon Media) -- C:\ProgramData\FullRemove.exe ========== Files - Modified Within 30 Days ========== [2013.05.26 15:19:18 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.05.26 15:16:56 | 000,000,000 | ---- | M] () -- C:\Users\xxx_2\defogger_reenable [2013.05.26 15:14:41 | 000,009,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.05.26 15:14:41 | 000,009,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.05.26 15:09:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.05.26 15:07:45 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.05.26 15:07:29 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl [2013.05.26 15:07:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.05.26 15:07:09 | 504,676,351 | -HS- | M] () -- C:\hiberfil.sys [2013.05.25 10:18:01 | 000,002,127 | ---- | M] () -- C:\Users\Public\Desktop\Norton Online Backup.lnk [2013.05.24 20:19:47 | 000,002,187 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk [2013.05.21 19:49:51 | 000,002,746 | ---- | M] () -- C:\Windows\wininit.ini [2013.05.21 14:54:12 | 001,776,168 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2013.05.21 14:54:12 | 000,764,084 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.05.21 14:54:12 | 000,719,162 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013.05.21 14:54:12 | 000,173,870 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat 
[2013.05.21 14:54:12 | 000,146,654 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.05.21 14:54:00 | 001,776,168 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.05.21 14:49:48 | 000,000,680 | RHS- | M] () -- C:\Users\xxx_2\ntuser.pol [2013.05.21 11:50:41 | 000,002,323 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk [2013.05.21 11:50:13 | 002,231,691 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\Cat.DB [2013.05.20 14:40:26 | 000,177,312 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS [2013.05.20 14:40:26 | 000,007,466 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT [2013.05.20 14:40:26 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF [2013.04.29 21:06:41 | 000,000,975 | ---- | M] () -- C:\Users\xxx_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Psi.lnk [2013.04.29 21:06:41 | 000,000,939 | ---- | M] () -- C:\Users\xxx_2\Desktop\Psi.lnk ========== Files Created - No Company Name ========== [2013.05.26 15:16:56 | 000,000,000 | ---- | C] () -- C:\Users\xxx_2\defogger_reenable [2013.05.21 11:49:20 | 002,231,691 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\Cat.DB [2013.05.20 14:58:21 | 000,014,818 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\VT20130115.021 [2013.05.20 14:56:35 | 000,009,670 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symelam64.cat [2013.05.20 14:56:35 | 000,007,601 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnet64.cat [2013.05.20 14:56:35 | 000,007,587 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa64.cat [2013.05.20 14:56:35 | 000,001,440 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnet.inf [2013.05.20 14:56:35 | 000,000,996 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symelam.inf [2013.05.20 14:56:34 | 000,007,589 | ---- | C] () -- 
C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.cat [2013.05.20 14:56:34 | 000,007,581 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds64.cat [2013.05.20 14:56:34 | 000,003,434 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa.inf [2013.05.20 14:56:34 | 000,002,852 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds.inf [2013.05.20 14:56:34 | 000,001,438 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.inf [2013.05.20 14:56:34 | 000,001,420 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.inf [2013.05.20 14:56:33 | 000,007,611 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.cat [2013.05.20 14:56:33 | 000,007,593 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\iron.cat [2013.05.20 14:56:33 | 000,007,585 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.cat [2013.05.20 14:56:33 | 000,000,853 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.inf [2013.05.20 14:56:33 | 000,000,767 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\iron.inf [2013.05.20 14:55:14 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\isolate.ini [2013.05.20 14:40:26 | 000,007,466 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT [2013.05.20 14:40:26 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF [2013.05.20 14:40:23 | 000,002,323 | ---- | C] () -- C:\Users\Public\Desktop\Norton 360.lnk [2013.05.17 20:28:59 | 000,000,975 | ---- | C] () -- C:\Users\xxx_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Psi.lnk [2013.04.29 21:06:41 | 000,000,939 | ---- | C] () -- C:\Users\xxx_2\Desktop\Psi.lnk [2013.01.16 21:20:07 | 000,000,858 | ---- | C] () -- C:\Windows\client.config.ini [2012.05.18 23:07:12 | 000,000,680 | RHS- | C] () -- C:\Users\xxx_2\ntuser.pol [2012.01.24 
21:41:38 | 001,776,168 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check 
========== [2012.09.23 20:28:00 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\EVEMon [2012.07.13 21:50:41 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\Notepad++ [2012.05.18 23:08:19 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\OEM [2012.05.18 23:13:12 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\Opera [2013.04.29 21:06:52 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\Psi ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:AB689DEA @Alternate Data Stream - 138 bytes -> C:\ProgramData\Temp:5D7E5A8F @Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:93DE1838 @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:E1F04E8D @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:444C53BA @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:0B9176C0 < End of report > Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:35 on 28/05/2013 (xxx_2)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-05-26 16:24:29
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.80.0 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\xxx~3\AppData\Local\Temp\awriaaow.sys

---- User code sections - GMER 2.1 ----

.text 0000000075675677 1 byte JMP 0000000100290048
.text C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1}
.text C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100280ca6
.text C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001002903d8
.text C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 000000010029012c
.text C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001002902f4
.text C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100280e6e
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 00000001007a091c
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 00000001007a0048
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001007a02ee
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001007a04b2
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001007a09fe
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 00000001007a0ae0
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010064004c
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [28, 89]
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 00000001007a012a
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 00000001007a0758
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 00000001007a0676
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001007a03d0
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 00000001007a0594
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 00000001007a083a
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 00000001007a020c
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 00000001007b0762
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 00000001007a0f52
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 00000001007b0210
