Log Analysis and Evaluation: Many PUPs and Suspicious:W32/Malware!Gemini (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
06.03.2014, 11:40 | #1 |
Many PUPs and Suspicious:W32/Malware!Gemini

Hello Trojanerboard,

a buddy of mine ran Malwarebytes on his machine on my recommendation. It turned up a whole bunch of PUPs. Malwarebytes seems to have removed most of them successfully. Only this one came back several times:

Code:
Infizierte Registrierungswerte: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Daten: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun

(Info: uTorrent has been uninstalled and there is NO illegal software on the machine.)

During the FRST scan the antivirus that had been in use so far triggered and blocked the program. After the scans I had F-Secure run another quick scan, and it found this:

Code:
Scan-Bericht
Donnerstag, 6. März 2014 10:19:01 - 10:23:26
Computername: MARC-PC
Scan-Methode: Viren- und Spyware-Scan
Ziel: System
Ergebnis: 1 Malware gefunden
Neustart des Systems erforderlich, um den Desinfektionsvorgang abzuschließen!
Suspicious:W32/Malware!Gemini (Virus)
Aktion: unter Quarantäne
Statistiken
Gescannt:
Dateien: 12882
Nicht gescannt: 0
Ergebnis:
Viren: 1
Spyware: 0
Verdächtige Elemente: 0
Riskware: 0
Aktionen:
Desinfiziert: 0
Umbenannt: 0
Gelöscht: 0
In Quarantäne: 1
Fehlgeschl.: 0
Boot-Sektoren:
Gescannt: 0
Infiziert: 0
Verdächtige Elemente: 0
Desinfiziert: 0
Optionen
Version der Definitionen:
Viren: 2014-03-06_02
Spyware: 2014-03-06_02
Scan-Module:
F-Secure Aquarius: 11.00.01, 2014-03-06
F-Secure Hydra: 5.11.87, 2014-03-05
F-Secure Online: 13.50.112, 0-00-00
F-Secure Gemini: 3.02.208, 2014-02-26
Scan-Optionen:
Alle Dateien scannen
Archive scannen
Aktionen:
Viren: Nach Scannen fragen
Spyware: Nach Scannen fragen

Regards
Jerot
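As an added example (not code from this thread, nor from FRST, Malwarebytes or F-Secure), here is a small Python triage script that reads the autorun-related lines of an FRST report and flags the three persistence patterns visible in the logs of this thread: a rundll32 entry loading a DLL from a user-writable directory (the Conduit BackgroundContainer hit above), an Internet Explorer search scope pointing at a provider outside an allowlist (the incredibar entry), and a Chrome extension force-installed via HKLM from a .crx in Temp. The sample lines are copied from the FRST.txt posted later in this thread; the rule names, severities, the list of user-writable directory markers and the trusted-host allowlist are this editor's assumptions.

```python
"""Triage FRST autorun lines for the PUP persistence patterns seen in this thread.

Added example by the editor; the rules, severities and allowlist are assumptions,
not part of FRST, Malwarebytes or F-Secure.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the FRST.txt posted in this thread.
SAMPLE_FRST = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2280232 2010-07-29] (Synaptics Incorporated)
HKU\S-1-5-21-3551491834-2705507183-1249083949-1001\...\Run: [Google Update] - C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-10] (Google Inc.)
HKU\S-1-5-21-3551491834-2705507183-1249083949-1001\...\Run: [uTorrent] - "C:\Users\Marc\Downloads\uTorrent.exe" /MINIMIZED
HKU\S-1-5-21-3551491834-2705507183-1249083949-1001\...\Run: [BackgroundContainer] - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = hxxp://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6R8pphF2hk&i=26
CHR HKLM-x32\...\Chrome\Extension: [leocdeigfnkaojcapikdjcdbedcjmffc] - C:\Users\Marc\AppData\Local\Temp\ccex.crx [2012-03-07]
"""

RUN_RE = re.compile(r'^(?P<hive>HK\S*?)\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] - (?P<cmd>.*)$')
SCOPE_RE = re.compile(r'^SearchScopes: (?P<hive>\S+) - (?:DefaultScope )?(?P<guid>\{[^}]+\}) URL = ?(?P<url>.*)$')
EXT_RE = re.compile(r'^CHR \S*Chrome\\Extension: \[(?P<ext_id>\w+)\] - (?P<path>.*?)(?: \[\d{4}-\d{2}-\d{2}\])?$')

# Directories a standard user can write to: an autostarted DLL or EXE from here needed
# no admin rights to plant, which is where adware like Conduit lives (assumption).
USER_WRITABLE = ('\\appdata\\', '\\users\\public\\', '\\temp\\', '\\downloads\\', '\\programdata\\')
# Constructed allowlist of search providers that are not treated as a hijack.
TRUSTED_SEARCH_HOSTS = {'www.google.com', 'www.google.ch', 'www.bing.com', 'search.yahoo.com'}


@dataclass
class Finding:
    severity: str
    rule: str
    name: str
    detail: str


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def extract_paths(cmd: str) -> list:
    """Return the file paths a Run command references (quoted ones, or the bare image path)."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    if quoted:
        return quoted
    m = re.match(r'(?P<p>.*?\.(?:exe|dll|vbs|scr|cmd|bat))\b', cmd, re.I)
    return [m.group('p')] if m else cmd.split()[:1]


def triage(report: str) -> list:
    """Scan FRST report text and return Findings in report order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            name, cmd = m['name'], m['cmd']
            paths = extract_paths(cmd)
            host = paths[0].lower() if paths else ''
            payloads = [p for p in paths if in_user_writable(p)]
            # rundll32 hosting a DLL from a user-writable directory is the
            # Conduit BackgroundContainer pattern from the Malwarebytes hit.
            if 'rundll32' in host and any(p.lower().endswith('.dll') for p in payloads):
                findings.append(Finding('high', 'rundll32-user-dll', name, payloads[0]))
            elif payloads:
                findings.append(Finding('low', 'user-writable-autorun', name, payloads[0]))
        elif m := SCOPE_RE.match(line):
            url = m['url'].strip()
            if url:
                # FRST defangs URLs as hxxp; restore the scheme so urlparse finds the host.
                host = urlparse(url.replace('hxxp', 'http', 1)).hostname or ''
                if host not in TRUSTED_SEARCH_HOSTS:
                    findings.append(Finding('medium', 'search-scope-hijack', m['guid'], host))
        elif m := EXT_RE.match(line):
            # A Chrome extension force-installed via HKLM from a .crx in Temp matches
            # the uTorrentBar_DE extension entry in this log.
            if in_user_writable(m['path']):
                findings.append(Finding('high', 'extension-from-temp', m['ext_id'], m['path']))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_FRST):
        print(f'[{f.severity:6}] {f.rule:22} {f.name}: {f.detail}')
```

The script reports the DLL path, not just the registry value: a Run value that Malwarebytes deletes can simply be recreated as long as the payload under AppData\Local\Conduit stays on disk, so a triage should name the file that has to go as well as the autostart entry. Per-user legitimate software such as Google Update also lives under AppData, which is why bare user-writable autoruns are only reported as low severity for review.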
06.03.2014, 11:49 | #2 |
/// the machine /// TB-Ausbilder

Hi,

please always post logs in the thread. If necessary, split them up and use several posts. I can't open attachments at work, thanks.

This is how it works: posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
06.03.2014, 12:09 | #3 |
Hello schrauber,

sorry, I just wanted to have everything in one post.

FRST Logfile:
Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-03-2014 Ran by Marc (administrator) on MARC-PC on 06-03-2014 09:02:25 Running from C:\Users\Marc\Downloads Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\fshoster32.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\FSGK32.EXE (Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe (NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.) 
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\fssm32.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSHDLL64.EXE (CyberLink Corp.) C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe (CyberLink) C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe (Intel Corporation) C:\Windows\System32\igfxtray.exe (Intel Corporation) C:\Windows\System32\hkcmd.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Google Inc.) C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe (Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe (NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe (Dolby Laboratories Inc.) C:\DOLBY PCEE4\pcee4.exe (CyberLink Corp.) C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe (Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\fshoster32.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSM32.EXE (Dritek System Inc.) 
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Google Inc.) C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Google Inc.) C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) 
C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [IntelTBRunOnce] - wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2280232 2010-07-29] (Synaptics Incorporated) HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11785832 2011-03-10] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2189416 2011-03-09] (Realtek Semiconductor) HKLM\...\Run: [Power Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-23] (Acer Incorporated) HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-14] (Intel Corporation) HKLM-x32\...\Run: [SuiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [340336 2010-09-28] (Egis Technology Inc.) HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920 2010-09-18] (Egis Technology Inc.) HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201584 2010-09-18] (Egis Technology Inc.) HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation) HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-28] (Adobe Systems Incorporated) HKLM-x32\...\Run: [BackupManagerTray] - C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe [297280 2011-02-15] (NTI Corporation) HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.) HKLM-x32\...\Run: [Dolby Advanced Audio v2] - C:\Dolby PCEE4\pcee4.exe [506712 2011-02-03] (Dolby Laboratories Inc.) 
HKLM-x32\...\Run: [ArcadeMovieService] - C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe [177448 2011-02-19] (CyberLink Corp.) HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.) HKLM-x32\...\Run: [F-Secure Hoster (45119)] - C:\Program Files (x86)\Internet Security\fshoster32.exe [183864 2012-11-26] (F-Secure Corporation) HKLM-x32\...\Run: [F-Secure Manager] - C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSM32.EXE [310992 2012-10-18] (F-Secure Corporation) HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.) HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.) HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\.DEFAULT\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} HKU\S-1-5-21-3551491834-2705507183-1249083949-1001\...\Run: [Google Update] - C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-10] (Google Inc.) 
HKU\S-1-5-21-3551491834-2705507183-1249083949-1001\...\Run: [uTorrent] - "C:\Users\Marc\Downloads\uTorrent.exe" /MINIMIZED HKU\S-1-5-21-3551491834-2705507183-1249083949-1001\...\Run: [BackgroundContainer] - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [226920 2011-02-21] (NVIDIA Corporation) AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [192616 2011-02-21] (NVIDIA Corporation) Startup: C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = hxxp://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6R8pphF2hk&i=26 BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.) BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.) 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 Chrome: ======= CHR HomePage: hxxp://www.google.ch/ CHR Plugin: (Remoting Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Users\Marc\AppData\Local\Google\Chrome\Application\32.0.1700.102\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Users\Marc\AppData\Local\Google\Chrome\Application\32.0.1700.102\pdf.dll () CHR Plugin: (Shockwave Flash) - C:\Users\Marc\AppData\Local\Google\Chrome\Application\32.0.1700.102\gcswf32.dll No File CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.477_0\plugin/npUrlAdvisor.dll No File CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\12.0.0.477_0\plugin/npVKPlugin.dll No File CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\12.0.0.374_0\plugin/npABPlugin.dll No File CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.) 
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) CHR Plugin: (Java(TM) Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () CHR Plugin: (Google Update) - C:\Users\Marc\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File CHR Extension: (YouTube) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-22] CHR Extension: (Google-Suche) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-22] CHR Extension: (uTorrentBar_DE) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\leocdeigfnkaojcapikdjcdbedcjmffc [2012-04-09] CHR Extension: (Google Wallet) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26] CHR Extension: (Google Mail) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-22] CHR HKLM-x32\...\Chrome\Extension: [leocdeigfnkaojcapikdjcdbedcjmffc] - C:\Users\Marc\AppData\Local\Temp\ccex.crx [2012-03-07] CHR StartMenuInternet: Google Chrome - C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe ==================== Services (Whitelisted) ================= R2 fshoster; C:\Program Files (x86)\Internet Security\fshoster32.exe [183864 2012-11-26] (F-Secure Corporation) R3 FSMA; C:\Program Files (x86)\Internet 
Security\apps\ComputerSecurity\Common\FSMA32.EXE [208592 2012-10-18] (F-Secure Corporation) R2 FSORSPClient; C:\Program Files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe [60352 2013-06-29] (F-Secure Corporation) R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation) R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation) S2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [X] ==================== Drivers (Whitelisted) ==================== R3 F-Secure Gatekeeper; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys [203304 2014-03-05] (F-Secure Corporation) R1 F-Secure HIPS; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\HIPS\drivers\fshs.sys [69480 2014-03-05] (F-Secure Corporation) R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2013-01-19] () R0 fsbts; C:\Windows\SysWOW64\Drivers\fsbts.sys [42672 2013-01-19] () R3 fsni; C:\Program Files (x86)\Internet Security\apps\CCF_Scanning\fsni64.sys [80832 2013-04-25] (F-Secure Corporation) R1 fsvista; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys [14032 2012-10-18] () ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-03-06 09:02 - 2014-03-06 09:02 - 00017071 _____ () C:\Users\Marc\Downloads\FRST.txt 2014-03-06 09:02 - 2014-03-06 09:02 - 00000000 ____D () C:\FRST 2014-03-06 08:59 - 2014-03-06 08:59 - 02156544 _____ (Farbar) C:\Users\Marc\Downloads\FRST64.exe 2014-03-06 08:03 - 2013-12-21 10:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-03-06 08:03 - 2013-12-21 09:56 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-03-05 13:44 - 2014-03-05 13:44 - 00001117 _____ () C:\Users\Public\Desktop\ Malwarebytes 
Anti-Malware .lnk 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\Users\Marc\AppData\Roaming\Malwarebytes 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-03-05 13:44 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-03-05 13:37 - 2014-03-05 13:37 - 00392232 _____ (F-Secure Corporation) C:\Users\Marc\Downloads\swisscom-d1947420-a462-11e3-b453-123143002408.exe 2014-03-05 13:17 - 2014-03-05 13:19 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Marc\Downloads\mbam-setup-1.75.0.1300.exe ==================== One Month Modified Files and Folders ======= 2014-03-06 09:02 - 2014-03-06 09:02 - 00017071 _____ () C:\Users\Marc\Downloads\FRST.txt 2014-03-06 09:02 - 2014-03-06 09:02 - 00000000 ____D () C:\FRST 2014-03-06 08:59 - 2014-03-06 08:59 - 02156544 _____ (Farbar) C:\Users\Marc\Downloads\FRST64.exe 2014-03-06 08:36 - 2009-07-14 05:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-03-06 08:36 - 2009-07-14 05:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-03-06 08:33 - 2011-06-21 10:07 - 01877217 _____ () C:\Windows\WindowsUpdate.log 2014-03-06 08:31 - 2011-09-22 09:23 - 00000000 ____D () C:\ProgramData\clear.fi 2014-03-06 08:28 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-03-06 08:28 - 2009-07-14 05:51 - 00081080 _____ () C:\Windows\setupact.log 2014-03-06 08:27 - 2010-11-21 04:47 - 00138432 _____ () C:\Windows\PFRO.log 2014-03-06 08:26 - 2011-10-10 18:27 - 00001116 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA.job 2014-03-06 08:22 - 2011-09-26 18:29 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-03-06 08:20 - 2011-06-21 
10:44 - 00657056 _____ () C:\Windows\system32\perfh007.dat 2014-03-06 08:20 - 2011-06-21 10:44 - 00131494 _____ () C:\Windows\system32\perfc007.dat 2014-03-06 08:20 - 2009-07-14 06:13 - 01528714 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-03-06 08:11 - 2012-08-16 09:20 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-03-05 17:56 - 2012-04-09 17:00 - 00000000 ____D () C:\Program Files (x86)\uTorrentBar_DE 2014-03-05 13:44 - 2014-03-05 13:44 - 00001117 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\Users\Marc\AppData\Roaming\Malwarebytes 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-03-05 13:37 - 2014-03-05 13:37 - 00392232 _____ (F-Secure Corporation) C:\Users\Marc\Downloads\swisscom-d1947420-a462-11e3-b453-123143002408.exe 2014-03-05 13:19 - 2014-03-05 13:17 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Marc\Downloads\mbam-setup-1.75.0.1300.exe 2014-03-05 13:19 - 2011-10-10 18:27 - 00001064 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core.job 2014-03-05 13:15 - 2012-08-16 09:20 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-03-05 13:15 - 2012-08-16 09:20 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-03-05 13:15 - 2012-08-16 09:20 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-03-05 13:14 - 2011-10-10 18:27 - 00004084 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA 2014-03-05 13:14 - 2011-10-10 18:27 - 00003688 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core Some content of TEMP: ==================== 
C:\Users\Marc\AppData\Local\Temp\autorun.dll C:\Users\Marc\AppData\Local\Temp\drm_dyndata_7390006.dll C:\Users\Marc\AppData\Local\Temp\fft56AD.tmp.exe C:\Users\Marc\AppData\Local\Temp\fsclm.dll C:\Users\Marc\AppData\Local\Temp\fsols_launcher.exe C:\Users\Marc\AppData\Local\Temp\fsonlinescanner.exe C:\Users\Marc\AppData\Local\Temp\fsprod.dll C:\Users\Marc\AppData\Local\Temp\fssfm.dll C:\Users\Marc\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe C:\Users\Marc\AppData\Local\Temp\ose00000.exe C:\Users\Marc\AppData\Local\Temp\preconfig.exe C:\Users\Marc\AppData\Local\Temp\Tsu-0920.dll C:\Users\Marc\AppData\Local\Temp\Tsu-1E3C.dll C:\Users\Marc\AppData\Local\Temp\utt8588.tmp.exe C:\Users\Marc\AppData\Local\Temp\wmpfirefoxplugin.exe C:\Users\Marc\AppData\Local\Temp\xmllite.dll C:\Users\Marc\AppData\Local\Temp\{2215ED68-958E-4F65-98BD-F70A7E036AB3}-33.0.1750.146_32.0.1700.102_chrome_updater.exe C:\Users\Marc\AppData\Local\Temp\{7CAA9981-6037-4DD7-AC03-06CEDE5563BF}-29.0.1547.66_29.0.1547.57_chrome_updater.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-01-31 16:10 ==================== End Of Log ============================ --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- FRST Addition: Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-03-2014 Ran by Marc at 2014-03-06 09:03:13 Running from C:\Users\Marc\Downloads Boot Mode: Normal ========================================================== ==================== Security Center ======================== AV: Computer Security (Enabled - Up to date) {15414183-282E-D62C-CA37-EF24860A2F17} AS: Computer Security (Enabled - Up to date) {AE20A067-0E14-D9A2-F087-D456FD8D65AA} AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== 1912 Titanic Mystery (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-117897550}) (Version: - Oberon Media) 7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov) Acer Backup Manager (HKLM-x32\...\InstallShield_{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}) (Version: 3.0.0.85 - NTI Corporation) Acer Crystal Eye Webcam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 1.0.1510 - CyberLink Corp.) Acer Crystal Eye Webcam (x32 Version: 1.0.1510 - CyberLink Corp.) Hidden Acer ePower Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 6.00.3006 - Acer Incorporated) Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 5.00.3002 - Acer Incorporated) Acer GameZone Console (HKLM-x32\...\{C97623E2-0614-4845-B199-8E8BEC8E131C}_is1) (Version: 6.1.0.40497 - Oberon Media, Inc.) 
Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.03.3004 - Acer Incorporated) Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.1130.2010 - Acer Incorporated) Acer Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.02.3005 - Acer Incorporated) Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated) Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.) Adobe AIR (x32 Version: 1.5.0.7220 - Adobe Systems Inc.) Hidden Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.70 - Adobe Systems Incorporated) Adobe Reader 9.1 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated) Apple Application Support (HKLM-x32\...\{CCE825DB-347A-4004-A186-5F4A6FDD8547}) (Version: 2.3.2 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{D70884EA-E2CE-4539-91DB-4766CC1E5F5F}) (Version: 6.0.1.3 - Apple Inc.) Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.) Backup Manager V3 (x32 Version: 3.0.0.85 - NTI Corporation) Hidden Bejeweled 2 Deluxe (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110265407}) (Version: - Oberon Media) Belles Beauty Boutique (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112623650}) (Version: - Oberon Media) Bing Bar (HKLM-x32\...\{1E03DB52-D5CB-4338-A338-E526DD4D4DB1}) (Version: 7.0.610.0 - Microsoft Corporation) Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.) 
Broadcom Card Reader Driver Installer (HKLM\...\{4710662C-8204-4334-A977-B1AC9E547819}) (Version: 14.6.1.2 - Broadcom Corporation)
Broadcom Gigabit NetLink Controller (HKLM\...\{C91DCB72-F5BB-410D-A91A-314F5D1B4284}) (Version: 14.6.1.2 - Broadcom Corporation)
CDisplayEx 1.9.5 (HKLM\...\CDisplayEx_is1) (Version: - cdisplayex.com)
Chicken Invaders 3 (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112531267}) (Version: - Oberon Media)
clear.fi (HKLM-x32\...\InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}) (Version: 1.0.1422.00 - CyberLink Corp.)
clear.fi (x32 Version: 1.0.1422.00 - CyberLink Corp.) Hidden
clear.fi (x32 Version: 9.0.7418 - CyberLink Corp.) Hidden
clear.fi Client (HKLM-x32\...\{43AAE145-83CF-4C96-9A5E-756CEFCE879F}) (Version: 1.00.3008 - Acer Incorporated)
Computer Security 12.71.102.0 (release) (x32 Version: 12.71.102.0 - F-Secure Corporation) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{81FB7C60-565A-4869-9D90-3BE1D270E8B7}) (Version: - Microsoft)
Dolby Advanced Audio v2 (HKLM-x32\...\{B9E70C7A-9F85-4A39-A4A3-BFA3C3BF7613}) (Version: 7.2.7000.4 - Dolby Laboratories Inc)
Dream Day First Home (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113832110}) (Version: - Oberon Media)
Farm Frenzy 3 Ice Age (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-118399487}) (Version: - Oberon Media)
Flip Words (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110109903}) (Version: - Oberon Media)
Fotogalerija Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
F-Secure CCF Reputation (x32 Version: 1.0.25.1877 - F-Secure) Hidden
F-Secure CCF Scanning 1.23.124.8831 (release) (x32 Version: 1.23.124.8831 - F-Secure Corporation) Hidden
F-Secure Network CCF 1.02.126 (x32 Version: 1.02.126 - F-Secure Corporation) Hidden
Galapago (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}) (Version: - Oberon Media)
Galeria de Fotografias do Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galería fotográfica de Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotogràfica del Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotografii usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie foto Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
GIMP 2.8.2 (HKLM\...\GIMP-2_is1) (Version: 2.8.2 - The GIMP Team)
Google Chrome (HKCU\...\Google Chrome) (Version: 32.0.1700.102 - Google Inc.)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3006 - Acer Incorporated)
Incredibar Toolbar on IE (HKLM-x32\...\incredibar) (Version: - ) <==== ATTENTION
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2342 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.0.0.1046 - Intel Corporation)
Intel(R) Turbo Boost Technology Monitor 2.0 (HKLM\...\{B77EFA0B-9BD3-4122-9F9A-15A963B5EA24}) (Version: 2.0.82.0 - Intel)
Interdiscount Fotoservice (HKLM-x32\...\Interdiscount Fotoservice) (Version: - )
iTunes (HKLM\...\{0E5D76AD-A3FB-48D5-8400-8903B10317D3}) (Version: 11.0.1.12 - Apple Inc.)
Java Auto Updater (x32 Version: 2.1.6.0 - Sun Microsystems, Inc.) Hidden
Java(TM) 6 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)
Java(TM) 7 Update 5 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217005FF}) (Version: 7.0.50 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Launch Manager (HKLM-x32\...\LManager) (Version: 5.1.4 - Acer Inc.)
Launch Pad (HKLM-x32\...\F-Secure ServiceEnabler 45119) (Version: 1.71.340.0 - F-Secure Corporation)
Launch Pad (x32 Version: 1.71.340.0 - F-Secure Corporation) Hidden
Malwarebytes Anti-Malware Version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
MediaEspresso (x32 Version: 1.0.1418_35759 - CyberLink Corp.) Hidden
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile DEU Language Pack (HKLM\...\Microsoft .NET Framework 4 Client Profile DEU Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Access MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Italian) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (German) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MyWinLocker (Version: 4.0.14.11 - Egis Technology Inc.) Hidden
MyWinLocker 4 (x32 Version: 4.0.14.11 - Egis Technology Inc.) Hidden
MyWinLocker Suite (HKLM-x32\...\InstallShield_{17DF9714-60C9-43C9-A9C2-32BCAED44CBE}) (Version: 4.0.14.11 - Egis Technology Inc.)
MyWinLocker Suite (x32 Version: 4.0.14.11 - Egis Technology Inc.) Hidden
newsXpresso (HKLM-x32\...\InstallShield_{613C0AC5-3A67-4B94-8B13-9176AD83F5BF}) (Version: 1.0.0.40 - esobi Inc.)
newsXpresso (x32 Version: 1.0.0.40 - esobi Inc.) Hidden
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.17869 - Symantec Corporation)
NTI Media Maker 9 (HKLM-x32\...\InstallShield_{D3D5C4E8-040F-4C6F-8105-41D43CF94F44}) (Version: 9.0.2.8942 - NTI Corporation)
NTI Media Maker 9 (x32 Version: 9.0.2.8942 - NTI Corporation) Hidden
NVIDIA Control Panel 267.21 (Version: 267.21 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 267.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 267.21 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.265.39.0 - NVIDIA Corporation) Hidden
NVIDIA PhysX (HKLM-x32\...\{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}) (Version: 9.10.0514 - NVIDIA Corporation)
Online Safety 2.71.927.655 (x32 Version: 2.71.927.655 - F-Secure Corporation) Hidden
OpenProj (HKLM-x32\...\{13702021-43FB-480C-912F-D9B74A538288}) (Version: 1.4.0 - Serena Software Inc.)
Poczta usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Podstawowe programy Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Pošta Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6329 - Realtek Semiconductor Corp.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version: - Microsoft) Hidden
Shredder (Version: 2.0.8.7 - Egis Technology Inc.) Hidden
Shredder (x32 Version: 2.0.8.7 - Egis Technology Inc.) Hidden
Sprill and Ritchie (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-117932650}) (Version: - Oberon Media)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.1.6.0 - Synaptics Incorporated)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2836939v3) (Version: 3 - Microsoft Corporation)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{001E8BF3-EDC3-4D5E-9C11-1D0E599B6497}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{001E8BF3-EDC3-4D5E-9C11-1D0E599B6497}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2837583) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E21274CE-CA0C-49FA-93F4-DC292A052264}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0407-0000-0000000FF1CE}_Office14.SingleImage_{C70D2038-A2C4-4A99-87DE-5272BB44F0CE}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{B5C70C99-B109-42FD-B219-FF12CA543F19}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0407-0000-0000000FF1CE}_Office14.SingleImage_{81812245-FC84-426A-BC02-6659C88CC7B2}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version: - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version: - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version: - Microsoft)
uTorrentBar_DE Toolbar (HKLM-x32\...\uTorrentBar_DE Toolbar) (Version: 6.8.5.1 - uTorrentBar_DE) <==== ATTENTION
VidSplitter (HKLM-x32\...\VidSplitter_is1) (Version: - GeoVid)
Welcome Center (HKLM-x32\...\Acer Welcome Center) (Version: 1.02.3102 - Acer Incorporated)
Windows Live Argazki Galeria (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Fotogaléria (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Fotogalerie (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Fotogalleri (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Fotoğraf Galerisi (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Fotótár (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Galeria de Fotos (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Galerija fotografija (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Temel Parçalar (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live 影像中心 (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live 程式集 (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Liven asennustyökalu (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Liven sähköposti (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Liven valokuvavalikoima (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
WinRAR 4.01 (32-Bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)
World of Goo (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-116672750}) (Version: - Oberon Media)
Συλλογή φωτογραφιών του Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Основные компоненты Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Почта Windows Live (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт) Hidden
Фотоальбом Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Фотогалерия на Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
גלריית התמונות של Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
بريد Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
معرض صور Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Restore Points =========================

08-12-2013 12:59:45 Scheduled Checkpoint
15-12-2013 11:11:59 Windows Update
17-12-2013 16:47:04 Windows Update
31-01-2014 15:16:51 Scheduled Checkpoint
01-02-2014 02:00:19 Windows Update
06-03-2014 07:01:34 Windows Update

==================== Hosts content: ==========================

2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {0030E010-7F2A-440F-AD44-0467F69F0D85} - System32\Tasks\DMREngine => C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe [2011-02-22] (CyberLink)
Task: {0B3AAC88-2335-4ED8-869D-42427D1021B3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA => C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-10] (Google Inc.)
Task: {3CCA28EC-7EC4-475B-BC5D-6F0294B71314} - System32\Tasks\clear.fiAgent => C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe [2011-02-22] (CyberLink Corp.)
Task: {47CEB040-9475-4787-B6DA-6CAEE4189C46} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-05] (Adobe Systems Incorporated)
Task: {70E6C6BE-2B54-4A58-BBF1-9A4BA6825D06} - System32\Tasks\clear.fi => C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fi.exe [2011-02-22] (Acer Incorporated)
Task: {A1FC770E-4755-43B5-938B-72B5848E5944} - System32\Tasks\BackgroundContainer Startup Task => Rundll32.exe "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <==== ATTENTION
Task: {F7656026-DAFB-4799-83F0-2D01258CFFF6} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core => C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-10] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core.job => C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA.job => C:\Users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2009-01-22 00:45 - 2009-01-22 00:45 - 01401856 _____ () C:\Program Files (x86)\EgisTec MyWinLocker\x64\LIBEAY32.dll
2011-12-30 19:25 - 2011-05-28 22:05 - 00164864 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll
2011-04-06 12:14 - 2011-03-26 01:28 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\Temp:4D066AD2
AlternateDataStreams: C:\ProgramData\Temp:5925E400
AlternateDataStreams: C:\ProgramData\Temp:5D458568
AlternateDataStreams: C:\ProgramData\Temp:9B750A13

==================== Safe Mode (whitelisted) ===================

==================== Disabled items from MSCONFIG ==============

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (03/06/2014 09:03:22 AM) (Source: FSecure-FSecure-F-Secure DeepGuard) (User: )
Description: 1 2014-03-06 09:03:22+02:00 MARC-PC SYSTEM F-Secure DeepGuard
Application was blocked. This was determined to be a high-risk application by system control heuristics.
Application path: \\?\c:\windows\mod_frst.exe
File hash: 4bb423ae4bf7b46ba1cd43c521cf9314c03cf8c4

Error: (03/06/2014 08:29:45 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/06/2014 08:10:08 AM) (Source: Application Hang) (User: )
Description: The program mbam.exe version 1.75.0.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 11e4
Start Time: 01cf390a716be9ab
Termination Time: 16
Application Path: C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
Report Id: 4b17a536-a4fe-11e3-ad36-b870f49f769e

Error: (03/06/2014 07:54:36 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 05:59:48 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 02:51:23 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 02:10:35 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 01:08:34 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2014 10:08:24 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/01/2014 07:18:00 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1". Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3. The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.
System errors:
=============
Error: (03/06/2014 08:31:04 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (03/06/2014 08:31:04 AM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7hxxp://+:10243/WMPNSSv4/2811996591/

Error: (03/06/2014 08:31:04 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (03/06/2014 08:31:04 AM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7hxxp://+:10243/WMPNSSv4/2811996591/

Error: (03/06/2014 08:28:18 AM) (Source: Service Control Manager) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error: %%2

Error: (03/06/2014 07:55:30 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (03/06/2014 07:55:30 AM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7hxxp://+:10243/WMPNSSv4/2811996591/

Error: (03/06/2014 07:55:30 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (03/06/2014 07:55:30 AM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7hxxp://+:10243/WMPNSSv4/2811996591/

Error: (03/06/2014 07:53:34 AM) (Source: Service Control Manager) (User: )
Description: The McAfee SiteAdvisor Service service failed to start due to the following error: %%2

Microsoft Office Sessions:
=========================
Error: (03/06/2014 09:03:22 AM) (Source: FSecure-FSecure-F-Secure DeepGuard)(User: )
Description: 1 2014-03-06 09:03:22+02:00 MARC-PC SYSTEM F-Secure DeepGuard
Application was blocked. This was determined to be a high-risk application by system control heuristics.
Application path: \\?\c:\windows\mod_frst.exe
File hash: 4bb423ae4bf7b46ba1cd43c521cf9314c03cf8c4

Error: (03/06/2014 08:29:45 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/06/2014 08:10:08 AM) (Source: Application Hang)(User: )
Description: mbam.exe1.75.0.111e401cf390a716be9ab16C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe4b17a536-a4fe-11e3-ad36-b870f49f769e

Error: (03/06/2014 07:54:36 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 05:59:48 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 02:51:23 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 02:10:35 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/05/2014 01:08:34 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/02/2014 10:08:24 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/01/2014 07:18:00 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

CodeIntegrity Errors:
===================================
Date: 2012-08-23 11:57:28.688
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-23 11:57:28.666
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-22 21:25:40.978
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Date: 2012-08-22 21:25:40.963
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-11 15:46:01.828
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-11 15:46:01.781
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-11 15:04:57.601
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-11 15:04:57.554
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-10 14:28:14.314
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-08-10 14:28:14.300
Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\Users\Marc\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
==================== Memory info ===========================

Percentage of memory in use: 45%
Total physical RAM: 3947.86 MB
Available physical RAM: 2162 MB
Total Pagefile: 7893.9 MB
Available Pagefile: 5707.56 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:450.66 GB) (Free:337.2 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 3F1DE35C)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451 GB) - (Type=07 NTFS)

==================== End Of Log ============================

MBAM: Log 1:
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.05.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Marc :: MARC-PC [Administrator]

05.03.2014 13:49:03
mbam-log-2014-03-05 (13-49-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 261893
Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Marc\AppData\Local\TBHostSupport\TBHostSupport_0.dll (PUP.Optional.Conduit) -> Delete on reboot.

Registry Keys Detected: 21
HKCR\CLSID\{2E61BEA4-D5C3-443E-92B7-672B0E36D5FE} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCR\Toolbar.CT2851647 (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E61BEA4-D5C3-443E-92B7-672B0E36D5FE} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2E61BEA4-D5C3-443E-92B7-672B0E36D5FE} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCR\CLSID\{c840e246-6b95-475e-9bd7-caa1c7eca9f2} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCR\CLSID\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCR\Incredibar.IncredibarHlpr.1 (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCR\Incredibar.IncredibarHlpr (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCR\CLSID\{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCR\Incredibar.dskBnd.1 (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCR\Incredibar.dskBnd (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\PriceGong (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
HKCU\Software\Conduit\ValueApps (PUP.Optional.ValueApps.A) -> Quarantined and deleted successfully.

Registry Values Detected: 8
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Data: Fâ@È•k^G›×Ê¡Çì©ò -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Data: uTorrentBar_DE Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} (PUP.Optional.Conduit) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> Data: Incredibar Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TBHostSupport (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\TBHostSupport\TBHostSupport_0.dll",DLLRunTBHostSupportPlugin -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\Marc\AppData\Local\Temp\CT2851647 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\TBHostSupport (PUP.Optional.Conduit) -> Delete on reboot.

Files Detected: 6
C:\Program Files (x86)\uTorrentBar_DE\prxtbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\Conduit\CT2851647\uTorrentBar_DEAutoUpdateHelper.exe (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\Temp\CT2851647\CT2851647.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\Temp\CT2851647\manifest.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\TBHostSupport\TBHostSupport.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\TBHostSupport\TBHostSupport_0.dll (PUP.Optional.Conduit) -> Delete on reboot.

(end)
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.05.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Marc :: MARC-PC [Administrator]

05.03.2014 14:35:01
mbam-log-2014-03-05 (14-35-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 261549
Time elapsed: 13 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.05.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Marc :: MARC-PC [Administrator]

05.03.2014 14:54:08
mbam-log-2014-03-05 (14-54-08).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 496561
Time elapsed: 2 hour(s), 6 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Program Files (x86)\uTorrentBar_DE\hk64tbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Program Files (x86)\uTorrentBar_DE\hktbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Program Files (x86)\uTorrentBar_DE\ldrtbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Program Files (x86)\uTorrentBar_DE\tbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Program Files (x86)\uTorrentBar_DE\uTorrentBar_DEToolbarHelper1.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\LocalLow\uTorrentBar_DE\hk64tbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\LocalLow\uTorrentBar_DE\hktbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\LocalLow\uTorrentBar_DE\ldrtbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\LocalLow\uTorrentBar_DE\tbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

(end)
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.06.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Marc :: MARC-PC [Administrator]

06.03.2014 08:10:42
mbam-log-2014-03-06 (08-10-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262089
Time elapsed: 15 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.06.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Marc :: MARC-PC [Administrator]

06.03.2014 11:01:30
mbam-log-2014-03-06 (11-01-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262430
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
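Across the five MBAM logs above the same autostart value, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer, is reported and removed in every scan, while the DLL it launches (C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll) never appears among the detected files: only the registry value has been touched so far. Spotting that by eye in a long paste is error-prone, so here is an added example (editor's code, not from Malwarebytes and not part of the forum post) that parses MBAM 1.x logs and reports detections that recur across scans and rundll32-launched DLLs that were never listed as detected. SAMPLE_LOGS is constructed and shortened from the logs posted above; the regexes are written for the MBAM 1.75 log layout shown here and accept both the English "Data:" and the German "Daten:" label.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x text logs.

Added example for this page (not Malwarebytes code, not from the post).
Splits a pasted bundle of MBAM logs into scans, extracts every detection line
and reports (1) items detected in more than one scan and (2) Run values that
launch rundll32.exe with a DLL, flagging whether that DLL was itself ever
listed as a detected item.  SAMPLE_LOGS is constructed and abbreviated.
"""
import re

SAMPLE_LOGS = r"""
Malwarebytes Anti-Malware 1.75.0.1300
Marc :: MARC-PC [Administrator]
05.03.2014 13:49:03
mbam-log-2014-03-05 (13-49-03).txt
Memory Processes Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TBHostSupport (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\TBHostSupport\TBHostSupport_0.dll",DLLRunTBHostSupportPlugin -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.
Files Detected: 2
C:\Program Files (x86)\uTorrentBar_DE\prxtbuTo2.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Marc\AppData\Local\TBHostSupport\TBHostSupport_0.dll (PUP.Optional.Conduit) -> Delete on reboot.
(end)
Malwarebytes Anti-Malware 1.75.0.1300
mbam-log-2014-03-05 (14-35-01).txt
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.
(end)
Malwarebytes Anti-Malware 1.75.0.1300
mbam-log-2014-03-06 (08-10-42).txt
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.
(end)
"""

# One detection line: <item> (<classification>) -> [Data: <data> -> ]<action>.
# Registry values carry "Key|ValueName" as the item; "Daten:" is the German UI label.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> "
    r"(?:(?:Data|Daten):\s*(?P<data>.*?)\s*-> )?"
    r"(?P<action>[^>]+?)\.?\s*$"
)
# The log file name is locale-independent, so it serves as the scan id.
LOGNAME_RE = re.compile(r"mbam-log-(\d{4}-\d{2}-\d{2}) \((\d{2})-(\d{2})-(\d{2})\)\.txt")
# rundll32.exe "<dll>",<export>  ->  capture the DLL path
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def split_scans(text):
    """Return one dict per scan: {"id": "YYYY-MM-DD HH:MM:SS", "entries": [...]}."""
    scans = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Malwarebytes Anti-Malware"):
            scans.append({"id": None, "entries": []})
            continue
        if not scans:
            continue
        m = LOGNAME_RE.search(line)
        if m:
            scans[-1]["id"] = "{} {}:{}:{}".format(*m.groups())
            continue
        m = DETECTION_RE.match(line)
        if m:
            scans[-1]["entries"].append({
                "item": m.group("item"), "cls": m.group("cls"),
                "data": m.group("data") or "", "action": m.group("action").strip()})
    return scans


def recurring(scans):
    """Map every item detected in more than one scan to the ids of those scans."""
    hits = {}
    for scan in scans:
        for e in scan["entries"]:
            ids = hits.setdefault(e["item"], [])
            if scan["id"] not in ids:
                ids.append(scan["id"])
    return {item: ids for item, ids in hits.items() if len(ids) > 1}


def rundll32_payloads(scans):
    """For each Run value that launches rundll32.exe with a DLL, say whether the
    DLL was itself ever a detected item and whether it sits under the user
    profile (writable without elevation, so cheap to re-create)."""
    detected = {e["item"].lower() for s in scans for e in s["entries"]}
    out, seen = [], set()
    for scan in scans:
        for e in scan["entries"]:
            m = RUNDLL_RE.search(e["data"])
            if not m or "|" not in e["item"]:
                continue
            dll = m.group("dll")
            if (e["item"], dll.lower()) in seen:
                continue
            seen.add((e["item"], dll.lower()))
            out.append({"value": e["item"], "dll": dll,
                        "dll_detected_as_file": dll.lower() in detected,
                        "in_user_profile": "\\users\\" in dll.lower()})
    return out


if __name__ == "__main__":
    scans = split_scans(SAMPLE_LOGS)
    for item, ids in recurring(scans).items():
        print("recurs in %d scans: %s" % (len(ids), item))
    for p in rundll32_payloads(scans):
        print("%s -> %s  listed as detected file: %s  under user profile: %s"
              % (p["value"], p["dll"], p["dll_detected_as_file"], p["in_user_profile"]))
```

Run as-is it works on the constructed sample; feed the real paste to split_scans to triage it. A Run value whose DLL was never quarantined is the first thing to look at next: the value is trivial to re-create as long as the DLL it launches is still on disk, and with both living under the user profile no elevation is needed to do so.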
07.03.2014, 10:26 | #4 |
GMER Part 1:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-03-06 09:41:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001 465.76GB
Running: Gmer-19357.exe; Driver: C:\Users\Marc\AppData\Local\Temp\kwldypog.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100321018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100320018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100322018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100323018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100324018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100325018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\system32\lsm.exe[772]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100bf1018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100bf0018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100bf2018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100bf5018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100bf6018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100bf7018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\USER32.dll!SetWindowsHookExW  000000007701f874 5 bytes JMP 0000000100bf4018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\system32\USER32.dll!SetWindowsHookExA  0000000077038c20 5 bytes JMP 0000000100bf3018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\system32\winlogon.exe[856]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100501018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100500018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100502018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100505018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100506018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100507018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\system32\svchost.exe[924]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100221018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100220018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100222018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100225018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100226018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100227018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\system32\nvvsvc.exe[984]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 00000001003a1018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 00000001003a0018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 00000001003a2018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 00000001003a5018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 00000001003a6018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 00000001003a7018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\system32\svchost.exe[128]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100d51018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100d50018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100d52018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100d55018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100d56018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100d57018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\System32\svchost.exe[520]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100c31018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100c30018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100c32018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100c35018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100c36018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100c37018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\System32\svchost.exe[552]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100bd1018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100bd0018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100bd2018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100bd5018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100bd6018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100bd7018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx  000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!TerminateThread  000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!OpenMutexW  000007fefd232af0 5 bytes JMP 000007ff7f057018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx  000007fefd235470 5 bytes JMP 000007ff7f05a018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory  000007fefd254350 5 bytes JMP 000007ff7f05b018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\sechost.dll!ControlService  000007feff04642c 5 bytes JMP 000007ff7f052018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceW  000007feff046484 5 bytes JMP 000007ff7f051018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle  000007feff046518 5 bytes JMP 000007ff7f053018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\sechost.dll!OpenServiceA  000007feff046c34 5 bytes JMP 000007ff7f050018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceA  000007feff0475e8 5 bytes JMP 000007ff7f055018
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\SYSTEM32\sechost.dll!CreateServiceW  000007feff04790c 5 bytes JMP 000007ff7f054018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx  0000000077281780 5 bytes JMP 0000000100ee1018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess  0000000077281cd0 5 bytes JMP 0000000100ee0018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000077281d80 5 bytes JMP 0000000100ee2018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\system32\kernel32.dll!OpenMutexA  0000000077112ce0 5 bytes JMP 0000000100ee5018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\system32\kernel32.dll!CopyFileExW  00000000771223d0 5 bytes JMP 0000000100ee6018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\system32\kernel32.dll!CreateDirectoryExW  0000000077199150 4 bytes JMP 0000000100ee7018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\system32\KERNELBASE.dll!GetFileSize  000007fefd225140 5 bytes JMP 000007ff7f059018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW  000007fefd228100 5 bytes JMP 000007ff7f058018
.text  C:\Windows\system32\svchost.exe[624]  C:\Windows\system32\KERNELBASE.dll!CreateMutexExW  000007fefd229420 5 bytes JMP 000007ff7f056018
.text  C:\Windows\system32\svchost.exe[624]  
C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100bc1018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100bc0018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100bc2018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 
bytes JMP 0000000100bc5018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100bc6018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100bc7018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text 
C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 00000001007e1018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 00000001007e0018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 00000001007e2018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001007e5018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001007e6018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001007e7018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] 
C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1164] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 00000001007e1018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 00000001007e0018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 00000001007e2018 .text 
C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001007e5018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001007e6018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001007e7018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\nvvsvc.exe[1204] 
C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\nvvsvc.exe[1204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100be1018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100be0018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100be2018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100be5018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100be6018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100be7018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 
000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\svchost.exe[1516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010067100c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010067000c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010067200c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010067c00c .text C:\Program Files (x86)\Common Files\Apple\Mobile 
Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010067e00c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010067f00c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010068200c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010068100c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010068300c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010067b00c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010067d00c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010068500c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010068400c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [AB, 8A] .text C:\Program Files (x86)\Common 
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010068000c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010067700c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010067800c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010067a00c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 000000010067900c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010067600c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010067500c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010067400c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010067300c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\Common 
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... * 2 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100201018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100200018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100202018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100205018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100206018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100207018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Program 
Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Program Files\Bonjour\mDNSResponder.exe[1692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 00000001000b900c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 00000001000bb00c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 00000001000bc00c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 00000001000bf00c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 00000001000be00c .text C:\Program Files (x86)\Launch 
Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010023000c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 00000001000b800c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 00000001000ba00c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010023200c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 5 bytes JMP 000000010023100c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 00000001000bd00c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 00000001000b400c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 00000001000b500c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 00000001000b700c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 00000001000b600c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 00000001000b300c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 00000001000b200c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 
00000001000b100c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 00000001000b000c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... * 2 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100811018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100810018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100812018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100815018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100816018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100817018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program 
Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 00000001001b100c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 00000001001b000c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 00000001001b200c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 00000001001bc00c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 00000001001be00c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 00000001001bf00c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 00000001002d200c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 00000001002d100c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 00000001002d300c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 00000001001bb00c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 00000001001bd00c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 00000001002d500c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 00000001002d400c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [70, 8A]
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 00000001002d000c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 00000001001b400c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 00000001001b300c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 00000001001b700c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 00000001001b800c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 00000001001ba00c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 00000001001b900c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 00000001001b600c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 00000001001b500c
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75]
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75]
.text ... * 2
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100621018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100620018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100622018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100625018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100626018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100627018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Windows\system32\svchost.exe[1852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Program Files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75]
.text C:\Program Files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75]
.text ... * 2
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010003100c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010003000c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010003200c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010003a00c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010003c00c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010003d00c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010017000c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010003f00c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010017100c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010003900c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010003b00c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010017300c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 5 bytes JMP 000000010017200c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010003e00c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010003500c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 3 bytes JMP 000000010003600c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle + 4 0000000075134dc7 1 byte [8A]
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010003800c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 000000010003700c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010003400c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010003300c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75]
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75]
.text ... * 2
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010012100c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010012000c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010012200c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010012c00c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010012e00c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010012f00c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010013200c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010013100c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010013300c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010012b00c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010012d00c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010013500c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010013400c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [56, 8A]
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010013000c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010012400c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010012300c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010012700c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010012800c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010012a00c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 000000010012900c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010012600c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010012500c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75]
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75]
.text ... * 2
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100111018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100110018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100112018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100115018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100116018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100117018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 00000001023b100c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 00000001023b000c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 00000001023b200c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 00000001023bc00c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 00000001023be00c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 00000001023bf00c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 00000001023c200c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 00000001023c100c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 00000001023c300c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 00000001023bb00c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 00000001023bd00c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 00000001023c500c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 00000001023c400c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [7F, 8C]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 00000001023c000c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 00000001023b400c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 00000001023b300c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 00000001023b700c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 00000001023b800c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 00000001023ba00c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 00000001023b900c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 00000001023b600c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 00000001023b500c
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75]
.text ... * 2 |
07.03.2014, 10:29 | #5 |
| Many PUPs and Suspicious:W32/Malware!Gemini GMER Part 2: Code:
ATTFilter
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010032100c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010032000c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010032200c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010032c00c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010032e00c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010032f00c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010036200c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010036100c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010036300c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010032b00c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010032d00c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010036500c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010036400c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [79, 8A]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010036000c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010032700c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010032800c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010032a00c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 000000010032900c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010032600c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010032500c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010032400c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010032300c
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75]
.text ... * 2
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100125018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100126018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100127018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Windows\system32\svchost.exe[2208] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100075018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100076018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100077018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2468] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100125018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100126018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100127018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100141018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100140018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100142018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100145018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100146018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100147018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018
.text C:\Windows\system32\taskhost.exe[3264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100291018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100290018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100292018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100295018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100296018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100297018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018
.text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018
.text C:\Windows\system32\taskeng.exe[3304] 
C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\taskeng.exe[3304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100111018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100110018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100112018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 
0000000100115018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100116018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100117018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 
000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100171018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100170018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000100172018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100175018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100176018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000100177018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 
000007ff7f05b018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007701f874 5 bytes JMP 0000000100174018 .text C:\Windows\Explorer.EXE[3360] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077038c20 5 bytes JMP 0000000100173018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 00000001001f1018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 00000001001f0018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 00000001001f2018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001001f5018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001001f6018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001001f7018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 
bytes JMP 000007ff7f059018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\System32\igfxtray.exe[3864] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 00000001001f1018 .text 
C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 00000001001f0018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 00000001001f2018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001001f5018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001001f6018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001001f7018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\System32\hkcmd.exe[3880] 
C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\System32\hkcmd.exe[3880] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000101b41018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000101b40018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000101b42018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000101b45018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000101b46018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000101b47018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 
000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\System32\igfxpers.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 00000001001e1018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 00000001001e0018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 00000001001e2018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\kernel32.dll!OpenMutexA 
0000000077112ce0 5 bytes JMP 00000001001e5018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001001e6018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001001e7018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 
000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000101b31018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000101b30018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077281d80 5 bytes JMP 0000000101b32018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000101b35018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000101b36018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 0000000101b37018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 
000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077281780 5 bytes JMP 0000000100401018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077281cd0 5 bytes JMP 0000000100400018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 
0000000077281d80 5 bytes JMP 0000000100402018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 0000000100405018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 0000000100406018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 0000000100407018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 
000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001001e5018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001001e6018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001001e7018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] 
C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010010100c .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010010000c .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010010200c .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[3180] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 
000000010010c00c .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[3180] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010010e00c .text C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE[3180] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010010f00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010024100c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010024000c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010024200c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010024c00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010024e00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010024f00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010025200c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010025100c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010025300c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] 
C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010024b00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010024d00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010025500c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010025400c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [68, 8A] .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010025000c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010024400c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010024300c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010024700c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010024800c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010024a00c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 
000000010024900c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010024600c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010024500c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[2020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... * 2 .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010027100c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010027000c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010027200c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010027c00c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010027e00c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010027f00c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010031200c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010031100c .text C:\Program Files (x86)\EgisTec 
IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010031300c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010027b00c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010027d00c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010031500c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010031400c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [74, 8A] .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010031000c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010027400c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010027300c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010027700c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010027800c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010027a00c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 
000000010027900c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010027600c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010027500c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... * 2 .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 00000001002c100c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 00000001002c000c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 00000001002c200c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 00000001002cc00c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 00000001002ce00c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 00000001002cf00c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 00000001002d200c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 
0000000075bcdfea 5 bytes JMP 00000001002d100c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 00000001002d300c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 00000001002cb00c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 00000001002cd00c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 00000001002d500c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 00000001002d400c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [70, 8A] .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 00000001002d000c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 00000001002c400c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 00000001002c300c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 00000001002c700c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 00000001002c800c 
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 00000001002ca00c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 00000001002c900c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 00000001002c600c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 00000001002c500c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[4156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... 
* 2 .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010031100c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010031000c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010031200c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010031c00c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010031e00c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010031f00c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010033200c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010033100c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010033300c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010031b00c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010031d00c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010033500c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] 
C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010033400c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [76, 8A] .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010033000c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010031400c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010031300c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010031700c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010031800c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010031a00c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 000000010031900c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010031600c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010031500c .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\Launch Manager\LManager.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... 
* 2 .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 00000001002e100c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 00000001002e000c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 00000001002e200c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 00000001002ec00c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 00000001002ee00c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 00000001002ef00c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 00000001002f200c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 00000001002f100c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 00000001002f300c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 00000001002eb00c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 00000001002ed00c .text C:\Program Files 
(x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 00000001002f500c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 00000001002f400c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [72, 8A] .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 00000001002f000c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076c37603 5 bytes JMP 00000001002e400c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 00000001002e300c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 00000001002e700c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 00000001002e800c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 00000001002ea00c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 00000001002e900c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 00000001002e600c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] 
C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 00000001002e500c .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe[4248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010025100c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010025000c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010025200c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007503ec07 5 bytes JMP 000000010025c00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075043b2a 5 bytes JMP 000000010025e00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075098599 5 bytes JMP 000000010025f00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075bcce45 5 bytes JMP 000000010027200c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075bcdfea 5 bytes JMP 000000010027100c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075bcec98 5 bytes JMP 000000010027300c .text 
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075bd0efc 5 bytes JMP 000000010025b00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075bd1371 5 bytes JMP 000000010025d00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075bd3986 5 bytes JMP 000000010027500c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075bd3e6b 2 bytes JMP 000000010027400c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075bd3e6e 2 bytes [6A, 8A] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075bd923e 5 bytes JMP 000000010027000c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075134d5c 5 bytes JMP 000000010025700c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075134dc3 5 bytes JMP 000000010025800c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007513567c 5 bytes JMP 000000010025a00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007513589f 5 bytes JMP 000000010025900c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007513714b 5 bytes JMP 000000010025600c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] 
C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075137245 5 bytes JMP 000000010025500c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076c37603 5 bytes JMP 000000010025400c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076c3835c 5 bytes JMP 000000010025300c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... * 2 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 000000010010100c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 000000010010000c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 000000010010200c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... 
* 2 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001001e5018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001001e6018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 4 bytes JMP 00000001001e7018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 000007ff7f05b018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 
000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\wbem\unsecapp.exe[4796] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077112ce0 5 bytes JMP 00000001000d5018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000771223d0 5 bytes JMP 00000001000d6018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077199150 5 bytes JMP 00000001000d7018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd225140 5 bytes JMP 000007ff7f059018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd228100 5 bytes JMP 000007ff7f058018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd229420 5 bytes JMP 000007ff7f056018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd229d80 5 bytes JMP 000007ff7f05c018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd22c450 5 bytes JMP 000007ff7f05d018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd232af0 5 bytes JMP 000007ff7f057018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd235470 5 bytes JMP 000007ff7f05a018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd254350 5 bytes JMP 
000007ff7f05b018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feff04642c 5 bytes JMP 000007ff7f052018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff046484 5 bytes JMP 000007ff7f051018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff046518 5 bytes JMP 000007ff7f053018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff046c34 5 bytes JMP 000007ff7f050018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0475e8 5 bytes JMP 000007ff7f055018 .text C:\Windows\system32\DllHost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff04790c 5 bytes JMP 000007ff7f054018 .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007742ffec 5 bytes JMP 00000001000c100c .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077430814 5 bytes JMP 00000001000c000c .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007743091c 5 bytes JMP 00000001000c200c .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075871465 2 bytes [87, 75] .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758714bb 2 bytes [87, 75] .text ... 
* 2
---- Threads - GMER 2.1 ----
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [1868:5752] 0000000075137587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [1868:5936] 0000000063d10cb3
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [1868:5636] 0000000077462e65
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [1868:5232] 0000000077463e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [1868:6052] 0000000077463e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [1868:2116] 0000000077463e85
---- EOF - GMER 2.1 ----
08.03.2014, 12:34 | #6
/// the machine /// TB-Ausbilder
hi, scan with ComboFix
09.03.2014, 11:05 | #7
Hello schrauber, ComboFix didn't cause any problems. I only had to log in again right before the log was created, because the computer had oddly switched into standby mode (the hard disk was no longer active; otherwise I wouldn't have touched it). Hope that doesn't matter. Code:
ATTFilter
ComboFix 14-03-05.01 - Marc 09.03.2014 10:32:15.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.41.1031.18.3948.2381 [GMT 1:00]
ausgeführt von:: c:\users\Marc\Desktop\ComboFix.exe
AV: Computer Security *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
SP: Computer Security *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((( Dateien erstellt von 2014-02-09 bis 2014-03-09 ))))))))))))))))))))))))))))))
.
.
2014-03-09 09:43 . 2014-03-09 09:43 -------- d-----w- c:\users\*****\AppData\Local\temp
2014-03-09 09:43 . 2014-03-09 09:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-06 11:24 . 2014-03-06 11:24 -------- d-----w- c:\windows\Migration
2014-03-06 08:02 . 2014-03-06 08:03 -------- d-----w- C:\FRST
2014-03-06 07:05 . 2013-12-06 02:30 1882112 ----a-w- c:\windows\system32\msxml3.dll
2014-03-06 07:05 . 2013-12-06 02:02 1237504 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-03-06 07:05 . 2013-12-06 02:30 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-03-06 07:05 . 2013-12-06 02:02 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-03-06 07:03 . 2013-12-21 09:53 548864 ----a-w- c:\windows\system32\vbscript.dll
2014-03-06 07:03 . 2013-12-21 08:56 454656 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-03-06 07:02 . 2013-12-04 02:16 658432 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-03-06 07:02 . 2013-12-04 02:16 626176 ----a-w- c:\windows\system32\RMActivate.exe
2014-03-06 06:59 . 2013-12-24 23:09 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2014-03-06 06:59 . 2013-12-24 22:48 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2014-03-06 06:59 . 2013-11-22 22:48 3928064 ----a-w- c:\windows\system32\d2d1.dll
2014-03-06 06:59 . 2013-11-26 08:16 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2014-03-05 12:44 . 2014-03-05 12:44 -------- d-----w- c:\users\Marc\AppData\Roaming\Malwarebytes
2014-03-05 12:44 . 2014-03-05 12:44 -------- d-----w- c:\programdata\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-06 11:34 . 2011-09-22 08:46 88567024 ----a-w- c:\windows\system32\MRT.exe
2014-03-05 12:15 . 2012-08-16 08:20 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-05 12:15 . 2012-08-16 08:20 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackgroundContainer"="c:\users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll" [2013-11-06 319264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-09-28 340336]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-09-17 407920]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-09-17 201584]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"BackupManagerTray"="c:\program files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2011-02-15 297280]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-03-14 1081424]
"Dolby Advanced Audio v2"="c:\dolby pcee4\pcee4.exe" [2011-02-03 506712]
"ArcadeMovieService"="c:\program files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe" [2011-02-18 177448]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"F-Secure Hoster (45119)"="c:\program files (x86)\Internet Security\fshoster32.exe" [2012-11-26 183864]
"F-Secure Manager"="c:\program files (x86)\Internet Security\apps\ComputerSecurity\Common\FSM32.EXE" [2012-10-18 310992]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
c:\users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 228552] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [x] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x] R3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [x] R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe 
[x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x] R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x] S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys;c:\windows\SYSNATIVE\Drivers\fsbts.sys [x] S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x] S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files (x86)\Internet Security\apps\ComputerSecurity\HIPS\drivers\fshs.sys;c:\program files (x86)\Internet Security\apps\ComputerSecurity\HIPS\drivers\fshs.sys [x] S1 fsvista;F-Secure Vista Support Driver;c:\program files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys;c:\program files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys [x] S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDFilter.sys [x] S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDNServ.sys [x] S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDVDisk.sys [x] S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x] S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x] S2 fshoster;F-Secure Dll Hoster;c:\program files (x86)\Internet Security\fshoster32.exe;c:\program files (x86)\Internet Security\fshoster32.exe [x] S2 FSORSPClient;F-Secure ORSP Client;c:\program files (x86)\Internet 
Security\apps\CCF_Reputation\fsorsp.exe;c:\program files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe [x] S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe;c:\program files (x86)\Acer\Registration\GREGsvc.exe [x] S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x] S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x] S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x] S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [x] S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x] S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x] S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\drivers\b57xdbd.sys;c:\windows\SYSNATIVE\drivers\b57xdbd.sys [x] S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\drivers\b57xdmp.sys;c:\windows\SYSNATIVE\drivers\b57xdmp.sys [x] S3 bScsiMSa;bScsiMSa;c:\windows\system32\drivers\bScsiMSa.sys;c:\windows\SYSNATIVE\drivers\bScsiMSa.sys [x] S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x] S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys;c:\program files 
(x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys [x] S3 fsni;fsni;c:\program files (x86)\Internet Security\apps\CCF_Scanning\fsni64.sys;c:\program files (x86)\Internet Security\apps\CCF_Scanning\fsni64.sys [x] S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x] S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x] . . Inhalt des "geplante Tasks" Ordners . 2014-03-09 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-16 12:15] . 2014-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core.job - c:\users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-10 17:27] . 2014-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA.job - c:\users\Marc\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-10 17:27] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418840] "IntelTBRunOnce"="wscript.exe" [2013-10-12 168960] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-10 11785832] "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-03-09 2189416] "Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-02-23 1796200] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\windows\System32\nvinitx.dll . ------- Zusätzlicher Suchlauf ------- . 
uLocal Page = c:\windows\system32\blank.htm uStart Page = about:blank mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: An OneNote s&enden - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105 IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Toolbar-Locked - (no file) Wow6432Node-HKCU-Run-uTorrent - c:\users\Marc\Downloads\uTorrent.exe HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start Toolbar-Locked - (no file) HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe AddRemove-incredibar - c:\program files (x86)\Incredibar.com\incredibar\1.5.11.14\uninstall.exe . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fshoster] "ImagePath"="\"c:\program files (x86)\Internet Security\fshoster32.exe\" -hosterid:0" . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_70_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_70_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.12" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee] "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\ . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\F-Secure\My Services Agent\Protected] @Denied: ) (Everyone) "AgentIdentifier"="45bd4cbd-d7cc-41a9-a360-f4f3af9274b6" "AuthorizationCode"="" "45119_AgentIdentifier"="45bd4cbd-d7cc-41a9-a360-f4f3af9274b6" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2014-03-09 10:46:51 ComboFix-quarantined-files.txt 2014-03-09 09:46 . Vor Suchlauf: 13 Verzeichnis(se), 359'174'889'472 Bytes frei Nach Suchlauf: 19 Verzeichnis(se), 360'929'583'104 Bytes frei . - - End Of File - - 1273055B89599813750377BC358EA1A9 |
10.03.2014, 11:00 | #8 |
/// the machine /// TB-Ausbilder | Many PUPs and Suspicious:W32/Malware!Gemini Please download Malwarebytes Anti-Malware
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
and a fresh FRST log please.
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 Donations Guides and help Trojaner-Board Facebook page No help via PM! |
11.03.2014, 14:53 | #9 |
| Many PUPs and Suspicious:W32/Malware!Gemini Hello Schrauber, can I safely download AdwCleaner from somewhere else? My antivirus blocks the download and claims it is a Trojan.GenericKD.1601035 |
12.03.2014, 12:04 | #10 |
/// the machine /// TB-Ausbilder | Many PUPs and Suspicious:W32/Malware!Gemini Are you sure you are not clicking on the advertisement? The download is only the plain text link "Download: AdwCleaner", no big green download button or the like
Regards, schrauber |
12.03.2014, 16:51 | #11 |
| Many PUPs and Suspicious:W32/Malware!Gemini I did it exactly the same way as with Malwarebytes and ComboFix: only the plain text link. Both the download link and the file size and name were correct during the download. At the end there was always an error message and the antivirus window. Today, strangely, everything seems to be fine. MBAM: Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.12.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16518
Marc :: MARC-PC [Administrator]

12.03.2014 14:18:29
mbam-log-2014-03-12 (14-18-29).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File system | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 491573
Time elapsed: 1 hour(s), 24 minute(s), 27 second(s)

Memory processes detected: 0
(No malicious items detected)

Memory modules detected: 0
(No malicious items detected)

Registry keys detected: 0
(No malicious items detected)

Registry values detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.

Registry data items detected: 0
(No malicious items detected)

Folders detected: 0
(No malicious items detected)

Files detected: 0
(No malicious items detected)

(end)
Code:
# AdwCleaner v3.021 - Report created on 12/03/2014 at 15:56:25
# Updated 10/03/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Marc - MARC-PC
# Running from : C:\Users\Marc\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Premium
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\uTorrentBar_DE
Folder Deleted : C:\Users\Marc\AppData\Local\Conduit
Folder Deleted : C:\Users\Marc\AppData\Local\NativeMessaging
Folder Deleted : C:\Users\Marc\AppData\Local\PackageAware
Folder Deleted : C:\Users\Marc\AppData\Local\WhiteListing
Folder Deleted : C:\Users\Marc\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Marc\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Marc\AppData\LocalLow\uTorrentBar_DE
File Deleted : C:\Program Files (x86)\Mozilla Firefox\user.js
File Deleted : C:\Windows\System32\Tasks\BackgroundContainer Startup Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\leocdeigfnkaojcapikdjcdbedcjmffc
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.IncredibarESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.IncredibarESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\I
Key Deleted : HKLM\SOFTWARE\Classes\IncredibarApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\IncredibarApp.appCore.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_install_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_install_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\uTorrentBar_DEAutoUpdateHelper_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\uTorrentBar_DEAutoUpdateHelper_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\uTorrentBar_DEToolbarHelper_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\uTorrentBar_DEToolbarHelper_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C01315C7-B4E2-4864-B43D-5FAFC414D179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C1545464-C77C-4130-A572-1C619E2895FE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ED0E67AD-926C-4008-87E5-03CF72AA2A7E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF7FEC6D-451B-4452-9D26-7E10C6B5DB6E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{74C36554-31F0-49DD-8857-ED6A64DF45BE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61BA41CF-3657-4A69-92D6-FE4EB820EB87}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FA26B75-ADC9-42C0-A0ED-BE3DD92CC0D1}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\incredibar.com
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentBar_DE
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\incredibar.com
Key Deleted : HKLM\Software\uTorrentBar_DE
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\incredibar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentBar_DE Toolbar

***** [ Browser ] *****

-\\ Internet Explorer v11.0.9600.16518


-\\ Google Chrome v

[ File : C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [9123 octets] - [12/03/2014 15:52:26]
AdwCleaner[S0].txt - [8562 octets] - [12/03/2014 15:56:25]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8622 octets] ##########
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Home Premium x64
Ran by Marc on 12.03.2014 at 16:03:35.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Marc\appdata\local\software"
Successfully deleted: [Empty Folder] C:\Users\Marc\appdata\local\{03329340-7417-4D6F-B893-8253429BBB00}
Successfully deleted: [Empty Folder] C:\Users\Marc\appdata\local\{1F16C5E7-AD9B-43D4-B2CE-0BDCD736CA0B}
Successfully deleted: [Empty Folder] C:\Users\Marc\appdata\local\{2FF56B18-B108-461F-9BF4-E3C7B17A856D}
Successfully deleted: [Empty Folder] C:\Users\Marc\appdata\local\{350DDE9D-5140-4E98-950C-EF59EEEB1D41}
Successfully deleted: [Empty Folder] C:\Users\Marc\appdata\local\{ABBBF6B9-A696-4063-BDD3-AC2C745EF8F9}
Successfully deleted: [Empty Folder] C:\Users\Marc\appdata\local\{C3FE716D-43BC-4388-9047-4451C3D9DF6B}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 12.03.2014 at 16:08:34.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
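The logs in this post show why the Run value kept coming back: MBAM only quarantined the registry value, while the DLL it pointed at, the Conduit folders and a scheduled task file named after the same component were still on disk until AdwCleaner removed them. The following Python script is an added example (not from the thread and not part of MBAM, ComboFix or AdwCleaner) that reads autostart entries in the two formats seen above, MBAM's `KEY|Name (Detection) -> Data: ...` line and ComboFix's REGEDIT4-style `"Name"="path" [date size]` lines, works out what actually runs when the launcher is rundll32.exe, flags modules loaded from user-writable locations, and lists the other findings that belong to the same component so a cleanup plan covers all of them. The sample lines and artifact paths are constructed from the entries posted in this thread; the heuristics and the names `parse_autostarts`, `triage`, `related_artifacts` and `USER_WRITABLE` are mine.

```python
"""Triage autostart entries in the formats MBAM and ComboFix print.
Added example; sample data is constructed from the thread, heuristics are mine."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Directory prefixes an unprivileged user can write to.  Vendor software that
# is meant to autostart normally lives under Program Files or System32.
USER_WRITABLE = (
    r"\appdata\local", r"\appdata\roaming", r"\appdata\locallow",
    r"\downloads", r"\local\temp", r"c:\windows\temp",
    r"c:\programdata", r"c:\users\public",
)

# "<rundll32.exe>" "<dll>",<export>   (quotes optional, case-insensitive)
_RUNDLL = re.compile(
    r'"?(?P<host>[^"]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# MBAM:     KEY|Name (Detection) -> Data: <command>[ -> action taken]
_MBAM = re.compile(
    r"^(?P<key>HK\w+\\[^|]+)\|(?P<name>\S+) \([^)]*\) -> \w+: (?P<cmd>.+?)(?: -> .*)?$"
)
# ComboFix: a [KEY] header followed by "Name"="<command>" [date size] lines
_CFX_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
_CFX_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.+)" \[\d{4}-\d\d-\d\d \d+\]$')


@dataclass
class Autostart:
    key: str
    name: str
    host: str              # image Windows starts
    module: str            # code that actually runs (the DLL when host is rundll32)
    export: Optional[str]  # DLL entry point named on the command line, if any

    @property
    def proxied(self) -> bool:
        """A trusted Windows binary is only the launcher for other code."""
        return self.export is not None

    @property
    def user_writable(self) -> bool:
        return any(p in self.module.lower() for p in USER_WRITABLE)


def _resolve(key: str, name: str, cmd: str) -> Autostart:
    m = _RUNDLL.search(cmd)
    if m:
        return Autostart(key, name, m["host"], m["dll"], m["export"])
    path = cmd.strip('"')   # ComboFix prints the bare image path without the launcher
    return Autostart(key, name, path, path, None)


def parse_autostarts(lines) -> list[Autostart]:
    """Accept a mix of MBAM result lines and ComboFix REGEDIT4-style lines."""
    entries, current_key = [], None
    for raw in lines:
        line = raw.strip()
        if m := _CFX_KEY.match(line):
            current_key = m["key"]
        elif (m := _CFX_VAL.match(line)) and current_key:
            entries.append(_resolve(current_key, m["name"], m["cmd"]))
        elif m := _MBAM.match(line):
            entries.append(_resolve(m["key"], m["name"], m["cmd"]))
    return entries


def related_artifacts(entry: Autostart, artifacts) -> list[str]:
    """Other findings that share the module's vendor folder or base name.
    Deleting only the Run value leaves these behind, and a task or updater
    among them can put the value straight back."""
    parts = entry.module.lower().split("\\")
    tokens = {parts[-1].rsplit(".", 1)[0]}   # e.g. backgroundcontainer
    if len(parts) >= 3:
        tokens.add(parts[-3])                # e.g. conduit (vendor folder)
    return [a for a in artifacts if any(t in a.lower() for t in tokens)]


def triage(lines, artifacts):
    """Return (entry, reasons, related_artifacts) for entries worth a look."""
    findings = []
    for e in parse_autostarts(lines):
        reasons = []
        if e.proxied:
            launcher = e.host.rsplit("\\", 1)[-1]
            reasons.append(f"{launcher} is only the launcher; the code that runs is {e.module}")
        if e.user_writable:
            reasons.append("module is loaded from a user-writable location")
        if reasons:
            findings.append((e, reasons, related_artifacts(e, artifacts)))
    return findings


# Constructed sample: the MBAM hit plus two ComboFix Run entries from this thread.
SAMPLE_LINES = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BackgroundContainer (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun -> Quarantined and deleted successfully.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackgroundContainer"="c:\users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll" [2013-11-06 319264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
'''.splitlines()

# Constructed sample: paths taken from the AdwCleaner report in this thread.
SAMPLE_ARTIFACTS = [
    r"C:\ProgramData\Premium",
    r"C:\Program Files (x86)\Conduit",
    r"C:\Users\Marc\AppData\Local\Conduit",
    r"C:\Users\Marc\AppData\LocalLow\Conduit",
    r"C:\Windows\System32\Tasks\BackgroundContainer Startup Task",
]

if __name__ == "__main__":
    for entry, reasons, related in triage(SAMPLE_LINES, SAMPLE_ARTIFACTS):
        print(f"{entry.key}\\{entry.name}")
        for r in reasons:
            print("  -", r)
        for a in related:
            print("  related:", a)
```

Run against the sample, the BackgroundContainer entry is reported twice (once from each tool's notation) with the rundll32 launcher unwrapped to the DLL under AppData, and the four Conduit/BackgroundContainer artifacts, including the task file, are listed next to it, while the Java updater under Program Files is left alone. The script only reads text and never touches the registry, so it can be run against a log copied from a machine that should not be trusted.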
13.03.2014, 10:46 | #12 |
/// the machine /// TB-Ausbilder | Many PUPs and Suspicious:W32/Malware!Gemini ESET Online Scanner
Please download SecurityCheck and:
and a fresh FRST log please. Any problems left?
Regards, schrauber |
13.03.2014, 19:36 | #13 |
| Many PUPs and Suspicious:W32/Malware!Gemini ESET: Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=f022cb3c890c5d41bc84dcaeccfeaaa9
# engine=17431
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-03-13 05:05:23
# local_time=2014-03-13 06:05:23 (+0100, Mitteleuropäische Zeit)
# country="Switzerland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=2559 16777215 0 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 17315238 146360173 0 0
# scanned=378864
# found=0
# cleaned=0
# scan_time=11213
Code:
Results of screen317's Security Check version 0.99.80
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Computer Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware Version 1.75.0.1300
JavaFX 2.1.1
Java(TM) 6 Update 31
Java(TM) 7 Update 5
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 32.0.1700.102
Google Chrome 33.0.1750.146
````````Process Check: objlist.exe by Laurent````````
Internet Security apps ComputerSecurity Anti-Virus\FSGK32.EXE
Internet Security apps ComputerSecurity Anti-Virus\fssm32.exe
Symantec Norton Online Backup NOBuAgent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
FRST Logfile: Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Marc (administrator) on MARC-PC on 13-03-2014 19:13:43
Running from C:\Users\Marc\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(F-Secure Corporation) C:\Program Files (x86)\Internet Security\fshoster32.exe
(F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\FSGK32.EXE
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE
(F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\fssm32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
(CyberLink) C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Dolby Laboratories Inc.) C:\DOLBY PCEE4\pcee4.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(F-Secure Corporation) C:\Program Files (x86)\Internet Security\fshoster32.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Apple Inc.)
C:\Program Files\iPod\bin\iPodService.exe (Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (F-Secure Corporation) C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSLAUNCH.EXE ==================== Registry (Whitelisted) ================== HKLM\...\Run: [IntelTBRunOnce] - wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2280232 2010-07-29] (Synaptics Incorporated) HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11785832 2011-03-10] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2189416 2011-03-09] (Realtek Semiconductor) HKLM\...\Run: [Power Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-23] (Acer Incorporated) HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-14] (Intel Corporation) HKLM-x32\...\Run: [SuiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [340336 2010-09-28] (Egis Technology Inc.) HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920 2010-09-18] (Egis Technology Inc.) HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201584 2010-09-18] (Egis Technology Inc.) 
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation) HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-28] (Adobe Systems Incorporated) HKLM-x32\...\Run: [BackupManagerTray] - C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe [297280 2011-02-15] (NTI Corporation) HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.) HKLM-x32\...\Run: [Dolby Advanced Audio v2] - C:\Dolby PCEE4\pcee4.exe [506712 2011-02-03] (Dolby Laboratories Inc.) HKLM-x32\...\Run: [ArcadeMovieService] - C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe [177448 2011-02-19] (CyberLink Corp.) HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.) HKLM-x32\...\Run: [F-Secure Hoster (45119)] - C:\Program Files (x86)\Internet Security\fshoster32.exe [183864 2012-11-26] (F-Secure Corporation) HKLM-x32\...\Run: [F-Secure Manager] - C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSM32.EXE [310992 2012-10-18] (F-Secure Corporation) HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.) HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.) HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.) 
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\.DEFAULT\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid} AppInit_DLLs: C:\Windows\System32\nvinitx.dll => C:\Windows\System32\nvinitx.dll [226920 2011-02-21] (NVIDIA Corporation) AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [192616 2011-02-21] (NVIDIA Corporation) Startup: C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation) BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.) BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation) Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.) Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 Chrome: ======= CHR HomePage: hxxp://www.google.ch/ CHR Plugin: (Remoting Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Users\Marc\AppData\Local\Google\Chrome\Application\33.0.1750.146\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Users\Marc\AppData\Local\Google\Chrome\Application\33.0.1750.146\pdf.dll () CHR Plugin: (Shockwave Flash) - C:\Users\Marc\AppData\Local\Google\Chrome\Application\33.0.1750.146\gcswf32.dll No File CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.477_0\plugin/npUrlAdvisor.dll No File CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\12.0.0.477_0\plugin/npVKPlugin.dll No File CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\12.0.0.374_0\plugin/npABPlugin.dll No File CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.) 
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.) CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation) CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation) CHR Plugin: (Java(TM) Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () CHR Plugin: (Google Update) - C:\Users\Marc\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File CHR Extension: (YouTube) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-22] CHR Extension: (Google-Suche) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-22] CHR Extension: (Google Wallet) - C:\Users\Marc\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26] CHR Extension: (Google Mail) - C:\Users\Marc\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-22] CHR StartMenuInternet: Google Chrome - C:\Users\Marc\AppData\Local\Google\Chrome\Application\chrome.exe ==================== Services (Whitelisted) ================= R2 fshoster; C:\Program Files (x86)\Internet Security\fshoster32.exe [183864 2012-11-26] (F-Secure Corporation) R3 FSMA; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE [208592 2012-10-18] (F-Secure Corporation) R2 FSORSPClient; C:\Program Files (x86)\Internet Security\apps\CCF_Reputation\fsorsp.exe [60352 2013-06-29] (F-Secure Corporation) R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation) R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation) S2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [X] ==================== Drivers (Whitelisted) ==================== U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation) R3 F-Secure Gatekeeper; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys [203304 2014-03-05] (F-Secure Corporation) R1 F-Secure HIPS; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\HIPS\drivers\fshs.sys [69480 2014-03-05] (F-Secure Corporation) R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2013-01-19] () R0 fsbts; C:\Windows\SysWOW64\Drivers\fsbts.sys [42672 2013-01-19] () R3 fsni; C:\Program Files (x86)\Internet Security\apps\CCF_Scanning\fsni64.sys [80832 2013-04-25] (F-Secure Corporation) R1 fsvista; C:\Program Files (x86)\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\fsvista.sys [14032 2012-10-18] () S3 catchme; \??\C:\ComboFix\catchme.sys [X] Code:
ATTFilter ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-03-13 19:13 - 2014-03-13 19:13 - 00015490 _____ () C:\Users\Marc\Desktop\FRST.txt 2014-03-13 19:10 - 2014-03-13 19:11 - 02157056 _____ (Farbar) C:\Users\Marc\Desktop\FRST64.exe 2014-03-13 18:24 - 2014-03-13 18:24 - 00001053 _____ () C:\Users\Marc\Desktop\checkup.txt 2014-03-13 14:48 - 2014-03-13 14:48 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-03-13 14:41 - 2014-03-13 14:41 - 00987442 _____ () C:\Users\Marc\Desktop\SecurityCheck.exe 2014-03-13 14:38 - 2014-03-13 14:38 - 02347384 _____ (ESET) C:\Users\Marc\Desktop\esetsmartinstaller_enu.exe 2014-03-12 17:12 - 2014-03-12 17:12 - 05128584 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe 2014-03-12 16:15 - 2014-03-12 16:15 - 00000000 ____D () C:\Users\Marc\Downloads\FRST-OlderVersion 2014-03-12 16:08 - 2014-03-12 16:08 - 00001327 _____ () C:\Users\Marc\Desktop\JRT.txt 2014-03-12 16:03 - 2014-03-12 16:03 - 00000000 ____D () C:\Windows\ERUNT 2014-03-12 15:51 - 2014-03-12 15:56 - 00000000 ____D () C:\AdwCleaner 2014-03-12 14:00 - 2014-03-12 14:00 - 01949184 _____ () C:\Users\Marc\Downloads\adwcleaner.exe 2014-03-11 15:18 - 2014-03-11 15:18 - 00001117 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-03-11 15:18 - 2014-03-11 15:18 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-03-11 15:18 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys 2014-03-11 14:47 - 2014-03-11 14:47 - 01037734 _____ (Thisisu) C:\Users\Marc\Desktop\JRT.exe 2014-03-11 14:42 - 2014-03-11 14:43 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Marc\Downloads\mbam-setup-1.75.0.1300.exe 2014-03-09 10:46 - 2014-03-09 10:46 - 00019843 _____ () C:\ComboFix.txt 2014-03-09 10:29 - 2014-03-09 10:46 - 00000000 ____D () C:\Qoobox 2014-03-09 10:29 - 2011-06-26 07:45 - 00256000 _____ 
() C:\Windows\PEV.exe 2014-03-09 10:29 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-03-09 10:29 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-03-09 10:29 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-03-09 10:29 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-03-09 10:29 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe 2014-03-09 10:29 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe 2014-03-09 10:29 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe 2014-03-09 10:28 - 2014-03-09 10:45 - 00000000 ____D () C:\Windows\erdnt 2014-03-09 10:11 - 2014-03-09 10:11 - 05187267 ____R (Swearware) C:\Users\Marc\Desktop\ComboFix.exe 2014-03-06 12:18 - 2014-02-06 13:16 - 23170048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-03-06 12:18 - 2014-02-06 12:30 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-03-06 12:18 - 2014-02-06 12:30 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-03-06 12:18 - 2014-02-06 12:12 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-03-06 12:18 - 2014-02-06 12:07 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-03-06 12:18 - 2014-02-06 12:06 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-03-06 12:18 - 2014-02-06 11:57 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-03-06 12:18 - 2014-02-06 11:56 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-03-06 12:18 - 2014-02-06 11:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-03-06 12:18 - 2014-02-06 11:49 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-03-06 12:18 - 2014-02-06 11:48 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-03-06 12:18 - 2014-02-06 
11:48 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-03-06 12:18 - 2014-02-06 11:38 - 17103872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-03-06 12:18 - 2014-02-06 11:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-03-06 12:18 - 2014-02-06 11:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-03-06 12:18 - 2014-02-06 11:17 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-03-06 12:18 - 2014-02-06 11:11 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-03-06 12:18 - 2014-02-06 11:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-03-06 12:18 - 2014-02-06 11:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-03-06 12:18 - 2014-02-06 10:57 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-03-06 12:18 - 2014-02-06 10:57 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-03-06 12:18 - 2014-02-06 10:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-03-06 12:18 - 2014-02-06 10:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-03-06 12:18 - 2014-02-06 10:50 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-03-06 12:18 - 2014-02-06 10:49 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-03-06 12:18 - 2014-02-06 10:47 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-03-06 12:18 - 2014-02-06 10:46 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-03-06 12:18 - 2014-02-06 10:25 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-03-06 12:18 - 2014-02-06 10:25 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-03-06 12:18 - 2014-02-06 10:24 - 02334208 
_____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-03-06 12:18 - 2014-02-06 10:22 - 13051392 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-03-06 12:18 - 2014-02-06 10:13 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-03-06 12:18 - 2014-02-06 10:09 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-03-06 12:18 - 2014-02-06 10:03 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-03-06 12:18 - 2014-02-06 09:55 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-03-06 12:18 - 2014-02-06 09:41 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-03-06 12:18 - 2014-02-06 09:40 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-03-06 12:18 - 2014-02-06 09:36 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-03-06 12:18 - 2014-02-06 09:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-03-06 11:29 - 2014-03-06 11:29 - 00032001 _____ () C:\Users\Marc\Desktop\Logfiles.zip 2014-03-06 09:41 - 2014-03-06 09:41 - 00215077 _____ () C:\Users\Marc\Desktop\Gmer.txt 2014-03-06 09:17 - 2014-03-06 09:17 - 00380416 _____ () C:\Users\Marc\Downloads\Gmer-19357.exe 2014-03-06 09:03 - 2014-03-06 09:03 - 00040957 _____ () C:\Users\Marc\Desktop\Addition.txt 2014-03-06 09:02 - 2014-03-13 19:13 - 00000000 ____D () C:\FRST 2014-03-06 09:02 - 2014-03-12 16:21 - 00031991 _____ () C:\Users\Marc\Desktop\FRST 12.03.14.txt 2014-03-06 08:05 - 2014-01-01 00:05 - 00420008 _____ () C:\Windows\SysWOW64\locale.nls 2014-03-06 08:05 - 2014-01-01 00:04 - 00420008 _____ () C:\Windows\system32\locale.nls 2014-03-06 08:05 - 2013-12-06 03:30 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll 2014-03-06 08:05 - 2013-12-06 03:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll 2014-03-06 08:05 - 2013-12-06 03:02 - 
01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2014-03-06 08:05 - 2013-12-06 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll 2014-03-06 08:03 - 2013-12-21 10:53 - 00548864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-03-06 08:03 - 2013-12-21 09:56 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-03-06 08:02 - 2013-12-04 03:16 - 00658432 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe 2014-03-06 08:02 - 2013-12-04 03:16 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe 2014-03-06 08:01 - 2013-12-04 03:27 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll 2014-03-06 08:01 - 2013-12-04 03:27 - 00485888 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll 2014-03-06 08:01 - 2013-12-04 03:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll 2014-03-06 08:01 - 2013-12-04 03:27 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll 2014-03-06 08:01 - 2013-12-04 03:26 - 00528384 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll 2014-03-06 08:01 - 2013-12-04 03:16 - 00553984 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe 2014-03-06 08:01 - 2013-12-04 03:16 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe 2014-03-06 08:01 - 2013-12-04 03:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc.dll 2014-03-06 08:01 - 2013-12-04 03:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_isv.dll 2014-03-06 08:01 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp_isv.dll 2014-03-06 08:01 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secproc_ssp.dll 2014-03-06 08:01 - 2013-12-04 03:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdrm.dll 2014-03-06 08:01 - 
2013-12-04 02:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_isv.exe 2014-03-06 08:01 - 2013-12-04 02:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate.exe 2014-03-06 08:01 - 2013-12-04 02:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp.exe 2014-03-06 08:01 - 2013-12-04 02:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RMActivate_ssp_isv.exe 2014-03-06 07:59 - 2013-12-25 00:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll 2014-03-06 07:59 - 2013-12-24 23:48 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll 2014-03-06 07:59 - 2013-11-26 09:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll 2014-03-06 07:59 - 2013-11-22 23:48 - 03928064 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\Users\Marc\AppData\Roaming\Malwarebytes 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-03-05 13:37 - 2014-03-05 13:37 - 00392232 _____ (F-Secure Corporation) C:\Users\Marc\Downloads\swisscom-d1947420-a462-11e3-b453-123143002408.exe ==================== One Month Modified Files and Folders ======= 2014-03-13 19:13 - 2014-03-13 19:13 - 00015490 _____ () C:\Users\Marc\Desktop\FRST.txt 2014-03-13 19:13 - 2014-03-06 09:02 - 00000000 ____D () C:\FRST 2014-03-13 19:11 - 2014-03-13 19:10 - 02157056 _____ (Farbar) C:\Users\Marc\Desktop\FRST64.exe 2014-03-13 19:11 - 2012-08-16 09:20 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-03-13 18:25 - 2011-06-21 10:07 - 01629574 _____ () C:\Windows\WindowsUpdate.log 2014-03-13 18:24 - 2014-03-13 18:24 - 00001053 _____ () C:\Users\Marc\Desktop\checkup.txt 2014-03-13 18:19 - 2011-10-10 18:27 - 00001116 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA.job 2014-03-13 14:48 - 2014-03-13 14:48 - 00000000 
____D () C:\Program Files (x86)\ESET 2014-03-13 14:46 - 2011-06-21 10:44 - 00702338 _____ () C:\Windows\system32\perfh007.dat 2014-03-13 14:46 - 2011-06-21 10:44 - 00151044 _____ () C:\Windows\system32\perfc007.dat 2014-03-13 14:46 - 2009-07-14 06:13 - 01628664 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-03-13 14:41 - 2014-03-13 14:41 - 00987442 _____ () C:\Users\Marc\Desktop\SecurityCheck.exe 2014-03-13 14:38 - 2014-03-13 14:38 - 02347384 _____ (ESET) C:\Users\Marc\Desktop\esetsmartinstaller_enu.exe 2014-03-13 14:32 - 2009-07-14 05:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-03-13 14:32 - 2009-07-14 05:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-03-13 14:26 - 2011-09-22 09:23 - 00000000 ____D () C:\ProgramData\clear.fi 2014-03-13 14:25 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-03-13 14:25 - 2009-07-14 05:51 - 00081696 _____ () C:\Windows\setupact.log 2014-03-12 17:12 - 2014-03-12 17:12 - 05128584 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe 2014-03-12 17:12 - 2012-08-16 09:20 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-03-12 17:12 - 2012-08-16 09:20 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-03-12 17:12 - 2012-08-16 09:20 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater 2014-03-12 16:21 - 2014-03-06 09:02 - 00031991 _____ () C:\Users\Marc\Desktop\FRST 12.03.14.txt 2014-03-12 16:15 - 2014-03-12 16:15 - 00000000 ____D () C:\Users\Marc\Downloads\FRST-OlderVersion 2014-03-12 16:08 - 2014-03-12 16:08 - 00001327 _____ () C:\Users\Marc\Desktop\JRT.txt 2014-03-12 16:03 - 2014-03-12 16:03 - 00000000 ____D () C:\Windows\ERUNT 2014-03-12 15:56 - 2014-03-12 15:51 - 00000000 ____D () C:\AdwCleaner 2014-03-12 15:56 - 
2012-04-09 16:43 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-03-12 14:00 - 2014-03-12 14:00 - 01949184 _____ () C:\Users\Marc\Downloads\adwcleaner.exe 2014-03-11 15:18 - 2014-03-11 15:18 - 00001117 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-03-11 15:18 - 2014-03-11 15:18 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-03-11 14:47 - 2014-03-11 14:47 - 01037734 _____ (Thisisu) C:\Users\Marc\Desktop\JRT.exe 2014-03-11 14:43 - 2014-03-11 14:42 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Marc\Downloads\mbam-setup-1.75.0.1300.exe 2014-03-11 14:37 - 2010-11-21 04:47 - 00201614 _____ () C:\Windows\PFRO.log 2014-03-09 10:46 - 2014-03-09 10:46 - 00019843 _____ () C:\ComboFix.txt 2014-03-09 10:46 - 2014-03-09 10:29 - 00000000 ____D () C:\Qoobox 2014-03-09 10:46 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default 2014-03-09 10:45 - 2014-03-09 10:28 - 00000000 ____D () C:\Windows\erdnt 2014-03-09 10:43 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini 2014-03-09 10:11 - 2014-03-09 10:11 - 05187267 ____R (Swearware) C:\Users\Marc\Desktop\ComboFix.exe 2014-03-09 10:08 - 2012-08-29 19:00 - 01602944 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI 2014-03-07 10:35 - 2011-10-10 18:33 - 00002358 _____ () C:\Users\Marc\Desktop\Google Chrome.lnk 2014-03-06 12:38 - 2013-08-24 16:09 - 00000000 ____D () C:\Windows\system32\MRT 2014-03-06 12:34 - 2011-09-22 09:46 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-03-06 12:20 - 2011-09-26 18:29 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-03-06 11:29 - 2014-03-06 11:29 - 00032001 _____ () C:\Users\Marc\Desktop\Logfiles.zip 2014-03-06 09:41 - 2014-03-06 09:41 - 00215077 _____ () C:\Users\Marc\Desktop\Gmer.txt 2014-03-06 09:17 - 2014-03-06 09:17 - 00380416 _____ () C:\Users\Marc\Downloads\Gmer-19357.exe 2014-03-06 09:03 - 2014-03-06 09:03 - 00040957 _____ () C:\Users\Marc\Desktop\Addition.txt 2014-03-05 13:44 - 
2014-03-05 13:44 - 00000000 ____D () C:\Users\Marc\AppData\Roaming\Malwarebytes 2014-03-05 13:44 - 2014-03-05 13:44 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-03-05 13:37 - 2014-03-05 13:37 - 00392232 _____ (F-Secure Corporation) C:\Users\Marc\Downloads\swisscom-d1947420-a462-11e3-b453-123143002408.exe 2014-03-05 13:19 - 2011-10-10 18:27 - 00001064 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core.job 2014-03-05 13:14 - 2011-10-10 18:27 - 00004084 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001UA 2014-03-05 13:14 - 2011-10-10 18:27 - 00003688 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3551491834-2705507183-1249083949-1001Core Some content of TEMP: ==================== C:\Users\Marc\AppData\Local\Temp\Quarantine.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-01-31 16:10 ==================== End Of Log ============================ |
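An added example for triaging the `Registry (Whitelisted)` autorun lines of an FRST log like the one above; it is neither FRST's code nor code from any post in this thread. The sample lines are copied from the FRST log posted here, except the `BackgroundContainer` line, which is constructed to mirror the PUP.Optional.Conduit rundll32 entry this thread is about; the flag names, the `HOST_PROCESSES` list and the user-writable path patterns are my own assumptions.

```python
"""Flag FRST autorun lines that deserve a closer look.

FRST prints whitelisted autoruns as
    HKLM-x32\...\Run: [Name] - <command> [<size> <date>] (<Vendor>)
The size/date block and the vendor are missing when the target is not a
PE file (scripts, DLLs loaded through a host process, missing files).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

FRST_RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:-x32)?(?:\\\.DEFAULT)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] - (?P<cmd>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<vendor>[^()]*)\))?$"
)

# Assumed list: signed Windows binaries that run whatever they are handed as an
# argument. A PUP entry such as the Conduit BackgroundContainer one hides its
# DLL behind rundll32.exe, so the argument, not the host, is what to inspect.
HOST_PROCESSES = {"rundll32.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
                  "mshta.exe", "powershell.exe", "cmd.exe"}

# Assumed patterns for locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\|\\AppData\\|%APPDATA%|%TEMP%|\\Temp\\", re.IGNORECASE)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    vendor: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def executable(self) -> str:
        """Lower-cased basename of the first token (quoted or bare) of the command."""
        cmd = self.command.strip()
        first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        return first.rsplit("\\", 1)[-1].lower()


def parse_run_line(line: str) -> Optional[AutorunEntry]:
    """Return the parsed entry, or None when the line is not an FRST Run/RunOnce line."""
    m = FRST_RUN_RE.match(line.strip())
    if not m:
        return None
    return AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"].strip(), m["vendor"])


def triage(entry: AutorunEntry) -> AutorunEntry:
    """Attach review flags in place; an empty list means nothing stood out."""
    exe = entry.executable
    if exe in HOST_PROCESSES:
        entry.flags.append(f"host-process launch via {exe}")
    if USER_WRITABLE_RE.search(entry.command):
        entry.flags.append("target in user-writable location")
    if not entry.vendor:
        entry.flags.append("no publisher recorded")
    if entry.hive.startswith(("HKCU", "HKU")):
        entry.flags.append("user hive persistence (HKCU/HKU)")
    return entry


def triage_log(lines: List[str]) -> List[AutorunEntry]:
    """Parse every Run/RunOnce line and keep only entries with at least one flag."""
    flagged = []
    for line in lines:
        entry = parse_run_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


SAMPLE_LINES = [
    # Copied from the FRST log posted in this thread.
    r'HKLM\...\Run: [IntelTBRunOnce] - wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"',
    r'HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2280232 2010-07-29] (Synaptics Incorporated)',
    r'HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)',
    r'HKU\.DEFAULT\...\RunOnce: [IsMyWinLockerReboot] - msiexec.exe /qn /x{voidguid}',
    # Constructed line, modelled on the PUP.Optional.Conduit entry from this thread.
    r'HKCU\...\Run: [BackgroundContainer] - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Marc\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun',
]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LINES):
        print(f"{e.hive}\\{e.key} [{e.name}] {e.executable}: {', '.join(e.flags)}")
```

Benign vendor-signed entries such as SynTPEnh and the Java updater produce no flags; the script-based, user-hive and rundll32-wrapped entries are the ones that come back for review.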
14.03.2014, 18:36 | #14 |
/// the machine /// TB Trainer | Many PUPs and Suspicious:W32/Malware!Gemini Update Java and Adobe. Done. The order here is decisive.
If you want to give praise or criticism, you can do that here. Here are a few more tips for securing your system. I can't stress often enough how important it is that your system is up to date.
Anti-virus software
Additional protection
Safe browsing
Alternative browsers: Other browsers tend to be somewhat more secure than IE, since they don't use ActiveX elements. These can be abused by spyware to infect your system.
Performance: Clean up your temp files regularly. I recommend TFC for that. Stay away from any registry cleaners. They do your system more harm than good. Here are a few (English) links: Miekemoes Blogspot (MVP), Bill Castner (MVP), Don'ts
Note: Please give me a short reply once everything is done and no questions remain, so that I can delete this thread from my subscriptions.
19.03.2014, 08:10 | #15 |
| Many PUPs and Suspicious:W32/Malware!Gemini Hello schrauber, all done. Malwarebytes doesn't find anything anymore either. Many thanks for your help. Regards Jerot |