Log Analysis and Evaluation: AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
11.01.2014, 20:55 | #1
AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds

Hello,

today I routinely checked my WIN7 (Ultimate 64-bit) PC with AVIRA Antivirus Suite 14.0.2.286 and was rather shocked when AV reported 4 findings. I always have AV and Malwarebytes active, and updates happen automatically, so I wonder how they could have gotten onto the computer at all. The computer is an accounting PC and is not "misused" for games or other stuff. Apart from very occasionally long boot times, I had not noticed any misbehaviour. Strangely, the AV log file (under "Reports") does not exist; AV asks whether it should be created anew, but it is then empty. !? From the AV "Events" I at least copied out the following:
Code:
Die Datei 'C:\Users\Ingrid\AppData\Local\Temp\tbaeVIMK.zip.part' enthielt einen Virus oder unerwünschtes Programm 'TR/Kazy.evrfa' [trojan].
Durchgeführte Aktion(en):
Der Fund wurde als verdächtig eingestuft.
Eine Sicherungskopie wurde unter dem Namen 5a81acfd.qua erstellt ( QUARANTÄNE ).
Die Datei wurde gelöscht.

Die Datei 'C:\Users\Ingrid\AppData\Local\Temp\tu88G_OE.zip.part' enthielt einen Virus oder unerwünschtes Programm 'TR/Rogue.AI.10301' [trojan].
Durchgeführte Aktion(en):
Eine Sicherungskopie wurde unter dem Namen 422f8377.qua erstellt ( QUARANTÄNE ).
Die Datei wurde gelöscht.

Die Datei 'C:\Users\Ingrid\AppData\Local\Temp\V0b33b28.zip.part' enthielt einen Virus oder unerwünschtes Programm 'BDS/Androm.lrds' [backdoor].
Durchgeführte Aktion(en):
Der Fund wurde als verdächtig eingestuft.
Eine Sicherungskopie wurde unter dem Namen 104ada5b.qua erstellt ( QUARANTÄNE ).
Die Datei wurde gelöscht.

What I noticed: when I wanted to download DEFOGGER from the linked page, I got the following message:
Code:
Beim Zugriff auf Daten der URL "hxxp://www.coolzipextractorapp.com/default/ga/si/?dl=1&ts=0&tschnl=FL_6&adnm=35962878982&i=s&grid=GreenL&lg=EN&cc=DE&clg=en&c=1&d=0&cid=_224685751&kw=zip%207%20download%20for%20windows%207&mt=&mn=filepony.de&ct=&nt=D&expr=&ap=none&dv=c&color=greenl&agid=_2660955346" wurde ein Virus oder unerwünschtes Programm 'ADWARE/InstallCore.Gen7' [adware] gefunden.
Durchgeführte Aktion: Der Zugriff auf die Datei wurde blockiert

On the second attempt it worked.

When, after the scans with the three tools you recommended and before I reconnected the LAN, I wanted to reactivate the AV real-time scanner, I got the message that CCUAC.EXE could not be accessed because of missing permissions. I then wanted to shut the PC down, which did not work; it hung. Only switching it off helped. On restarting I selected "Start Windows normally", whereupon the computer beeped about 15-20 times. After that WIN7 started. What was striking here was that Windows asked me for approval to start AV. I only mention this because I have never seen that with AV.

I would be really grateful if you could help me here, especially because I naturally want to know how "dangerous" the whole thing possibly still is. I will probably also mark the backups on the server as "contaminated" for now.

Many thanks in advance,
Jackomo

The logs were too big, hence as ZIPs.
11.01.2014, 23:39 | #2
/// TB-Ausbilder | AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds

Hi,

please do not attach the log files (that makes evaluating them massively harder for me); instead paste their content directly within code tags: [code]log file content[/code]. (Instructions) If there are too many characters, spread the logs over several posts. Thanks.
12.01.2014, 08:52 | #3
AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:40 on 11/01/2014 (Ingrid)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

FRST Logfile:
Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-01-2014 05 Ran by Ingrid (administrator) on INGRIDS-PC on 11-01-2014 19:45:38 Running from C:\Users\Ingrid\Downloads Windows 7 Ultimate Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (Apple Inc.) C:\Program Files (x86)\AirPrint\airprint.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Sanford, L.P.) C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe (Microsoft Corporation) C:\Windows\splwow64.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe () C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe () C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe (Haufe-Lexware GmbH & Co. 
KG) C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (deltra Business Software GmbH & Co. KG) C:\orgaMAX\orgamaxmobil_service.exe (PC Tools) C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe (Centered Systems) C:\Program Files (x86)\Second Copy 8\ScVssService64.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe () C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe (Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (Centered Systems) C:\Program Files (x86)\Second Copy 8\SecCopy.exe (Akamai Technologies, Inc.) C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe () C:\Program Files (x86)\HiSuite\HiSuite.exe () C:\Users\Ingrid\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (Akamai Technologies, Inc.) 
C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe (NEC Electronics Corporation) C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (TVG Telefon-und Verzeichnisverlag GmbH & Co. KG) C:\Program Files (x86)\TVG\DasTelefonbuch Deutschland\http_tfd.exe (Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe () C:\Program Files (x86)\TVG\DasTelefonbuch Deutschland\win32\officemanager\OMAlarm.exe (CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Lexware\Update Manager\LxUpdateManager.exe (Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe () C:\Users\Ingrid\AppData\Local\HiSuite\userdata\hwtools\hwtransport.exe (Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe (Dominik Reichl) C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe () C:\Users\Ingrid\Downloads\Defogger.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [9577680 2012-11-08] (COMODO) HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [170496 2011-11-12] (Sun Microsystems, Inc.) 
HKLM\...\Run: [Acronis Scheduler2 Service] - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [519408 2013-07-18] (Acronis) HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1064224 2013-11-08] (NVIDIA Corporation) HKLM-x32\...\Run: [KeePass 2 PreLoad] - C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2065408 2013-11-03] (Dominik Reichl) HKLM-x32\...\Run: [] - [x] HKLM-x32\...\Run: [Display] - C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe [284024 2012-01-24] (Schneider Electric) HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [106496 2010-01-22] (NEC Electronics Corporation) HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [684600 2013-12-12] (Avira Operations GmbH & Co. KG) HKLM-x32\...\Run: [TrueImageMonitor.exe] - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7843992 2013-10-24] (Acronis) HKLM-x32\...\Run: [AcronisTibMounterMonitor] - C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1104616 2013-10-10] (Acronis International GmbH) HKLM-x32\...\Run: [CanonQuickMenu] - C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1279120 2012-09-27] (CANON INC.) HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] - C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452272 2012-08-31] (CANON INC.) HKLM-x32\...\Run: [LexwareInfoService] - C:\Program Files (x86)\Lexware\Update Manager\LxUpdateManager.exe [208424 2013-10-17] (Haufe-Lexware GmbH & Co. KG) HKCU\...\Run: [Second Copy] - C:\Program Files (x86)\Second Copy 8\SecCopy.exe [2999592 2011-06-01] (Centered Systems) HKCU\...\Run: [Akamai NetSession Interface] - C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.) 
HKCU\...\Run: [Mobile Partner] - C:\Program Files (x86)\HiSuite\HiSuite.exe [583488 2013-07-11] () HKCU\...\Run: [AmazonMP3DownloaderHelper] - C:\Users\Ingrid\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe [400704 2013-05-22] () HKCU\...\Run: [Office Timeline Performance Helper] - C:\Program Files (x86)\Office Timeline\2013\OfficeTimelineStartup.exe [16640 2013-11-06] (OfficeTimeline LLC) AppInit_DLLs: C:\Windows\system32\guard64.dll [390392 2012-11-08] (COMODO) AppInit_DLLs-x32: C:\Windows\SysWOW64\guard32.dll [301264 2012-11-08] (COMODO) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dhl-geschaeftskundenportal.de/gkpl/appmanager/gkpl/customerDesktop;GKPSESSIONID=sQG1TpTZ6G57pv8yyhMyXMvp0YzKrLzfWR21JDrgTpPvycn6nKxy!1755012790!-1371229351?_nfpb=true&_pageLabel=P40012801239727818739&timedOut=true&_nfls=false HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x1011512EF041CC01 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de SearchScopes: HKCU - DefaultScope {0FE81C87-F60E-4F46-8302-A791547E7620} URL = hxxp://www.google.de/search?q={searchTerms} SearchScopes: HKCU - {0FE81C87-F60E-4F46-8302-A791547E7620} URL = hxxp://www.google.de/search?q={searchTerms} BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitBHO64.dll (TechSmith Corporation) BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) 
BHO-x32: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation) BHO-x32: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.) BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation) Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) 
Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File DPF: HKLM {3234EB1E-733E-4E6A-A8AB-EBB6287E5A7E} hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel64_4.5.5.0.cab DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 Tcpip\..\Interfaces\{63CD12CA-F687-4486-A109-E77EF4E92A98}: [NameServer]8.26.56.26,156.154.70.22 FireFox: ======== FF ProfilePath: C:\Users\Ingrid\AppData\Roaming\Mozilla\Firefox\Profiles\ah954slz.default-1371993247705 FF DefaultSearchEngine: Google FF SelectedSearchEngine: Google FF Homepage: hxxp://home.1und1.de/|hxxp://lm-1.de/Lambdamessung/LM-2-Lambdacontroller-Datenlogger-mit-OBD-II-Einkanal--14.html|hxxp://mediathek-audio.br.de/index.html?playeronly=true&channelId=b3 FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll () FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation) FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll () FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin-x32: @canon.com/EPPEX - C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll (CANON INC.) FF Plugin-x32: @dymo.com/DymoLabelFramework - C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll ( Sanford L.P.) 
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Users\Ingrid\AppData\Local\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10181.dll (Amazon.com, Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.) 
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np_hoem_x.dll () FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml FF Extension: Add to Amazon Wish List Button - C:\Users\Ingrid\AppData\Roaming\Mozilla\Firefox\Profiles\ah954slz.default-1371993247705\Extensions\amznUWL2@amazon.com.xpi [2013-11-28] ==================== Services (Whitelisted) ================= R2 AirPrint; C:\Program Files (x86)\AirPrint\airprint.exe [234784 2012-04-29] (Apple Inc.) R2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe [896056 2013-12-12] (Avira Operations GmbH & Co. KG) R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440376 2013-12-12] (Avira Operations GmbH & Co. KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-12] (Avira Operations GmbH & Co. KG) R2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [1011768 2013-12-12] (Avira Operations GmbH & Co. KG) R2 APC Data Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [21880 2012-01-24] (Schneider Electric) R2 APC UPS Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe [705912 2012-01-24] (Schneider Electric) R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2828408 2012-11-08] (COMODO) R2 DymoPnpService; C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [32336 2011-01-28] (Sanford, L.P.) 
R2 HiSuiteOuc64.exe; C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe [137024 2013-07-11] () R2 HuaweiHiSuiteService64.exe; C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe [197632 2013-05-02] () R2 Lexware_Update_Service; C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe [49664 2013-10-08] (Haufe-Lexware GmbH & Co. KG) R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation) R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation) R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15125280 2013-11-08] (NVIDIA Corporation) R2 orgaMAXMobileService; C:\orgaMAX\orgamaxmobil_service.exe [4125864 2012-03-27] (deltra Business Software GmbH & Co. KG) R2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [794272 2012-08-21] (PC Tools) R2 ScVssService64; C:\Program Files (x86)\Second Copy 8\ScVssService64.exe [74536 2011-06-01] (Centered Systems) R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [248704 2013-04-30] () S3 SymSnapService; "C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe" [x] ==================== Drivers (Whitelisted) ==================== S3 applebmt; C:\Windows\System32\DRIVERS\applebmt.sys [51712 2009-10-15] (Apple Inc.) S3 auusb; C:\Windows\System32\DRIVERS\auusb.sys [205232 2012-06-21] (Auerswald GmbH & Co.KG ) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-12] (Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-12] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-10-01] (Avira Operations GmbH & Co. 
KG) R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [584056 2012-11-08] (COMODO) R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [38144 2012-11-08] (COMODO) S3 GenericMount; C:\Windows\System32\DRIVERS\GenericMount.sys [66608 2010-02-12] (Symantec Corporation) S2 IMSLM2; C:\Windows\System32\Drivers\imslm2.sys [23320 2009-04-21] (BlueLite LLC) R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [94288 2012-11-08] (COMODO) R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation) R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-09-28] (NVIDIA Corporation) S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited) R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2013-04-19] (Acronis International GmbH) R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [198432 2013-12-14] (Acronis International GmbH) R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [117024 2013-04-19] (Acronis International GmbH) U5 hw_usbdev; C:\Windows\System32\Drivers\hw_usbdev.sys [116864 2011-10-24] (Huawei Technologies Co., Ltd.) 
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x] S3 tsusbhub; system32\drivers\tsusbhub.sys [x] U2 V2iMount; S3 VGPU; System32\drivers\rdvgkmd.sys [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-01-11 19:45 - 2014-01-11 19:46 - 00019393 _____ C:\Users\Ingrid\Downloads\FRST.txt 2014-01-11 19:45 - 2014-01-11 19:45 - 00000000 ____D C:\FRST 2014-01-11 19:44 - 2014-01-11 19:44 - 02076672 _____ (Farbar) C:\Users\Ingrid\Downloads\FRST64.exe 2014-01-11 19:40 - 2014-01-11 19:40 - 00000246 _____ C:\Users\Ingrid\Downloads\defogger_enable.log 2014-01-11 19:40 - 2014-01-11 19:40 - 00000000 _____ C:\Users\Ingrid\defogger_reenable 2014-01-11 19:39 - 2014-01-11 19:40 - 00000474 _____ C:\Users\Ingrid\Downloads\defogger_disable.log 2014-01-11 19:38 - 2014-01-11 19:38 - 00050477 _____ C:\Users\Ingrid\Downloads\Defogger.exe 2014-01-08 11:15 - 2014-01-08 11:15 - 00186770 _____ C:\Users\Ingrid\Downloads\2013_01_Rechnung_1390451251_sign.zip 2014-01-08 11:14 - 2014-01-08 11:14 - 00556867 _____ C:\Users\Ingrid\Downloads\archive08012014_111353.zip 2013-12-26 19:34 - 2013-12-26 19:34 - 00000000 ____D C:\Windows\pss 2013-12-26 16:51 - 2013-12-26 16:51 - 00001142 _____ C:\Users\Ingrid\Desktop\Mozilla Firefox.lnk 2013-12-25 13:19 - 2013-12-25 13:19 - 107906448 _____ (deltra Business Software GmbH & Co KG ) C:\Users\Ingrid\Downloads\orgaMAXSetup.exe 2013-12-25 12:56 - 2013-12-25 12:56 - 00014386 _____ C:\Users\Ingrid\Downloads\Private-Nachrichten-khb-25.12.2013(1).csv 2013-12-25 12:54 - 2013-12-25 12:54 - 00055606 _____ C:\Users\Ingrid\Downloads\Private-Nachrichten-khb-25.12.2013.csv 2013-12-25 12:43 - 2013-12-25 12:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2013-12-19 11:27 - 2013-12-19 11:27 - 00003584 _____ C:\Users\Ingrid\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2013-12-15 19:00 - 2014-01-11 19:31 - 00058746 _____ C:\Windows\SysWOW64\AppLog.log 2013-12-15 12:53 - 
2013-12-15 12:53 - 00003079 _____ C:\Users\Ingrid\Desktop\Tune Sweeper.lnk 2013-12-15 12:53 - 2013-12-15 12:53 - 00000000 ____D C:\Users\Ingrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wide Angle Software 2013-12-15 12:53 - 2013-12-15 12:53 - 00000000 ____D C:\Program Files (x86)\Wide Angle Software 2013-12-15 12:49 - 2014-01-11 19:31 - 00000270 _____ C:\Windows\Tasks\RMSchedule.job 2013-12-15 12:49 - 2014-01-10 16:05 - 00000268 _____ C:\Windows\Tasks\RMAutoUpdate.job 2013-12-15 12:49 - 2013-12-15 12:49 - 00002848 _____ C:\Windows\System32\Tasks\RMSchedule 2013-12-15 12:49 - 2013-12-15 12:49 - 00002504 _____ C:\Windows\System32\Tasks\RMAutoUpdate 2013-12-14 13:11 - 2013-12-14 13:11 - 00367200 _____ (Acronis) C:\Windows\system32\Drivers\afcdp.sys 2013-12-14 13:11 - 2013-12-14 13:11 - 00198432 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tib_mounter.sys 2013-12-14 13:11 - 2013-12-14 13:11 - 00000000 ____D C:\Users\Ingrid\AppData\Roaming\11A73CA3-2688-4BAB-865C-287D8AFCE926 2013-12-14 13:10 - 2013-12-14 13:10 - 00001218 _____ C:\Users\Public\Desktop\Acronis True Image 2014.lnk 2013-12-12 08:47 - 2013-12-12 08:47 - 00001902 _____ C:\Users\Public\Desktop\LogWorks 309.lnk 2013-12-12 08:46 - 2013-12-12 08:46 - 00002749 _____ C:\Users\Ingrid\Desktop\LM Programmer v3.33.lnk ==================== One Month Modified Files and Folders ======= 2014-01-11 19:46 - 2014-01-11 19:45 - 00019393 _____ C:\Users\Ingrid\Downloads\FRST.txt 2014-01-11 19:45 - 2014-01-11 19:45 - 00000000 ____D C:\FRST 2014-01-11 19:44 - 2014-01-11 19:44 - 02076672 _____ (Farbar) C:\Users\Ingrid\Downloads\FRST64.exe 2014-01-11 19:40 - 2014-01-11 19:40 - 00000246 _____ C:\Users\Ingrid\Downloads\defogger_enable.log 2014-01-11 19:40 - 2014-01-11 19:40 - 00000000 _____ C:\Users\Ingrid\defogger_reenable 2014-01-11 19:40 - 2014-01-11 19:39 - 00000474 _____ C:\Users\Ingrid\Downloads\defogger_disable.log 2014-01-11 19:40 - 2011-07-05 16:10 - 00000000 ____D C:\Users\Ingrid 2014-01-11 
19:38 - 2014-01-11 19:38 - 00050477 _____ C:\Users\Ingrid\Downloads\Defogger.exe 2014-01-11 19:31 - 2013-12-15 19:00 - 00058746 _____ C:\Windows\SysWOW64\AppLog.log 2014-01-11 19:31 - 2013-12-15 12:49 - 00000270 _____ C:\Windows\Tasks\RMSchedule.job 2014-01-11 19:31 - 2013-06-22 19:45 - 00000000 ____D C:\Users\Ingrid\Documents\MailStore Home 2014-01-11 19:31 - 2013-06-22 19:45 - 00000000 ____D C:\ProgramData\firebird 2014-01-11 18:59 - 2012-12-20 14:22 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-01-11 18:52 - 2011-07-05 16:03 - 01082628 _____ C:\Windows\WindowsUpdate.log 2014-01-10 18:11 - 2011-11-12 12:11 - 00000000 ____D C:\Users\Ingrid\Documents\Buchhalter2012 2014-01-10 18:11 - 2011-07-09 14:16 - 00000000 ____D C:\ProgramData\Lexware 2014-01-10 16:19 - 2011-07-09 11:11 - 00000000 ____D C:\Users\Ingrid\Desktop\x 2014-01-10 16:19 - 2011-07-05 16:28 - 00000000 ____D C:\orgaMAX 2014-01-10 16:12 - 2009-07-14 05:45 - 00019952 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-01-10 16:12 - 2009-07-14 05:45 - 00019952 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-01-10 16:06 - 2013-06-23 13:19 - 00000000 ____D C:\Users\Ingrid\Documents\Outlook-Dateien 2014-01-10 16:05 - 2013-12-15 12:49 - 00000268 _____ C:\Windows\Tasks\RMAutoUpdate.job 2014-01-10 16:04 - 2012-01-15 11:38 - 00000000 ____D C:\Program Files (x86)\Registry Mechanic 2014-01-10 16:04 - 2009-07-14 05:51 - 00210395 _____ C:\Windows\setupact.log 2014-01-10 16:03 - 2011-07-09 13:02 - 00000000 ____D C:\ProgramData\NVIDIA 2014-01-10 16:03 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2014-01-10 16:01 - 2011-07-09 22:28 - 00000000 ____D C:\Users\Ingrid\AppData\Roaming\KeePass 2014-01-10 12:48 - 2012-12-20 09:31 - 00000000 ____D C:\Users\Ingrid\Documents\Buchhalter2013 2014-01-10 11:45 - 2011-07-09 11:19 - 00000000 ____D C:\Users\Ingrid\Documents\I 
Bieser Handel mit Kfz Sonderteilen 2014-01-10 08:04 - 2011-07-09 16:31 - 00000000 ____D C:\Users\Ingrid\Documents\Quicken 2014-01-08 11:15 - 2014-01-08 11:15 - 00186770 _____ C:\Users\Ingrid\Downloads\2013_01_Rechnung_1390451251_sign.zip 2014-01-08 11:14 - 2014-01-08 11:14 - 00556867 _____ C:\Users\Ingrid\Downloads\archive08012014_111353.zip 2014-01-07 13:28 - 2013-10-22 20:06 - 00000000 ____D C:\Users\Ingrid\Documents\Scans 2014-01-07 12:14 - 2011-07-09 08:58 - 00456016 _____ C:\Windows\PFRO.log 2014-01-07 12:06 - 2011-07-05 17:22 - 00000000 ____D C:\ProgramData\Microsoft Help 2014-01-07 12:06 - 2009-07-14 03:34 - 00000567 _____ C:\Windows\win.ini 2014-01-07 11:16 - 2011-07-09 16:34 - 00000000 ____D C:\Users\Ingrid\Documents\Quicken Archiv 2014-01-03 12:20 - 2011-07-09 11:23 - 00000000 ____D C:\Users\Ingrid\Documents\orgaMAX-Backup 2014-01-03 09:58 - 2009-07-14 06:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD 2013-12-26 19:40 - 2012-07-15 10:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2013-12-26 19:34 - 2013-12-26 19:34 - 00000000 ____D C:\Windows\pss 2013-12-26 19:34 - 2011-07-05 16:10 - 00000000 ___RD C:\Users\Ingrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2013-12-26 16:51 - 2013-12-26 16:51 - 00001142 _____ C:\Users\Ingrid\Desktop\Mozilla Firefox.lnk 2013-12-25 13:19 - 2013-12-25 13:19 - 107906448 _____ (deltra Business Software GmbH & Co KG ) C:\Users\Ingrid\Downloads\orgaMAXSetup.exe 2013-12-25 12:56 - 2013-12-25 12:56 - 00014386 _____ C:\Users\Ingrid\Downloads\Private-Nachrichten-khb-25.12.2013(1).csv 2013-12-25 12:54 - 2013-12-25 12:54 - 00055606 _____ C:\Users\Ingrid\Downloads\Private-Nachrichten-khb-25.12.2013.csv 2013-12-25 12:43 - 2013-12-25 12:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2013-12-19 11:27 - 2013-12-19 11:27 - 00003584 _____ C:\Users\Ingrid\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2013-12-19 10:38 - 2013-11-24 13:31 - 00002771 _____ 
C:\Users\Public\Desktop\Lexware buchhalter.lnk 2013-12-17 11:56 - 2011-07-06 01:58 - 00700396 _____ C:\Windows\system32\perfh007.dat 2013-12-17 11:56 - 2011-07-06 01:58 - 00149192 _____ C:\Windows\system32\perfc007.dat 2013-12-17 11:56 - 2009-07-14 06:13 - 01622172 _____ C:\Windows\system32\PerfStringBackup.INI 2013-12-15 19:05 - 2013-09-27 17:42 - 00000000 ____D C:\Program Files (x86)\IrfanView 2013-12-15 19:05 - 2012-01-15 11:42 - 00000000 ____D C:\Users\Ingrid\AppData\Roaming\Registry Mechanic 2013-12-15 12:54 - 2013-11-28 18:58 - 00000000 ____D C:\Users\Ingrid\AppData\Local\Wide Angle Software 2013-12-15 12:53 - 2013-12-15 12:53 - 00003079 _____ C:\Users\Ingrid\Desktop\Tune Sweeper.lnk 2013-12-15 12:53 - 2013-12-15 12:53 - 00000000 ____D C:\Users\Ingrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wide Angle Software 2013-12-15 12:53 - 2013-12-15 12:53 - 00000000 ____D C:\Program Files (x86)\Wide Angle Software 2013-12-15 12:52 - 2011-07-09 11:27 - 00000000 ____D C:\Users\Ingrid\Documents\Yukon 2013-12-15 12:49 - 2013-12-15 12:49 - 00002848 _____ C:\Windows\System32\Tasks\RMSchedule 2013-12-15 12:49 - 2013-12-15 12:49 - 00002504 _____ C:\Windows\System32\Tasks\RMAutoUpdate 2013-12-15 00:42 - 2013-09-09 11:01 - 00000000 ____D C:\Windows\system32\MRT 2013-12-15 00:40 - 2011-07-09 09:52 - 90708896 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2013-12-14 13:12 - 2012-12-01 10:32 - 00000000 ____D C:\ProgramData\Acronis 2013-12-14 13:11 - 2013-12-14 13:11 - 00367200 _____ (Acronis) C:\Windows\system32\Drivers\afcdp.sys 2013-12-14 13:11 - 2013-12-14 13:11 - 00198432 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tib_mounter.sys 2013-12-14 13:11 - 2013-12-14 13:11 - 00000000 ____D C:\Users\Ingrid\AppData\Roaming\11A73CA3-2688-4BAB-865C-287D8AFCE926 2013-12-14 13:11 - 2012-12-01 10:32 - 01464096 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tdrpman.sys 2013-12-14 13:11 - 2012-12-01 10:32 - 00269600 _____ (Acronis 
International GmbH) C:\Windows\system32\Drivers\snapman.sys 2013-12-14 13:11 - 2012-12-01 10:32 - 00116000 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\fltsrv.sys 2013-12-14 13:10 - 2013-12-14 13:10 - 00001218 _____ C:\Users\Public\Desktop\Acronis True Image 2014.lnk 2013-12-12 12:14 - 2013-05-02 10:51 - 00084720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys 2013-12-12 12:14 - 2013-04-05 07:31 - 00131576 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys 2013-12-12 12:14 - 2013-04-05 07:31 - 00108440 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys 2013-12-12 08:47 - 2013-12-12 08:47 - 00001902 _____ C:\Users\Public\Desktop\LogWorks 309.lnk 2013-12-12 08:47 - 2011-07-09 15:36 - 00071684 _____ C:\Windows\DPINST.LOG 2013-12-12 08:46 - 2013-12-12 08:46 - 00002749 _____ C:\Users\Ingrid\Desktop\LM Programmer v3.33.lnk 2013-12-12 08:46 - 2012-02-03 11:15 - 00000000 ____D C:\Program Files (x86)\LogWorks3 2013-12-12 08:40 - 2012-07-05 19:50 - 00000000 ____D C:\Users\Ingrid\AppData\Local\Downloaded Installations Files to move or delete: ==================== C:\Users\Ingrid\en_res.dll C:\Users\Ingrid\es_res.dll C:\Users\Ingrid\fr_res.dll C:\Users\Ingrid\grm_res.dll C:\Users\Ingrid\it_res.dll C:\Users\Ingrid\jp_res.dll C:\Users\Ingrid\mfc80u.dll C:\Users\Ingrid\msvcr80.dll C:\Users\Ingrid\PCPE Setup.exe C:\Users\Ingrid\pt_res.dll C:\Users\Ingrid\ResourceReader.dll C:\Users\Ingrid\ru_res.dll C:\Users\Ingrid\zh_res.dll Some content of TEMP: ==================== C:\Users\Ingrid\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe C:\Users\Ingrid\AppData\Local\Temp\aiw53776009.exe C:\Users\Ingrid\AppData\Local\Temp\AskSLib.dll C:\Users\Ingrid\AppData\Local\Temp\avgnt.exe C:\Users\Ingrid\AppData\Local\Temp\Install.exe C:\Users\Ingrid\AppData\Local\Temp\install_flashplayer11x32au_mssd_aih.exe C:\Users\Ingrid\AppData\Local\Temp\JiveXViewerStart1386082137.exe 
C:\Users\Ingrid\AppData\Local\Temp\MSETUP4.EXE C:\Users\Ingrid\AppData\Local\Temp\nvSCPAPI.dll C:\Users\Ingrid\AppData\Local\Temp\nvSCPAPI64.dll C:\Users\Ingrid\AppData\Local\Temp\nvStInst.exe C:\Users\Ingrid\AppData\Local\Temp\wusetup.exE C:\Users\khb\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-01-09 12:51 ==================== End Of Log ============================ Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-01-2014 05
Ran by Ingrid at 2014-01-11 19:47:27
Running from C:\Users\Ingrid\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Avira Desktop (Disabled - Up to date) {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AS: Avira Desktop (Disabled - Up to date) {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: COMODO Defense+ (Enabled - Up to date) {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall (Enabled) {7DB03214-694B-060B-1600-BD4715C36DBB}

==================== Installed Programs ======================

Acronis True Image 2014 (x32 Version: 17.0.6614 - Acronis) Hidden
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader X (10.1.8) - Deutsch (x32 Version: 10.1.8 - Adobe Systems Incorporated)
Akamai NetSession Interface (HKCU Version: - Akamai Technologies, Inc)
ALL-INKL WebDisk Version 0.1.6 (Version: 0.1.6 - ALL-INKL.COM)
Amazon MP3-Downloader 1.0.17 (x32 Version: 1.0.17 - Amazon Services LLC)
Amazon MP3-Downloader 1.0.18 (HKCU Version: 1.0.18 - Amazon Services LLC)
Apple Application Support (x32 Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (x32 Version: 2.1.3.127 - Apple Inc.)
AT&T Connect Participant Application v9.3.10 (x32 Version: 9.3.10 - AT&T Inc.)
Auerswald COMfortel Set 2.8.0 (x32 Version: 2.8.0 - Auerswald GmbH & Co.KG) Auerswald COMlist 2.5.2 (x32 Version: 2.5.2 - Auerswald GmbH & Co.KG) Auerswald COMset 2.7.2 (x32 Version: 2.7.2 - Auerswald GmbH & Co.KG) Auerswald Uni-TAPI driver (Version: - Auerswald GmbH & Co.KG) Avira Antivirus Premium (x32 Version: 14.0.2.286 - Avira) Bonjour (Version: 3.0.0.10 - Apple Inc.) Canon Easy-PhotoPrint EX (x32 Version: - ) Canon Easy-WebPrint EX (x32 Version: 1.3.5.0 - Canon Inc.) Canon IJ Network Scanner Selector EX (x32 Version: - Canon Inc.) Canon IJ Network Tool (x32 Version: 3.2.0 - Canon Inc.) Canon IJ Scan Utility (x32 Version: - Canon Inc.) Canon Inkjet Printer Driver Add-On Module (Version: - ) Canon Kurzwahlprogramm (x32 Version: 1.3.0 - Canon Inc.) Canon MP Navigator 1.0 (x32 Version: - ) Canon MP780 (Version: - ) Canon MX920 series Benutzerregistrierung (x32 Version: - *Canon Inc.) Canon MX920 series MP Drivers (Version: 1.00 - Canon Inc.) Canon MX920 series On-screen Manual (x32 Version: 7.6.0 - Canon Inc.) Canon My Image Garden (x32 Version: 1.1.0 - Canon Inc.) Canon My Image Garden Design Files (x32 Version: 1.0.1 - Canon Inc.) Canon My Printer (x32 Version: 3.1.0 - Canon Inc.) Canon Quick Menu (x32 Version: 2.1.0 - Canon Inc.) Canon ScanGear Starter (x32 Version: - ) CDBurnerXP (x32 Version: 4.5.2.4291 - CDBurnerXP) CD-LabelPrint (x32 Version: - ) COMODO Internet Security (Version: 5.5.64714.1383 - COMODO Security Solutions Inc.) DasTelefonbuch Deutschland (x32 Version: - TVG Telefon- und Verzeichnisverlag GmbH & Co. KG) DDBAC (x32 Version: 4.3.64 - DataDesign) Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32 Version: - Microsoft) Directory Compare (x32 Version: 3.4.0.0 - Juan M. Aguirregabiria) DYMO Label v.8 (x32 Version: 8.3.0.1242 - Sanford, L.P.) DYMO LabelWriter Drivers (Version: 8.3.0.443 - Sanford L.P.) 
EVEREST Home Edition v2.20 (x32 Version: 2.20 - Lavalys Inc) GeForce Experience NvStream Client Components (Version: 1.6.28 - NVIDIA Corporation) Hidden Gx-Digital (x32 Version: 1.06ib - MTIHP) HD Tune 2.55 (x32 Version: - EFD Software) HiSuite (x32 Version: 32.610.20.00.06 - Huawei Technologies Co.,Ltd) iCloud (Version: 2.1.2.8 - Apple Inc.) IrfanView (remove only) (x32 Version: 4.36 - Irfan Skiljan) iTunes (Version: 11.1.3.8 - Apple Inc.) Java 7 Update 17 (x32 Version: 7.0.170 - Oracle) Java Auto Updater (x32 Version: 2.1.9.0 - Sun Microsystems, Inc.) Hidden Java(TM) 6 Update 13 (64-bit) (Version: 6.0.130 - Sun Microsystems, Inc.) Java(TM) 6 Update 2 (x32 Version: 1.6.0.20 - Sun Microsystems, Inc.) Java(TM) 6 Update 26 (x32 Version: 6.0.260 - Oracle) JRE 1.6.1 (x32 Version: 1.6.1 - Auerswald GmbH & Co.KG) KeePass Password Safe 2.24 (x32 Version: 2.24 - Dominik Reichl) Lexware buchhalter 2014 (x32 Version: 19.0.0.91 - Haufe-Lexware GmbH & Co.KG) Lexware buchhalter 2014 (x32 Version: 19.01.00.0140 - Haufe-Lexware GmbH & Co.KG) Hidden Lexware Elster (x32 Version: 13.14.00.0008 - Haufe-Lexware GmbH & Co.KG) Hidden Lexware Info Service (x32 Version: 4.01.00.0077 - Haufe-Lexware GmbH & Co.KG) Hidden Lexware Installations Dienst (x32 Version: 3.01.00.0011 - Haufe-Lexware GmbH & Co.KG) Hidden Lexware online banking (x32 Version: 21.00.00.0039 - Haufe-Lexware GmbH & Co.KG) LogWorks3 (x32 Version: 3.07 - Innovate! 
Technologies) LogWorks3 (x32 Version: 3.09 - Innovate Motorsports) MailStore Home 8.1.0.9075 (x32 Version: 8.1.0.9075 - MailStore Software GmbH) Malwarebytes Anti-Malware Version 1.75.0.1300 (x32 Version: 1.75.0.1300 - Malwarebytes Corporation) marvell 91xx driver (x32 Version: 1.2.0.1016 - Marvell) Marvell Miniport Driver (x32 Version: 11.45.4.3 - Marvell) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Extended DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Extended DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft Office Access MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Excel MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Home and Business 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office OneNote MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Outlook MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office PowerPoint MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (French) 2010 (x32 Version: 
14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (Italian) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Proofing (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Publisher MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Shared 64-bit MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Shared MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Office Word MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation) Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (x32 Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.40820 - Microsoft Corporation) Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.40825 - Microsoft Corporation) Hidden Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU (Version: 
10.0.40820 - Microsoft Corporation) Hidden Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (Version: 10.0.40820 - Microsoft Corporation) Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0 - Microsoft Corp.) Mozilla Firefox 26.0 (x86 de) (x32 Version: 26.0 - Mozilla) Mozilla Maintenance Service (x32 Version: 26.0 - Mozilla) Mozilla Thunderbird 24.2.0 (x86 de) (x32 Version: 24.2.0 - Mozilla) NEC Electronics USB 3.0 Host Controller Driver (x32 Version: 1.0.19.0 - NEC Electronics Corporation) NEC Electronics USB 3.0 Host Controller Driver (x32 Version: 1.0.19.0 - NEC Electronics Corporation) Hidden NVIDIA 3D Vision Controller-Treiber 331.58 (Version: 331.58 - NVIDIA Corporation) NVIDIA 3D Vision Treiber 331.58 (Version: 331.58 - NVIDIA Corporation) NVIDIA Display Control Panel (Version: 6.14.12.5957 - NVIDIA Corporation) NVIDIA GeForce Experience 1.7.1 (Version: 1.7.1 - NVIDIA Corporation) NVIDIA Grafiktreiber 331.58 (Version: 331.58 - NVIDIA Corporation) NVIDIA HD-Audiotreiber 1.3.26.4 (Version: 1.3.26.4 - NVIDIA Corporation) NVIDIA Install Application (Version: 2.1002.140.952 - NVIDIA Corporation) Hidden NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden NVIDIA PhysX (x32 Version: 9.13.0725 - NVIDIA Corporation) Hidden NVIDIA PhysX-Systemsoftware 9.13.0725 (Version: 9.13.0725 - NVIDIA Corporation) NVIDIA ShadowPlay 9.3.21 (Version: 9.3.21 - NVIDIA Corporation) Hidden NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.13.3158 - NVIDIA Corporation) Hidden NVIDIA Systemsteuerung 331.58 (Version: 331.58 - NVIDIA Corporation) Hidden NVIDIA Update 9.3.21 (Version: 9.3.21 - NVIDIA Corporation) Hidden NVIDIA Update Components (Version: 9.3.21 - NVIDIA Corporation) Hidden NVIDIA Virtual Audio 1.2.9 (Version: 1.2.9 - NVIDIA Corporation) Office Timeline 2013 (x32 Version: 2.1.11 - Office Timeline) orgaMAX Business Software (x32 Version: 14.0 - deltra Business Software) PC Tools Registry Mechanic 11.1 (x32 Version: 11.1 - PC 
Tools) PowerChute Personal Edition 3.0.2 (x32 Version: 3.0.2 - Schneider Electric) Quicken 2009 - ServicePack 3 (x32 Version: 16.08.1028 - Lexware GmbH & Co KG) Quicken 2009 (x32 Version: 16.00.00.0182 - Lexware) Quicken 2009 (x32 Version: 16.00.00.0182 - Lexware) Hidden Quicken Import Export Server 2009 (x32 Version: 16.0.1.1 - Lexware GmbH & Co KG) QuickTime (x32 Version: 7.73.80.64 - Apple Inc.) RENESIS® Player Browser Plugins (x32 Version: 1.1.1 - examotion® GmbH) SEClientOCXSetup (x32 Version: - ) Second Copy 8 (x32 Version: 8.0.4.1 - Centered Systems) Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version: - Microsoft) Hidden Servicepack Datumsaktualisierung (x32 Version: 1.00.00.0005 - Haufe-Lexware) Hidden SHIELD Streaming (Version: 1.6.53 - NVIDIA Corporation) Hidden Snagit 9.1.3 (x32 Version: 9.1.3.16 - TechSmith Corporation) SnapAPI (x32 Version: 4.4.1088 - Acronis) Synology Assistant (remove only) (x32 Version: - ) TeamViewer 8 (x32 Version: 8.0.22298 - TeamViewer) TreeSize Free V2.7 (x32 Version: 2.7 - JAM Software) TreeSize Professional V6.0 (64 bit) (Version: 6.0 - JAM Software) Tune Sweeper (x32 Version: 3.00 - Wide Angle Software) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (x32 Version: 3 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1 
- Microsoft Corporation) Update for Microsoft .NET Framework 4 Extended (KB2836939v3) (x32 Version: 3 - Microsoft Corporation) Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2494150) (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (x32 Version: - Microsoft) Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (x32 Version: - Microsoft) Visual Studio Tools for the Office system 3.0 Runtime (x32 Version: - Microsoft Corporation) Visual Studio Tools for the Office system 3.0 Runtime (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden Visual Studio Tools for the Office system 3.0 Runtime Language Pack - DEU (x32 Version: 9.0.21022 - Microsoft Corporation) Hidden Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (x32 Version: 1 - Microsoft Corporation) Visual Studio-Tools für 
Office System 3.0 Runtime Language Pack - DEU (x32 Version: - Microsoft Corporation) Windows Driver Package - Innovate Motorsports Innovate USB Driver (10/12/2009 1.4.1.0) (Version: 10/12/2009 1.4.1.0 - Innovate Motorsports) Windows-Treiberpaket - Apple Inc. Apple Wireless Mouse (09/17/2009 3.0.0.5) (Version: 09/17/2009 3.0.0.5 - Apple Inc.) ==================== Restore Points ========================= 02-01-2014 07:41:48 Geplanter Prüfpunkt 07-01-2014 11:00:15 Windows Update ==================== Hosts content: ========================== 2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: {17332B1B-E359-4145-A18E-A29BEB1BB1C9} - System32\Tasks\APC-startup => C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe Task: {4E457749-DA5B-407D-973D-609B7716A0C4} - System32\Tasks\RMAutoUpdate => C:\Program Files (x86)\Registry Mechanic\SULauncher.exe [2012-08-21] (PC Tools) Task: {5DEFCD02-0CD3-465F-8AC1-3B5A156B072F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-11] (Adobe Systems Incorporated) Task: {98C5F330-C260-4B8B-BDDA-48A35C377A5A} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup Task: {E25867B5-B9C2-4B0A-8D0C-6B6237830A03} - System32\Tasks\RMSchedule => C:\Program Files (x86)\Registry Mechanic\RegMech.exe [2012-08-21] (PC Tools) Task: {EB02381F-D652-4B1C-894A-712498C62C51} - System32\Tasks\Microsoft\Windows\MUI\LPRemove => C:\Windows\system32\lpremove.exe [2009-07-14] () Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\RMAutoUpdate.job => C:\Program Files (x86)\Registry Mechanic\SULauncher.exe Task: C:\Windows\Tasks\RMSchedule.job => C:\Program Files (x86)\Registry Mechanic\RegMech.exe 
==================== Loaded Modules (whitelisted) ============= 2012-08-23 03:51 - 2013-10-01 10:32 - 02818216 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll 2013-04-05 11:58 - 2013-04-05 11:58 - 00021320 _____ () C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreamsPS64.dll 2013-04-05 11:58 - 2013-04-05 11:58 - 00954696 _____ () C:\Program Files\Common Files\Apple\Internet Services\ShellStreams64.dll 2012-10-10 07:35 - 2012-10-10 07:22 - 00397088 _____ () C:\Program Files (x86)\Avira\AntiVir Desktop\sqlite3.dll 2013-09-13 19:51 - 2013-09-13 19:51 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll 2013-09-13 19:51 - 2013-09-13 19:51 - 01242952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00634176 _____ () C:\Program Files (x86)\HiSuite\core.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00302912 _____ () C:\Program Files (x86)\HiSuite\sdk.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00017832 _____ () C:\Program Files (x86)\HiSuite\mingwm10.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00049472 _____ () C:\Program Files (x86)\HiSuite\libgcc_s_dw2-1.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 02421568 _____ () C:\Program Files (x86)\HiSuite\QtCore4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00911168 _____ () C:\Program Files (x86)\HiSuite\QtNetwork4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 07723328 _____ () C:\Program Files (x86)\HiSuite\QtGui4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 12326208 _____ () C:\Program Files (x86)\HiSuite\QtWebKit4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00262464 _____ () C:\Program Files (x86)\HiSuite\phonon4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00855872 _____ () C:\Program Files (x86)\HiSuite\Proxy.DLL 2013-07-11 15:47 - 2013-07-11 15:47 - 00764224 _____ () C:\Program Files (x86)\HiSuite\Common.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00535360 _____ () C:\Program Files 
(x86)\HiSuite\Trace.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00596288 _____ () C:\Program Files (x86)\HiSuite\PluginContainer.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 01475392 _____ () C:\Program Files (x86)\HiSuite\AtComm.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00759616 _____ () C:\Program Files (x86)\HiSuite\AddrBookSrvPlugin.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00751424 _____ () C:\Program Files (x86)\HiSuite\vCardvCalPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00105792 _____ () C:\Program Files (x86)\HiSuite\CryptPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00586560 _____ () C:\Program Files (x86)\HiSuite\CalendarPlugin.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00558400 _____ () C:\Program Files (x86)\HiSuite\XCodec.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00953664 _____ () C:\Program Files (x86)\HiSuite\DeviceAppPlugin.dll 2013-07-11 15:46 - 2013-07-11 15:46 - 00635200 _____ () C:\Program Files (x86)\HiSuite\ADB.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00504640 _____ () C:\Program Files (x86)\HiSuite\OSPowerMgr.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00768832 _____ () C:\Program Files (x86)\HiSuite\XObex.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00070976 _____ () C:\Program Files (x86)\HiSuite\obex.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00613184 _____ () C:\Program Files (x86)\HiSuite\ADBAdapt.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00637760 _____ () C:\Program Files (x86)\HiSuite\OSAdapt.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00108864 _____ () C:\Program Files (x86)\HiSuite\SmsSrvPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00687936 _____ () C:\Program Files (x86)\HiSuite\SmsAppPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00844608 _____ () C:\Program Files (x86)\HiSuite\SyncPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00540480 _____ () C:\Program Files (x86)\HiSuite\APKManagerPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00572736 _____ () C:\Program Files (x86)\HiSuite\MusicPlaySrvPlugin.dll 2013-07-11 15:48 - 
2013-07-11 15:48 - 00551744 _____ () C:\Program Files (x86)\HiSuite\ImageMgrSrvPlugin.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00089408 _____ () C:\Program Files (x86)\HiSuite\plugins\imageformats\qgif4.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00088384 _____ () C:\Program Files (x86)\HiSuite\plugins\imageformats\qico4.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00198464 _____ () C:\Program Files (x86)\HiSuite\plugins\imageformats\qjpeg4.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00357184 _____ () C:\Program Files (x86)\HiSuite\plugins\imageformats\qmng4.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00078656 _____ () C:\Program Files (x86)\HiSuite\plugins\imageformats\qsvg4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00305984 _____ () C:\Program Files (x86)\HiSuite\QtSvg4.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00376640 _____ () C:\Program Files (x86)\HiSuite\plugins\imageformats\qtiff4.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00253248 _____ () C:\Program Files (x86)\HiSuite\XFramePlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00332096 _____ () C:\Program Files (x86)\HiSuite\QtXml4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00222016 _____ () C:\Program Files (x86)\HiSuite\QtSql4.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00147264 _____ () C:\Program Files (x86)\HiSuite\StatusBarMgrPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 01233216 _____ () C:\Program Files (x86)\HiSuite\AddrBookUIPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00208704 _____ () C:\Program Files (x86)\HiSuite\SettingUIPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00170304 _____ () C:\Program Files (x86)\HiSuite\RelationPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 01483072 _____ () C:\Program Files (x86)\HiSuite\SMSUIPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00598336 _____ () C:\Program Files (x86)\HiSuite\CalendarUIPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00273216 _____ () C:\Program Files (x86)\HiSuite\TaskUIPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00222528 _____ () 
C:\Program Files (x86)\HiSuite\DownLoadPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00106816 _____ () C:\Program Files (x86)\HiSuite\NotifyServicePlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 01455936 _____ () C:\Program Files (x86)\HiSuite\ImExportUIPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00159040 _____ () C:\Program Files (x86)\HiSuite\GmailOperation.DLL 2013-07-11 15:48 - 2013-07-11 15:48 - 00993600 _____ () C:\Program Files (x86)\HiSuite\libxml2.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00084288 _____ () C:\Program Files (x86)\HiSuite\zlib1.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00211264 _____ () C:\Program Files (x86)\HiSuite\Outlook.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00137536 _____ () C:\Program Files (x86)\HiSuite\OutlookExpress.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00119616 _____ () C:\Program Files (x86)\HiSuite\LayoutPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00227136 _____ () C:\Program Files (x86)\HiSuite\ModuleTreePlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00274752 _____ () C:\Program Files (x86)\HiSuite\HomeUIPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00897344 _____ () C:\Program Files (x86)\HiSuite\AppManagerUIPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 01560896 _____ () C:\Program Files (x86)\HiSuite\QtScript4.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 01182528 _____ () C:\Program Files (x86)\HiSuite\MusicMgrUIPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00713024 _____ () C:\Program Files (x86)\HiSuite\ImageMgrUIPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00239424 _____ () C:\Program Files (x86)\HiSuite\ScreenShotUIPlugin.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 02308928 _____ () C:\Program Files (x86)\HiSuite\UpdateUIPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00087360 _____ () C:\Program Files (x86)\HiSuite\HWEMUIEditToolsUIPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00083264 _____ () C:\Program Files (x86)\HiSuite\LogoPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 00916288 
_____ () C:\Program Files (x86)\HiSuite\DeviceMgrUIPlugin.dll 2013-07-11 15:49 - 2013-07-11 15:49 - 00552768 _____ () C:\Program Files (x86)\HiSuite\SyncUIPlugin.dll 2013-07-11 15:47 - 2013-07-11 15:47 - 02282304 _____ () C:\Program Files (x86)\HiSuite\BackUpUIPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00203584 _____ () C:\Program Files (x86)\HiSuite\MenuMgrPlugin.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00364864 _____ () C:\Program Files (x86)\HiSuite\WebKitUIPlugin.dll 2013-07-11 15:48 - 2013-07-11 15:48 - 00171328 _____ () C:\Program Files (x86)\HiSuite\KuwoWebUIPlugin.dll 2013-07-11 15:50 - 2013-07-11 15:50 - 00832320 _____ () C:\Program Files (x86)\HiSuite\UpdateSrvPlugin.dll 2013-10-24 17:06 - 2013-10-24 17:06 - 00036672 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\qt_icontray_ex.dll 2013-10-24 17:06 - 2013-10-24 17:06 - 00028992 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\thread_pool.dll 2013-10-10 12:02 - 2013-10-10 12:02 - 00013120 _____ () C:\Program Files (x86)\Common Files\Acronis\TibMounter\icudt38.dll 2013-09-26 12:20 - 2013-09-26 12:20 - 00176168 _____ () C:\Program Files (x86)\Lexware\Update Manager\Haufe.Core.Diagnostics.Logging.Targets.Etw.dll 2013-09-26 12:20 - 2013-09-26 12:20 - 00043048 _____ () C:\Program Files (x86)\Lexware\Update Manager\Haufe.Core.Diagnostics.Etw.dll 2013-10-24 17:09 - 2013-10-24 17:09 - 00420160 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\ulxmlrpcpp.dll 2013-12-25 12:43 - 2013-12-25 12:43 - 03559024 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll 2013-10-01 11:00 - 2013-10-01 11:00 - 00022336 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\ti_managers_proxy_stub.dll ==================== Alternate Data Streams (whitelisted) ========= AlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1 ==================== Safe Mode (whitelisted) =================== ==================== Faulty Device Manager Devices ============= Name: PCI-Kommunikationscontroller (einfach) 
Description: PCI-Kommunikationscontroller (einfach)
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Serieller PCI-Anschluss
Description: Serieller PCI-Anschluss
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/11/2014 11:19:14 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "1". Fehler in Manifest- oder Richtliniendatei "2" in Zeile 3. Ungültige XML-Syntax.

Error: (01/11/2014 10:00:16 AM) (Source: Windows Backup) (User: )
Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "\\Gns4000_359012\backup\IngridsPC\" nicht abgeschlossen. Fehler: "Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)"

Error: (01/10/2014 06:33:01 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15615

Error: (01/10/2014 06:33:01 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15615

Error: (01/10/2014 06:33:01 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/10/2014 04:04:29 PM) (Source: Bonjour Service) (User: )
Description: 472: ERROR: read_msg errno 0 (Der Vorgang wurde erfolgreich beendet.)

Error: (01/10/2014 04:04:29 PM) (Source: Bonjour Service) (User: )
Description: ERROR: mDNSPlatformReadTCP - recv: 10053

Error: (01/10/2014 03:21:45 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "1". Fehler in Manifest- oder Richtliniendatei "2" in Zeile 3. Ungültige XML-Syntax.

Error: (01/10/2014 10:29:20 AM) (Source: Application Hang) (User: )
Description: Programm LMConfig333.exe, Version 3.33.0.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.
Prozess-ID: 19bc
Startzeit: 01cf0de63b57a7c8
Endzeit: 0
Anwendungspfad: C:\Program Files (x86)\LogWorks3\LMConfig333.exe
Berichts-ID: abf56932-79d9-11e3-918e-00199929e801

Error: (01/10/2014 10:00:05 AM) (Source: Windows Backup) (User: )
Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "\\Gns4000_359012\backup\IngridsPC\" nicht abgeschlossen. Fehler: "Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)"


System errors:
=============
Error: (01/11/2014 09:02:06 AM) (Source: BROWSER) (User: )
Description: Das Einlesen der Sicherungsliste durch den Suchdienst schlug auf Transport "\Device\NetBT_Tcpip_{63CD12CA-F687-4486-A109-E77EF4E92A98}" zu oft fehl. Der Sicherungssuchdienst wird beendet.

Error: (01/11/2014 08:59:41 AM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst IPBusEnum erreicht.

Error: (01/11/2014 08:59:03 AM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst AntiVirSchedulerService erreicht.

Error: (01/10/2014 04:21:32 PM) (Source: BROWSER) (User: )
Description: Das Einlesen der Sicherungsliste durch den Suchdienst schlug auf Transport "\Device\NetBT_Tcpip_{63CD12CA-F687-4486-A109-E77EF4E92A98}" zu oft fehl. Der Sicherungssuchdienst wird beendet.

Error: (01/10/2014 04:05:22 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "IPsec-Richtlinien-Agent" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053

Error: (01/10/2014 04:05:22 PM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst IPsec-Richtlinien-Agent erreicht.

Error: (01/10/2014 04:03:46 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Innovate USB Driver" wurde aufgrund folgenden Fehlers nicht gestartet: %%1058

Error: (01/10/2014 07:40:02 AM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Innovate USB Driver" wurde aufgrund folgenden Fehlers nicht gestartet: %%1058

Error: (01/09/2014 11:08:48 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Innovate USB Driver" wurde aufgrund folgenden Fehlers nicht gestartet: %%1058

Error: (01/09/2014 08:17:43 AM) (Source: BROWSER) (User: )
Description: Das Einlesen der Sicherungsliste durch den Suchdienst schlug auf Transport "\Device\NetBT_Tcpip_{63CD12CA-F687-4486-A109-E77EF4E92A98}" zu oft fehl. Der Sicherungssuchdienst wird beendet.


Microsoft Office Sessions:
=========================
Error: (01/11/2014 11:19:14 AM) (Source: SideBySide)(User: )
Description: C:\Windows\system32\lpremove.exeC:\Windows\system32\lpremove.exe3

Error: (01/11/2014 10:00:16 AM) (Source: Windows Backup)(User: )
Description: \\Gns4000_359012\backup\IngridsPC\Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)

Error: (01/10/2014 06:33:01 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15615

Error: (01/10/2014 06:33:01 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15615

Error: (01/10/2014 06:33:01 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/10/2014 04:04:29 PM) (Source: Bonjour Service)(User: )
Description: 472: ERROR: read_msg errno 0 (Der Vorgang wurde erfolgreich beendet.)

Error: (01/10/2014 04:04:29 PM) (Source: Bonjour Service)(User: )
Description: ERROR: mDNSPlatformReadTCP - recv: 10053

Error: (01/10/2014 03:21:45 PM) (Source: SideBySide)(User: )
Description: C:\Windows\system32\lpremove.exeC:\Windows\system32\lpremove.exe3

Error: (01/10/2014 10:29:20 AM) (Source: Application Hang)(User: )
Description: LMConfig333.exe3.33.0.019bc01cf0de63b57a7c80C:\Program Files (x86)\LogWorks3\LMConfig333.exeabf56932-79d9-11e3-918e-00199929e801

Error: (01/10/2014 10:00:05 AM) (Source: Windows Backup)(User: )
Description: \\Gns4000_359012\backup\IngridsPC\Der Sicherungsort wurde nicht gefunden oder ist ungültig. Überprüfen Sie die Sicherungseinstellungen und den Sicherungsort. (0x81000006)


CodeIntegrity Errors:
===================================
Date: 2013-06-22 15:08:51.721
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\Users\Ingrid\AppData\Local\Temp\EverestDriver.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-06-22 15:08:51.596
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\Users\Ingrid\AppData\Local\Temp\EverestDriver.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-06-22 15:08:51.128
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\Program Files (x86)\Lavalys\EVEREST Home Edition\kerneld.amd64" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-06-22 15:08:51.003
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume3\Program Files (x86)\Lavalys\EVEREST Home Edition\kerneld.amd64" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-01-08 22:48:46.293
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume4\Users\Ingrid\AppData\Local\Temp\EverestDriver.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-01-08 22:48:46.220
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume4\Users\Ingrid\AppData\Local\Temp\EverestDriver.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-01-08 22:48:45.847
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume4\Program Files (x86)\Lavalys\EVEREST Home Edition\kerneld.amd64" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2013-01-08 22:48:45.774
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume4\Program Files (x86)\Lavalys\EVEREST Home Edition\kerneld.amd64" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2012-10-17 09:37:06.890
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

Date: 2012-10-17 09:37:06.830
Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.


==================== Memory info ===========================

Percentage of memory in use: 30%
Total physical RAM: 7902.3 MB
Available physical RAM: 5523.63 MB
Total Pagefile: 15802.77 MB
Available Pagefile: 12614.03 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive b: (photo) (Network) (Total:787.45 GB) (Free:553.65 GB) NTFS
Drive c: (Win7 Ultimate) (Fixed) (Total:465.66 GB) (Free:345.62 GB) NTFS
Drive i: (MC-city) (Network) (Total:912.45 GB) (Free:472.69 GB) NTFS
Drive k: (khb) (Network) (Total:787.45 GB) (Free:553.65 GB) NTFS
Drive l: (LM-1) (Network) (Total:787.45 GB) (Free:553.65 GB) NTFS
Drive p: (Public) (Network) (Total:787.45 GB) (Free:553.65 GB) NTFS
Drive t: (music) (Network) (Total:912.45 GB) (Free:472.69 GB) NTFS
Drive u: (photo) (Network) (Total:912.45 GB) (Free:472.69 GB) NTFS
Drive w: (Backup) (Network) (Total:912.45 GB) (Free:472.69 GB) NTFS
Drive x: (backup) (Network) (Total:2952.93 GB) (Free:2232.47 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 1112AFCA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: B376CAD8)
Partition 1: (Not Active) - (Size=932 GB) - (Type=42)

==================== End Of Log ============================
12.01.2014, 08:57 | #4
AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2014-01-11 20:03:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 Hitachi_HDS721050CLA362 rev.JP2OA3CF 465,76GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Ingrid\AppData\Local\Temp\pwliqfog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 662 fffff800037af086 11 bytes [EC, 10, 50, 9C, 6A, 10, 48, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 674 fffff800037af092 4 bytes [00, 50, B8, F6]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077341360 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077341560 8 bytes JMP 000000016fff0110
.text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0148
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8
.text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148
.text C:\Windows\system32\services.exe[624] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\system32\lsass.exe[648] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefedfa6f0 1 byte JMP 000007fffd070180
.text C:\Windows\system32\lsass.exe[648] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefedfa6f2 5 bytes {JMP 0xfffffffffe275a90}
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8
.text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148
.text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98]
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\system32\svchost.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\system32\svchost.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8
.text C:\Windows\system32\svchost.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148
.text C:\Windows\system32\svchost.exe[528] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180
.text C:\Windows\system32\svchost.exe[528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148
.text C:\Windows\system32\svchost.exe[528] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefedfa6f0 1 byte JMP 000007fffd070180
.text C:\Windows\system32\svchost.exe[528] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefedfa6f2 5 bytes {JMP 0xfffffffffe275a90}
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8
.text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148
.text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text
C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1068] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 
00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text 
C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefe954750 5 bytes JMP 000007fffd0701b8 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefedfa6f0 1 byte JMP 000007fffd070180 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefedfa6f2 5 bytes {JMP 0xfffffffffe275a90} .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 
00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files 
(x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1508] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text 
C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[1592] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefedfa6f0 1 byte JMP 000007fffd070180 .text C:\Windows\system32\svchost.exe[1592] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefedfa6f2 5 bytes {JMP 0xfffffffffe275a90} .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1756] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1756] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1756] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1756] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 
00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1836] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 
7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files 
(x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\AirPrint\airprint.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir 
Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2036] 
C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000010068d120 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000010069fc20 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000010069e100 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000010069ed90 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000010069c3c0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000010069e7a0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 00000001006a0080 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [1B, 89] .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000010069fe40 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000010069e400 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000010069cde0 .text C:\Program 
Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000010069b670 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000010069f8b0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000010069bfe0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000010069ca40 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000010069f6a0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000010069f220 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000010069f460 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000010069c670 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000010069f020 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000100697f40 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000010068d240 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] 
C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000100695070 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000100695c00 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000100693ba0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000010068d270 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000010068b6e0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000010068c470 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000010068b1a0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000010068ac20 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000010068c160 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000100688140 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000010068bc20 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 
00000001006893d0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000100688980 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000100687ea0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000100688c20 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000010068bec0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000010068b980 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000010068b440 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000010068c690 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000010068c8b0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000010068a160 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000010068a6a0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000010068aee0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] 
C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000010068cb20 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000100688780 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000100689eb0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000100689c00 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000100689120 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000100689680 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000100689930 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000100688370 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000100687c90 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001006997c0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001006999d0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000010068a960 .text 
C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000010068a400 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000100688580 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000100688f00 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762958b3 5 bytes JMP 0000000100698d10 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076295ea6 5 bytes JMP 0000000100699530 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076297bcc 5 bytes JMP 0000000100699e10 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007629b895 5 bytes JMP 0000000100698d50 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007629c332 5 bytes JMP 0000000100699280 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007629cbfb 5 bytes JMP 0000000100698ae0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007629e743 5 bytes JMP 0000000100699d10 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000762c480f 5 bytes JMP 0000000100698ff0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe[512] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a42642 5 bytes JMP 
00000001006944d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files 
(x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text 
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\svchost.exe[2612] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\svchost.exe[2612] 
C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe[2656] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe[2656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 
bytes JMP 0000000110030080 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Lexware\Update Service\Hmg.InstallationService.Service.exe[2728] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 |
12.01.2014, 08:58 | #5 |
| AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds
Code:
ATTFilter .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\taskhost.exe[2792] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 
5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Malwarebytes' 
Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2992] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose 
00000000774ef9e0 5 bytes JMP 000000011001d120
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98]
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000011001d270
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2148] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a42642 5 bytes JMP 00000001100244d0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98]
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00
.text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\Explorer.EXE[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8a22d0 5 bytes JMP 000007fffd070260
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8a24b8 5 bytes JMP 000007fffd070298
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe8a5be0 5 bytes JMP 000007fffd0702d0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8a8384 9 bytes JMP 000007fffd0701f0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8a89c4 9 bytes JMP 000007fffd0701b8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8a933c 5 bytes JMP 000007fffd070228
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe8ab9e8 5 bytes JMP 000007fffd070340
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8ac8b0 5 bytes JMP 000007fffd070308
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000771f6ef0 8 bytes JMP 000000016fff06f8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000771f8184 7 bytes JMP 000000016fff0880
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SetParent 00000000771f8530 8 bytes JMP 000000016fff0730
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!PostMessageA 00000000771fa404 5 bytes JMP 000000016fff0308
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!EnableWindow 00000000771faaa0 9 bytes JMP 000000016fff08f0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!MoveWindow 00000000771faad0 8 bytes JMP 000000016fff0768
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000771fc720 5 bytes JMP 000000016fff06c0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000771fcd50 8 bytes JMP 000000016fff0848
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000771fd2b0 5 bytes JMP 000000016fff0378
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendMessageA 00000000771fd338 5 bytes JMP 000000016fff03e8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000771fdc40 9 bytes JMP 000000016fff0570
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000771ff510 7 bytes JMP 000000016fff08b8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000771ff874 9 bytes JMP 000000016fff0298
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000771ffac0 9 bytes JMP 000000016fff0490
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077200b74 10 bytes JMP 000000016fff03b0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077204d4c 5 bytes JMP 000000016fff02d0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!GetKeyState 0000000077205010 5 bytes JMP 000000016fff0688
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077205438 7 bytes JMP 000000016fff0500
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendMessageW 0000000077206b50 5 bytes JMP 000000016fff0420
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!PostMessageW 00000000772076e4 7 bytes JMP 000000016fff0340
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007720dd90 5 bytes JMP 000000016fff05e0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!GetClipboardData 000000007720e874 5 bytes JMP 000000016fff0810
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007720f780 8 bytes JMP 000000016fff07a0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000772128e4 12 bytes JMP 000000016fff0538
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!mouse_event 0000000077213894 7 bytes JMP 000000016fff0228
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077218a10 8 bytes JMP 000000016fff0650
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077218be0 12 bytes JMP 000000016fff0458
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077218c20 12 bytes JMP 000000016fff0260
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendInput 0000000077218cd0 8 bytes JMP 000000016fff0618
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!BlockInput 000000007721ad60 8 bytes JMP 000000016fff07d8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000772414e0 5 bytes JMP 000000016fff0928
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!keybd_event 00000000772645a4 7 bytes JMP 000000016fff01f0
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007726cc08 5 bytes JMP 000000016fff05a8
.text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007726df18 7 bytes JMP 000000016fff04c8
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40
.text C:\Windows\system32\svchost.exe[3276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98]
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00
.text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[3376] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0
.text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8
bytes JMP 000000016fff0ae8 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\wbem\wmiprvse.exe[2840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes 
JMP 000000011002c3c0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program 
Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE[2636] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a42642 5 bytes JMP 00000001100244d0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text 
C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe[3672] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 
0000000110023ba0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8a22d0 5 bytes JMP 000007fffd070260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8a24b8 5 bytes JMP 000007fffd070298 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe8a5be0 5 bytes JMP 000007fffd0702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8a8384 9 bytes JMP 000007fffd0701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] 
C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8a89c4 9 bytes JMP 000007fffd0701b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8a933c 5 bytes JMP 000007fffd070228 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe8ab9e8 5 bytes JMP 000007fffd070340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8ac8b0 5 bytes JMP 000007fffd070308 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Program Files 
(x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Program Files (x86)\HiSuite\HiSuite.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text 
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[3652] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8a22d0 5 bytes JMP 000007fffd0702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8a24b8 5 bytes JMP 000007fffd070308 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe8a5be0 5 bytes JMP 000007fffd070340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8a8384 9 bytes JMP 000007fffd0701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8a89c4 9 bytes JMP 000007fffd0701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8a933c 5 bytes JMP 000007fffd070228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe8ab9e8 5 bytes JMP 000007fffd0703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8ac8b0 5 bytes JMP 000007fffd070378 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text 
C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Users\Ingrid\AppData\Local\Akamai\netsession_win.exe[4336] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000011001d270 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[456] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 
|
12.01.2014, 09:00 | #6 |
| AVIRA finds 4 unwanted programs TR/Kazy.evrfa TR/Rogue.AI.1030 BDS/Androm.lrds
Code:
Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Program 
Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\KERNEL32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8a22d0 5 bytes JMP 000007fffd070260 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8a24b8 5 bytes JMP 000007fffd070298 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe8a5be0 5 bytes JMP 000007fffd0702d0 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8a8384 9 bytes JMP 000007fffd0701f0 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8a89c4 9 bytes JMP 000007fffd0701b8 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8a933c 5 bytes JMP 000007fffd070228 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe8ab9e8 5 bytes JMP 000007fffd070340 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8ac8b0 5 bytes JMP 000007fffd070308 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefedfa6f0 1 byte JMP 000007fffd070180 .text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[6360] 
C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2 000007fefedfa6f2 5 bytes {JMP 0xfffffffffe275a90} .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 
000000016fff0ab0 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe8a22d0 5 bytes JMP 000007fffd070260 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!BitBlt 000007fefe8a24b8 5 bytes JMP 000007fffd070298 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefe8a5be0 5 bytes JMP 000007fffd0702d0 .text 
C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe8a8384 9 bytes JMP 000007fffd0701f0 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe8a89c4 9 bytes JMP 000007fffd0701b8 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe8a933c 5 bytes JMP 000007fffd070228 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefe8ab9e8 5 bytes JMP 000007fffd070340 .text C:\Windows\system32\AUDIODG.EXE[5204] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefe8ac8b0 5 bytes JMP 000007fffd070308 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 000000011002f220 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070 .text 
C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000011001d270 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\ADVAPI32.DLL!CreateProcessAsUserA 0000000076a42642 5 bytes JMP 00000001100244d0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74] .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74] .text ... * 2 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] 
C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780 .text 
C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762958b3 5 bytes JMP 
0000000110028d10 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076295ea6 5 bytes JMP 0000000110029530 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076297bcc 5 bytes JMP 0000000110029e10 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007629b895 5 bytes JMP 0000000110028d50 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007629c332 5 bytes JMP 0000000110029280 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007629cbfb 5 bytes JMP 0000000110028ae0 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007629e743 5 bytes JMP 0000000110029d10 .text C:\Users\Ingrid\Downloads\Defogger.exe[6288] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000762c480f 5 bytes JMP 0000000110028ff0 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077313b10 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077317ac0 5 bytes JMP 000000016fff0d50 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773413a0 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077341570 8 bytes JMP 000000016fff0a78 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773415e0 8 bytes JMP 000000016fff0c00 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077341620 8 bytes JMP 000000016fff0b90 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773416c0 8 bytes JMP 000000016fff0c38 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 
0000000077341750 8 bytes JMP 000000016fff0b58 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077341790 8 bytes JMP 000000016fff0998 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773417e0 8 bytes JMP 000000016fff09d0 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077341800 8 bytes JMP 000000016fff0bc8 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773419f0 8 bytes JMP 000000016fff0d18 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077341b00 8 bytes JMP 000000016fff0960 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077341bd0 8 bytes JMP 000000016fff0ab0 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077341d20 8 bytes JMP 000000016fff0c70 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077341d30 8 bytes JMP 000000016fff0ce0 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773420a0 8 bytes JMP 000000016fff0ae8 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077342130 8 bytes JMP 000000016fff0ca8 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773429a0 8 bytes JMP 000000016fff0b20 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077342a20 8 bytes JMP 000000016fff0a08 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077342aa0 8 bytes JMP 000000016fff0a40 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000770da420 12 bytes JMP 000000016fff01b8 
.text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000770f1b50 12 bytes JMP 000000016fff0148 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077168810 7 bytes JMP 000000016fff0180 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2153c0 7 bytes JMP 000007fffd070148 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8a22d0 5 bytes JMP 000007fffd070260 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8a24b8 5 bytes JMP 000007fffd070298 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe8a5be0 5 bytes JMP 000007fffd0702d0 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe8a8384 9 bytes JMP 000007fffd0701f0 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8a89c4 9 bytes JMP 000007fffd0701b8 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe8a933c 5 bytes JMP 000007fffd070228 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe8ab9e8 5 bytes JMP 000007fffd070340 .text C:\Windows\system32\conhost.exe[4416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe8ac8b0 5 bytes JMP 000007fffd070308 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774ef9e0 5 bytes JMP 000000011001d120 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774efcb0 5 bytes JMP 000000011002fc20 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774efd64 5 bytes JMP 000000011002e100 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 
00000000774efdc8 5 bytes JMP 000000011002ed90 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000774efec0 5 bytes JMP 000000011002c3c0 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000774effa4 5 bytes JMP 000000011002e7a0 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000774f0004 2 bytes JMP 0000000110030080 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3 00000000774f0007 2 bytes [B4, 98] .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000774f0084 5 bytes JMP 000000011002fe40 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774f00b4 5 bytes JMP 000000011002e400 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774f03b8 5 bytes JMP 000000011002cde0 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f0550 5 bytes JMP 000000011002b670 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000774f0694 5 bytes JMP 000000011002f8b0 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f088c 5 bytes JMP 000000011002bfe0 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774f08a4 5 bytes JMP 000000011002ca40 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000774f0df4 5 bytes JMP 000000011002f6a0 .text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000774f0ed8 5 bytes JMP 
000000011002f220
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000774f1be4 5 bytes JMP 000000011002f460
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000774f1cb4 5 bytes JMP 000000011002c670
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000774f1d8c 5 bytes JMP 000000011002f020
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077511287 7 bytes JMP 000000011001d240
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075011072 5 bytes JMP 0000000110025c00
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007503c965 5 bytes JMP 0000000110023ba0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076adf776 5 bytes JMP 000000011001d270
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765e8bff 5 bytes JMP 000000011001b6e0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765e90d3 7 bytes JMP 000000011001c470
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765e9679 5 bytes JMP 000000011001b1a0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765e97d2 5 bytes JMP 000000011001ac20
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765eee09 5 bytes JMP 000000011001c160
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765eefc9 5 bytes JMP 0000000110018140
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000765f12a5 5 bytes JMP 000000011001bc20
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000765f291f 5 bytes JMP 00000001100193d0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SetParent 00000000765f2d64 5 bytes JMP 0000000110018980
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000765f2da4 5 bytes JMP 0000000110017ea0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000765f3698 5 bytes JMP 0000000110018c20
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000765f3baa 5 bytes JMP 000000011001bec0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000765f3c61 5 bytes JMP 000000011001b980
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000765f612e 5 bytes JMP 000000011001b440
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000765f7668 5 bytes JMP 000000011001a160
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000765f76e0 5 bytes JMP 000000011001a6a0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000765f781f 5 bytes JMP 000000011001aee0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765f835c 5 bytes JMP 000000011001cb20
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000765fc4b6 5 bytes JMP 0000000110018780
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007660c112 5 bytes JMP 0000000110019eb0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007660d0f5 5 bytes JMP 0000000110019c00
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007660ec68 5 bytes JMP 0000000110019680
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendInput 000000007660ff4a 5 bytes JMP 0000000110019930
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076631497 5 bytes JMP 0000000110017c90
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!mouse_event 000000007664027b 5 bytes JMP 00000001100297c0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!keybd_event 00000000766402bf 5 bytes JMP 00000001100299d0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076646cfc 5 bytes JMP 000000011001a960
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076646d5d 5 bytes JMP 000000011001a400
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076647dd7 5 bytes JMP 0000000110018580
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766488eb 5 bytes JMP 0000000110018f00
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000762958b3 5 bytes JMP 0000000110028d10
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076295ea6 5 bytes JMP 0000000110029530
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076297bcc 5 bytes JMP 0000000110029e10
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007629b895 5 bytes JMP 0000000110028d50
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007629c332 5 bytes JMP 0000000110029280
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007629cbfb 5 bytes JMP 0000000110028ae0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007629e743 5 bytes JMP 0000000110029d10
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000762c480f 5 bytes JMP 0000000110028ff0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a42642 5 bytes JMP 00000001100244d0

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\lsm.exe [656:5060] 000007fefea50168
Thread C:\Windows\system32\svchost.exe [928:2924] 000007fefaae2154
Thread C:\Windows\system32\svchost.exe [928:2244] 000007fefc1b4af4
Thread C:\Windows\system32\svchost.exe [928:7052] 000007fefc1b4af4
Thread C:\Windows\System32\spoolsv.exe [1472:2344] 000007fef6b010c8
Thread C:\Windows\System32\spoolsv.exe [1472:2352] 000007fef6ac6144
Thread C:\Windows\System32\spoolsv.exe [1472:2356] 000007fef68b5fd0
Thread C:\Windows\System32\spoolsv.exe [1472:2360] 000007fef68a3438
Thread C:\Windows\System32\spoolsv.exe [1472:2364] 000007fef68b63ec
Thread C:\Windows\System32\spoolsv.exe [1472:2372] 000007fef6e35e5c
Thread C:\Windows\System32\spoolsv.exe [1472:2376] 000007fef6e65074
Thread C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe [2696:2712] 000007fefd9fa808
Thread C:\Windows\Explorer.EXE [3136:1252] 000000000cd3dbb0
Thread C:\Windows\Explorer.EXE [3136:7000] 000000000cd314a0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5072b6
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5072b6@7cc3a166c088 0xBB 0x8A 0x73 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d4080d4
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d4080d4@7cc3a166c088 0x8F 0x7C 0x66 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0009dd5072b6 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0009dd5072b6@7cc3a166c088 0xBB 0x8A 0x73 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d4080d4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d4080d4@7cc3a166c088 0x8F 0x7C 0x66 0x4E ...

---- EOF - GMER 2.1 ----

I hope this works with the GMER.txt split into three parts. Jackomo |
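Added example, not part of the post above and not GMER's own code: a small Python triage script for the user-mode hook section of a GMER log like the one quoted. It parses each `.text … JMP …` line, groups the hooks per process, sorts the hooked exports into the API families that are visible in this log (process creation, keyboard/input capture, screen capture, clipboard, shutdown) and checks whether every JMP target falls into one address range, which is what you see when a single injected module owns all the hooks. The sample lines are copied from the log above; the family table and the 1 MiB bucket size are my own choices, and the script does not (and cannot) tell you which product placed the hooks, only that they come from one place and which capabilities they cover.

```python
import re
from collections import defaultdict

# Constructed excerpt: eight hook lines, one thread line and the EOF marker,
# copied verbatim from the GMER 2.1 log in the post above. The real log has
# many more entries in exactly this layout.
SAMPLE_LOG = r"""
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007750c4dd 5 bytes JMP 0000000110027f40
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007501103d 5 bytes JMP 0000000110025070
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765f7603 5 bytes JMP 000000011001c8b0
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007660eb96 5 bytes JMP 0000000110019120
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076629f1d 5 bytes JMP 0000000110018370
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000765f6c30 7 bytes JMP 000000011001c690
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076295ea6 5 bytes JMP 0000000110029530
.text C:\Users\Ingrid\Downloads\gmer_2.1.19163.exe[1164] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a42642 5 bytes JMP 00000001100244d0
---- Threads - GMER 2.1 ----
Thread C:\Windows\system32\lsm.exe [656:5060] 000007fefea50168
---- EOF - GMER 2.1 ----
"""

# One GMER user-mode inline-hook entry:
#   .text <process>[<pid>] <module>!<function> <address> <n> bytes JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+"
    r"JMP\s+(?P<target>[0-9a-fA-F]+)\s*$"
)

# API families seen in this log. The grouping is my own (assumption), not GMER's.
API_FAMILIES = {
    "process":   ("CreateProcess", "LdrLoadDll", "LdrUnloadDll"),
    "keyboard":  ("GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                  "SetWindowsHookEx", "RegisterRawInputDevices", "RegisterHotKey"),
    "screen":    ("BitBlt", "StretchBlt", "MaskBlt", "PlgBlt", "GetPixel", "CreateDC"),
    "clipboard": ("GetClipboardData", "SetClipboardViewer"),
    "shutdown":  ("ExitWindowsEx", "NtShutdownSystem", "SetProcessShutdownParameters"),
}


def classify(func):
    """Map a hooked export name to one of API_FAMILIES, or 'other'."""
    for family, prefixes in API_FAMILIES.items():
        if func.startswith(prefixes):
            return family
    return "other"


def parse_hooks(text):
    """Return one dict per hook line; thread, registry and header lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["size"] = int(h["size"])
        h["addr"] = int(h["addr"], 16)
        h["target"] = int(h["target"], 16)
        h["module"] = h["module"].rsplit("\\", 1)[-1].lower()  # ntdll.dll, user32.dll, ...
        hooks.append(h)
    return hooks


def triage(text, bucket=0x100000):
    """Per hooked process: hook count, hooked modules, API families, and whether
    every JMP target lands in one bucket-sized range (i.e. one hooking module)."""
    per_proc = defaultdict(list)
    for h in parse_hooks(text):
        per_proc[(h["proc"], h["pid"])].append(h)

    report = {}
    for key, group in per_proc.items():
        families = defaultdict(int)
        for h in group:
            families[classify(h["func"])] += 1
        buckets = {h["target"] // bucket * bucket for h in group}
        report[key] = {
            "hooks": len(group),
            "modules": sorted({h["module"] for h in group}),
            "families": dict(families),
            "target_buckets": sorted(hex(b) for b in buckets),
            "single_hooking_module": len(buckets) == 1,
        }
    return report


if __name__ == "__main__":
    for (proc, pid), info in triage(SAMPLE_LOG).items():
        print(f"{proc} [{pid}]: {info['hooks']} hooks in {', '.join(info['modules'])}")
        print(f"  families: {info['families']}")
        print(f"  JMP targets in {info['target_buckets']} "
              f"-> single hooking module: {info['single_hooking_module']}")
```

Run it against a full GMER.txt by reading the file into `triage()`. A process whose hooks all jump into one range is consistent with one injected DLL; a process with two or more ranges, or hooks in a process that should not carry any, is what deserves a closer look. The family counts tell you what the hooking module is able to observe (keystrokes, screen, clipboard, new processes), which is the same whether the module is a security product or something hostile; the verdict comes from identifying the module, not from the hooks alone.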
12.01.2014, 13:28 | #7 |
/// TB-Ausbilder | OK. ESET Online Scanner
__________________ cheers, Leo |
12.01.2014, 21:04 | #8 |
| Hello Leo, here is the log. Code:
ESETSmartInstaller@High as downloader log: all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=03b56e0e3582ae44935778697abe32bf
# engine=16622
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-01-12 06:46:48
# local_time=2014-01-12 07:46:48 (+0100, Central European Time)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3074 16777213 100 100 36677339 80974302 0 0
# compatibility_mode=5893 16776574 100 94 16019347 141182258 0 0
# scanned=262593
# found=0
# cleaned=0
# scan_time=10870 |
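Added example, not part of the post and not ESET's own tooling: a Python helper that parses the `# key=value` header of an ESET Online Scanner log like the one above into typed fields and turns it into a verdict together with the caveats an analyst would attach. The log above reports found=0, but it was run with unwanted_checked=false and unsafe_checked=false, so potentially unwanted and potentially unsafe applications were outside the scan's scope; the helper makes that visible instead of reporting a bare "clean". The embedded sample is the log from the post; the caveat wording and the choice of which flags matter are my own assumptions.

```python
# Constructed sample: the ESET Online Scanner log from the post above,
# embedded here so the helper runs offline.
SAMPLE_ESET_LOG = """\
ESETSmartInstaller@High as downloader log: all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=03b56e0e3582ae44935778697abe32bf
# engine=16622
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-01-12 06:46:48
# local_time=2014-01-12 07:46:48 (+0100, Central European Time)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3074 16777213 100 100 36677339 80974302 0 0
# compatibility_mode=5893 16776574 100 94 16019347 141182258 0 0
# scanned=262593
# found=0
# cleaned=0
# scan_time=10870
"""

# Scope flags and the caveat to attach when a flag is not true (my wording).
SCOPE_FLAGS = {
    "archives_checked":    "archives were not opened",
    "unwanted_checked":    "potentially unwanted applications were not scanned",
    "unsafe_checked":      "potentially unsafe applications were not scanned",
    "antistealth_checked": "anti-stealth (rootkit) scanning was off",
}


def _coerce(value):
    """'true'/'false' -> bool, plain digits -> int, quoted text -> unquoted str."""
    value = value.strip().strip('"')
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_eset(text):
    """Parse the '# key=value' lines; keys that repeat (compatibility_mode) become lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#") or "=" not in line:
            continue                      # banner lines such as the downloader status
        key, _, value = line[1:].partition("=")
        key, value = key.strip(), _coerce(value)
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields


def format_duration(seconds):
    hours, rest = divmod(int(seconds), 3600)
    minutes, secs = divmod(rest, 60)
    return f"{hours}h {minutes}m {secs}s"


def assess(fields):
    """Verdict plus the caveats that qualify it. 'clean' only means: the scan
    finished and found nothing within the scope it was actually given."""
    caveats = [msg for flag, msg in SCOPE_FLAGS.items() if fields.get(flag) is not True]
    finished = fields.get("end") == "finished"
    found = fields.get("found", 0)
    if not finished:
        caveats.append("scan did not finish")
    if found and fields.get("remove_checked") is not True:
        caveats.append(f"{found} finding(s) reported but removal was disabled")
    return {
        "clean": finished and found == 0,
        "scanned": fields.get("scanned", 0),
        "found": found,
        "cleaned": fields.get("cleaned", 0),
        "duration": format_duration(fields.get("scan_time", 0)),
        "caveats": caveats,
    }


if __name__ == "__main__":
    verdict = assess(parse_eset(SAMPLE_ESET_LOG))
    print(f"clean={verdict['clean']} scanned={verdict['scanned']} "
          f"found={verdict['found']} in {verdict['duration']}")
    for c in verdict["caveats"]:
        print("  caveat:", c)
```

The point of `assess()` is the caveat list: a "clean" result from a scan whose PUA and "unsafe application" categories were switched off says nothing about the adware-style findings that started this thread, so the flags should be read together with the count, not instead of it.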
13.01.2014, 19:55 | #9 |
/// TB-Ausbilder | Looks good.
Step 1
Your Java is no longer current. Older versions contain security vulnerabilities that malware can abuse to infect the machine via drive-by download. The current version is Java 7 Update 45.
So think about whether you really need a Java installation at all. If you want to keep using Java, then:
Cleanup
Finally, we will now tidy up our tools (including the quarantine folders), delete the infected system restore points and put all settings back in order. These steps are still important and should be carried out in the order given.
>> OK << We're done; your logs look clean to me at the moment. Below I have put together a few notes and tips that should help you never need our help again. After that, please give me a short reply once there are no more problems or questions on your side, so that I can consider this topic resolved.
Epilogue: tips, dos & don'ts
Keeping system and software up to date
The Windows operating system must always be fully up to date. Make sure that automatic updates are enabled:
The installed software should also always be the latest version. This applies especially to the browser, Java, Flash Player and PDF reader, because known vulnerabilities in their old versions are exploited to install malware via drive-by download simply by visiting a prepared website. This can even happen on normally legitimate websites, if an attacker has managed to inject his code into the page, and is therefore relatively unpredictable.
Security software
One remark up front: every software solution has its weaknesses. Shifting the entire responsibility for security onto software and expecting all-round protection would be a dangerous illusion. With careless or deliberately risky behaviour, even the best program will sooner or later fail (e.g. a virus scanner that does not detect an infected file). Nevertheless, such software is of course important and, in combination with a well-maintained (up-to-date) system and sensible behaviour, helps you keep your computer clean.
It is in the nature of things that the most widespread application software is also the one attacked most often by malware authors. It can therefore already be a small security gain to use alternative software (e.g. an alternative PDF reader). Instead of Internet Explorer, for example, you can use Mozilla Firefox, for which there are two useful add-ons to recommend:
(Un)safe behaviour on the Internet
Besides unnoticed drive-by installations, malware is also often installed more or less actively by the user. Visiting shady websites can already carry risks. And downloads from dubious sources are always Russian roulette. Even if the virus scanner does not currently detect a threat in them, that need not mean anything.
Attempts are also often made to get the user, with more or less cunning methods, to carry out a fatal action himself (the umbrella term is social engineering).
Annoying adware (advertising) and unnecessary toolbars are also mostly installed by the user himself, along with something else.
General notes
Finally, a few basic remarks:
If you like, you can support the forum with a small donation. It only remains for me to wish you carefree and safe surfing, and that we won't see each other here again any time soon.
__________________ cheers, Leo |
16.01.2014, 22:14 | #10 |
| Hello Leo, many thanks for your help! I waited a little while. I can't find anything unusual here any more; you can close the topic. Thanks also for the additional tips! Have a nice evening, Jackomo |
17.01.2014, 00:15 | #11 |
/// TB-Ausbilder | Glad we could help. If you have suggestions, criticism or praise for the forum, you can leave them here. This topic appears to be resolved and is being removed from my subscriptions, so I will no longer receive notifications of new replies. Should you need the topic again, please send me a PM and we will continue here. Everyone else, please read these instructions and create your own thread.
__________________ cheers, Leo |