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 00000001007b0048
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8b13a9d1}
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 00000001007a0ca6
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001007b03d8
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 00000001007b012c
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001007b02f4
.text C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 00000001007a0e6e
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2292] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000752a1465 2 bytes [2A, 75]
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2292] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000752a14bb 2 bytes [2A, 75]
.text ... * 2
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010010091c
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100100048
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001001002ee
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001001004b2
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001001009fe
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100100ae0
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88]
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010010012a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100100758
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100100676
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001001003d0
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100100594
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 000000010010083a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010010020c
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 000000010011059e
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100100f52
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 0000000100110210
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 0000000100110048
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8aa9a9d1}
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100100ca6
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001001103d8
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 000000010011012c
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001001102f4
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100100e6e
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010016091c
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100160048
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001001602ee
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001001604b2
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001001609fe
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100160ae0
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010003004c
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C7, 88]
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010016012a
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100160758
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100160676
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001001603d0
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100160594
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 000000010016083a
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010016020c
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 000000010017059e
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100160f52
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 0000000100170210
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 0000000100170048
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8aafa9d1}
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100160ca6
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001001703d8
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 000000010017012c
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001001702f4
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100160e6e
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010028091c
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100280048
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001002802ee
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001002804b2
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001002809fe
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100280ae0
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88]
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010028012a
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100280758
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100280676
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001002803d0
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100280594
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 000000010028083a
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010028020c
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 000000010029059e
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100280f52
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 0000000100290210
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 0000000100290048
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1}
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100280ca6
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001002903d8
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 000000010029012c
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001002902f4
.text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100280e6e
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 00000001002c091c
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 00000001002c0048
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001002c02ee
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001002c04b2
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001002c09fe
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 00000001002c0ae0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010026004c
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [EA, 88]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 00000001002c012a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 00000001002c0758
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 00000001002c0676
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001002c03d0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 00000001002c0594
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 00000001002c083a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 00000001002c020c
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 00000001002c0f52
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 00000001002d0210
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNSC:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001002702f4
.text C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[5476] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100160e6e
.text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010028091c
.text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100280048
.text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001002802ee
.text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001002804b2
.text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88] .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010028020c .text C:\Program 
Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1} .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100280e6e .text 
C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88] .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001002803d0 .text C:\Program Files 
(x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1} .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 
7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010010091c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100100048 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001001002ee .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001001004b2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001001009fe .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100100ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010010012a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100100758 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100100676 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001001003d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100100594 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 000000010010083a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010010020c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100100f52 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 0000000100190210 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 0000000100190048 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8ab1a9d1} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100100ca6 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001001903d8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 
bytes JMP 000000010019012c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001001902f4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100100e6e .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 0000000100190762 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000752a1465 2 bytes [2A, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752a14bb 2 bytes [2A, 75] .text ... * 2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 00000001000a091c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 00000001000a0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001000a02ee .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001000a04b2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001000a09fe .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 00000001000a0ae0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 00000001000a012a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 00000001000a0758 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 00000001000a0676 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001000a03d0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 00000001000a0594 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 00000001000a083a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 00000001000a020c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 00000001000b059e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 00000001000a0f52 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 00000001000b0210 .text C:\Program Files (x86)\OpenOffice.org 
3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 00000001000b0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8aa3a9d1} .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 00000001000a0ca6 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001000b03d8 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 00000001000b012c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001000b02f4 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 00000001000a0e6e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 00000001006d091c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 00000001006d0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001006d02ee .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001006d04b2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 
5 bytes JMP 00000001006d09fe .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 00000001006d0ae0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 00000001006a004c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [2E, 89] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 00000001006d012a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 00000001006d0758 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 00000001006d0676 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001006d03d0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 00000001006d0594 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773c1b74 5 bytes JMP 00000001006d083a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 00000001006d020c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 00000001006e059e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 
000000007567524f 7 bytes JMP 00000001006d0f52 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 00000001006e0210 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 00000001006e0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8b06a9d1} .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 00000001006d0ca6 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001006e03d8 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 00000001006e012c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001006e02f4 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 00000001006d0e6e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000752a1465 2 bytes [2A, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752a14bb 2 bytes [2A, 75] .text ... 
* 2 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773bfc40 5 bytes JMP 000000010039091c .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfda4 5 bytes JMP 0000000100390048 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773bfe38 5 bytes JMP 00000001003902ee .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773bff94 5 bytes JMP 00000001003904b2 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773bffc8 5 bytes JMP 00000001003909fe .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773bfff8 5 bytes JMP 0000000100390ae0 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000773c0014 2 bytes JMP 000000010002004c .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 00000000773c0017 2 bytes [C6, 88] .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773c072c 5 bytes JMP 000000010039012a .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000773c081c 5 bytes JMP 0000000100390758 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773c0834 5 bytes JMP 0000000100390676 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773c0d84 5 bytes JMP 00000001003903d0 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773c18b0 5 bytes JMP 0000000100390594 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 
00000000773c1b74 5 bytes JMP 000000010039083a .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773c1d00 5 bytes JMP 000000010039020c .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007567524f 7 bytes JMP 0000000100390f52 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756753d0 7 bytes JMP 00000001003a0210 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075675677 1 byte JMP 00000001003a0048 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075675679 5 bytes {JMP 0xffffffff8ad2a9d1} .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 0000000100390ca6 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075675a1d 7 bytes JMP 00000001003a03d8 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075675c9b 7 bytes JMP 00000001003a012c .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075675d87 7 bytes JMP 00000001003a02f4 .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075677240 7 bytes JMP 0000000100390e6e .text C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766015ea 7 bytes JMP 00000001003a04bc ---- EOF - GMER 2.1 ---- Vielen Dank im Vorraus |
01.06.2013, 18:57 | #2 | |
/// the machine /// TB-Ausbilder | System keeps hanging, recently switched antivirus program Hi,
Combofix should only be run if a team member has instructed you to do so! Please download Combofix from the following download mirror: Link 1. IMPORTANT - save Combofix to your desktop.
When Combofix is finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: if you get the following error message after the restart Quote: