Log Analysis and Evaluation: Redirect to fake Java update (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
14.04.2014, 19:28 | #1

Redirect to fake Java update

Hello, I have the same problem as already described here: http://www.trojaner-board.de/150274-...va-update.html When I open some pages in my browser (Firefox), I get redirected to a fake Java update page. Many thanks for any help! Attached: defogger_disable.log, FRST.txt and gmer.log
15.04.2014, 09:23 | #2
the machine (TB trainer)

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts. I can't open attachments at work, thanks.

This is how it works: Posting in CODE tags

Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
15.04.2014, 09:31 | #3

Good morning,

I got the message: "The text you entered consists of 203401 characters and is therefore too long. Please shorten the text to the maximum length of 120000 characters. Please attach logs as an archive to the post!" The gmer.log was then too large for that format, so I had to pack it into a zip. But of course I can split it into several posts:

defogger_disable.log
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:54 on 14/04/2014 (Tobselo)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01
Ran by Tobselo (administrator) on TOBSELO-PC on 14-04-2014 19:56:57
Running from C:\Users\Tobselo\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
() E:\Tobit Radio.fx\Server\rfx-server.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe
(PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe
(Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe
(Tobit.Software) E:\Tobit Radio.fx\Client\rfx-tray.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Dropbox, Inc.) C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(AppWork GmbH) C:\Program Files (x86)\JDownloader 2\JDownloader 2.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [159232 2009-09-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [380928 2009-09-02] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [358912 2009-09-02] (Intel Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PrivDogService] => C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe [525480 2013-11-15] (AdTrustMedia)
HKLM-x32\...\Run: [ComodoFSFirefox] => "C:\Program Files (x86)\AdTrustMedia\PrivDog\FinalizeSetup.exe" /f
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [224128 2014-03-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)
HKU\S-1-5-20\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [BatteryMon] => C:\Program Files (x86)\BatteryMon\BatteryMon.exe [1344960 2012-06-15] (PassMark (R) Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [1106288 2013-05-23] (Samsung)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1561968 2013-05-23] (Samsung)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [rfxsrvtray] => E:\Tobit Radio.fx\Client\rfx-tray.exe [1838872 2013-02-07] (Tobit.Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
Startup: C:\Users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCC1D71950A2FCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: PrivDog Extension - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll No File
BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: PrivDog Extension - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll No File
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.com
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - C:\Program Files (x86)\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FireShot - C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba} [2014-03-14]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-13]

==================== Services (Whitelisted) =================

R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] ()

==================== Drivers (Whitelisted) ====================

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-03-25] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-03-25] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-03-25] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-03-25] (COMODO)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-14 19:56 - 2014-04-14 19:56 - 00012799 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:36 - 2014-04-14 19:56 - 00000000 ____D () C:\FRST
2014-04-14 19:33 - 2014-04-14 19:34 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:06 - 2014-04-13 21:07 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-11 12:16 - 2014-03-31 03:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-11 12:16 - 2014-03-31 03:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-11 12:16 - 2014-03-31 02:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-11 12:16 - 2014-03-31 01:57 - 17073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-11 12:15 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-11 12:15 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-11 12:15 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-11 12:15 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-11 12:15 - 2014-02-04 04:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-11 12:15 - 2014-02-04 04:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-11 12:15 - 2014-02-04 04:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-11 12:15 - 2014-01-24 04:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 12:30 - 2014-03-25 12:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 00:43 - 2014-03-23 22:48 - 00000000 ____D () C:\AdwCleaner
2014-03-23 00:41 - 2014-03-23 00:42 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-23 22:54 - 00000000 ____D () C:\Program Files (x86)\MediaWatchV1
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-18 22:47 - 2014-03-18 23:30 - 00540372 _____ () C:\Users\Tobselo\Documents\Ausgaben Budapest.xlsx
2014-03-17 22:31 - 2014-03-17 22:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Bewerbung

==================== One Month Modified Files and Folders =======

2014-04-14 19:57 - 2014-04-14 19:56 - 00012799 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:56 - 2014-04-14 19:36 - 00000000 ____D () C:\FRST
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:54 - 2013-03-31 19:54 - 00000000 ____D () C:\Users\Tobselo
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:50 - 2013-04-01 21:32 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Skype
2014-04-14 19:49 - 2013-04-01 21:05 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat
2014-04-14 19:41 - 2013-03-31 19:54 - 01942388 _____ () C:\Windows\WindowsUpdate.log
2014-04-14 19:34 - 2014-04-14 19:33 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-14 19:11 - 2013-04-01 21:27 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2
2014-04-14 17:12 - 2013-04-03 21:40 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\vlc
2014-04-14 17:07 - 2011-04-12 09:43 - 00699682 _____ () C:\Windows\system32\perfh007.dat
2014-04-14 17:07 - 2011-04-12 09:43 - 00149790 _____ () C:\Windows\system32\perfc007.dat
2014-04-14 17:07 - 2009-07-14 07:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-13 23:02 - 2013-04-20 14:58 - 00000266 _____ () C:\Windows\Tasks\AutoKMS.job
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:07 - 2014-04-13 21:06 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-13 20:42 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-13 20:42 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-13 20:40 - 2013-04-03 23:10 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Dropbox
2014-04-13 20:35 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-13 20:35 - 2009-07-14 06:51 - 00068936 _____ () C:\Windows\setupact.log
2014-04-13 20:34 - 2013-04-01 20:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-13 20:33 - 2014-03-12 21:30 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\TV-Browser
2014-04-13 20:30 - 2013-04-20 14:47 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-13 20:28 - 2013-08-02 00:17 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-13 20:24 - 2013-04-04 00:01 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-04-13 18:49 - 2013-08-28 21:52 - 00013092 _____ () C:\Users\Tobselo\Documents\Stromzähler.xlsx
2014-04-09 21:55 - 2013-11-12 23:29 - 00000000 ____D () C:\ProgramData\Adtrustmedia
2014-04-09 21:54 - 2013-12-03 21:58 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\AdTrustMedia
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-02 22:55 - 2013-04-01 21:32 - 00000000 ____D () C:\ProgramData\Skype
2014-04-02 22:50 - 2013-04-01 22:04 - 00054108 _____ () C:\Windows\system32\Drivers\fvstore.dat
2014-04-02 22:32 - 2013-04-01 21:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-02 22:31 - 2013-04-01 21:05 - 00001838 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk
2014-03-31 03:16 - 2014-04-11 12:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-31 03:13 - 2014-04-11 12:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-31 02:13 - 2014-04-11 12:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-31 01:57 - 2014-04-11 12:16 - 17073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 21:22 - 2013-01-24 22:43 - 00453680 _____ (COMODO) C:\Windows\system32\guard64.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00363504 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00043216 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2014-03-25 21:22 - 2013-01-16 19:51 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2014-03-25 12:32 - 2014-03-25 12:30 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 22:54 - 2014-03-22 18:56 - 00000000 ____D () C:\Program Files (x86)\MediaWatchV1
2014-03-23 22:48 - 2014-03-23 00:43 - 00000000 ____D () C:\AdwCleaner
2014-03-23 14:19 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-03-23 00:42 - 2014-03-23 00:41 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2014-03-18 23:30 - 2014-03-18 22:47 - 00540372 _____ () C:\Users\Tobselo\Documents\Ausgaben Budapest.xlsx
2014-03-17 22:32 - 2014-03-17 22:31 - 00000000 ____D () C:\Users\Tobselo\Documents\Bewerbung

Some content of TEMP:
====================
C:\Users\Tobselo\AppData\Local\Temp\htmlayout.dll
C:\Users\Tobselo\AppData\Local\Temp\nsy362F.exe
C:\Users\Tobselo\AppData\Local\Temp\set-app.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-11 13:36

==================== End Of Log ============================

Last edited by Tobselo (15.04.2014, 09:38)
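As an added example, not part of this thread and not code from FRST or from trojaner-board: a small Python pass that reads FRST.txt lines and pulls out the entries a log helper checks first, the way the FRST log posted above would be read by hand. The sample input is constructed from lines of that log (the SynTPEnh entry from the same log serves as a clean control). What the patterns assume about FRST's output format is stated in the comments and is my reading, not FRST documentation: a startup entry FRST could match to a file ends in a `[size date] (publisher)` suffix, `[X]` marks a missing target, `No File` marks a browser helper whose DLL is gone, and `<======= ATTENTION` is FRST's own flag. The proxy codes are Firefox's network.proxy.type values; 0 means no proxy, so the PAC URL in this log is listed for review but is not in effect.

```python
"""Triage pass over FRST.txt lines: surface the entries a log helper reads first.

Added example for this thread; it is not part of FRST or of the original posts.
Assumptions about FRST's output format (my reading, not FRST documentation):
  - a startup entry FRST matched to a file on disk ends in "[<size> <date>] (<publisher>)",
  - "=> [X]" marks a startup entry whose target no longer exists,
  - "No File" marks a browser helper object whose DLL is gone,
  - "<======= ATTENTION" is FRST's own flag.
The proxy codes are Firefox's network.proxy.type values.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # short tag for the kind of review item
    line: str       # the FRST line (or URL) that triggered it
    note: str = ""  # extra context, e.g. whether a PAC URL is actually in effect


# Firefox network.proxy.type values as FRST prints them under "FF NetworkProxy".
FF_PROXY_TYPES = {
    0: "direct connection, no proxy (a configured PAC URL is ignored)",
    1: "manual proxy",
    2: "PAC script (autoconfig_url is used)",
    4: "auto-detect (WPAD)",
    5: "system proxy settings",
}

RESOLVED = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \(")    # "[1275608 2014-03-25] (COMODO)"
RUN_ENTRY = re.compile(r"^HK(LM|U|CU)\S*\\Run: \[")        # HKLM\...\Run: [name] => target
BROWSER_EXT = re.compile(r"^(BHO|Toolbar|Handler)(-x32)?: ")
PAC_URL = re.compile(r'^FF NetworkProxy: "autoconfig_url", "(?P<url>[^"]+)"')
PROXY_TYPE = re.compile(r'^FF NetworkProxy: "type", (?P<type>\d+)')


def triage_frst(text: str) -> list[Finding]:
    """Return review items for an FRST.txt. It flags entries; it does not judge them."""
    findings: list[Finding] = []
    pac_url = None
    proxy_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "<======= ATTENTION" in line:
            findings.append(Finding("frst-attention", line))
        if BROWSER_EXT.match(line) and line.endswith(" No File"):
            findings.append(Finding("browser-extension-missing-file", line))
        if RUN_ENTRY.match(line):
            if line.endswith("=> [X]"):
                findings.append(Finding("autostart-target-missing", line))
            elif not RESOLVED.search(line):
                findings.append(Finding("autostart-unresolved", line,
                                        "no [size date] (publisher) suffix; check the target by hand"))
        if m := PAC_URL.match(line):
            pac_url = m.group("url")
        if m := PROXY_TYPE.match(line):
            proxy_type = int(m.group("type"))
    # Report the PAC URL together with the proxy mode: a PAC script only
    # steers traffic when network.proxy.type is 2.
    if pac_url is not None:
        state = FF_PROXY_TYPES.get(proxy_type, f"unknown proxy type {proxy_type}")
        findings.append(Finding("firefox-proxy-pac", pac_url,
                                f"network.proxy.type={proxy_type}: {state}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample: lines taken from the FRST.txt posted above (SynTPEnh is a clean control).
SAMPLE_FRST = r"""
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM-x32\...\Run: [ComodoFSFirefox] => "C:\Program Files (x86)\AdTrustMedia\PrivDog\FinalizeSetup.exe" /f
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [AdobeBridge] => [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
BHO: PrivDog Extension - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll No File
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
FF Homepage: hxxp://www.google.com
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
"""

if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"[{f.category}] {f.line}" + (f"  -- {f.note}" if f.note else ""))
```

Run it against a full FRST.txt by passing the file contents to `triage_frst`; the categories are review prompts, and each hit still needs the file on disk, its signer and its timestamps checked before anything is removed.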
15.04.2014, 09:36 | #4

gmer.log Part I
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-04-14 20:16:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_Series rev.DXT06B0Q 232,89GB
Running: Gmer-19357.exe; Driver: C:\Users\Tobselo\AppData\Local\Temp\uwtirfoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773a98e0 6 bytes {JMP QWORD [RIP+0x8cf6750]}
.text C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773c0650 6 bytes {JMP QWORD [RIP+0x8c9f9e0]}
.text C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007743acf0 6 bytes {JMP QWORD [RIP+0x8c45340]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD
[RIP+0x91aea50]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077511430 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\system32\svchost.exe[960] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd549055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefec9a6f0 6 bytes {JMP QWORD [RIP+0x365940]} .text 
C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefecc0c10 6 bytes {JMP QWORD [RIP+0x35f420]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000dc50a0 6 bytes {JMP QWORD [RIP+0x3aaf90]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD 
[RIP+0x902e530]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 
bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\System32\svchost.exe[348] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text C:\Windows\System32\svchost.exe[348] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773a98e0 6 bytes JMP 98bc271 .text C:\Windows\System32\svchost.exe[348] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773c0650 6 bytes JMP 8c9f5c8 .text C:\Windows\System32\svchost.exe[348] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007743acf0 6 bytes JMP 9a324d8 .text C:\Windows\System32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd549055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\system32\svchost.exe[364] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd549055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A] .text 
C:\Windows\system32\svchost.exe[364] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e550a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text 
C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000773a98e0 6 bytes {JMP QWORD [RIP+0x8cf6750]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773c0650 6 bytes {JMP QWORD [RIP+0x8c9f9e0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007743acf0 6 bytes {JMP QWORD [RIP+0x8c45340]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd549055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefeef4750 6 bytes {JMP QWORD [RIP+0x14b8e0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 
000007fefec9a6f0 6 bytes JMP 2 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefecc0c10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[904] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000e350a0 6 bytes JMP fcaa5450 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077511b00 6 bytes {JMP QWORD 
[RIP+0x902e530]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000753f8332 6 bytes {JMP QWORD [RIP+0x7159001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000753f8bff 6 bytes {JMP QWORD [RIP+0x714d001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000753f90d3 6 bytes {JMP QWORD [RIP+0x7108001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000753f9679 6 bytes {JMP QWORD [RIP+0x7147001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000753f97d2 6 bytes {JMP QWORD [RIP+0x7141001e]} .text E:\Tobit 
Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753fee09 6 bytes {JMP QWORD [RIP+0x715f001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000753fefc9 3 bytes [FF, 25, 1E] .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000753fefcd 2 bytes [0E, 71] .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754012a5 6 bytes {JMP QWORD [RIP+0x7153001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007540291f 6 bytes {JMP QWORD [RIP+0x7126001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetParent 0000000075402d64 3 bytes [FF, 25, 1E] .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075402d68 2 bytes [1D, 71] .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075402da4 6 bytes {JMP QWORD [RIP+0x7105001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075403698 3 bytes [FF, 25, 1E] .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007540369c 2 bytes [1A, 71] .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075403baa 6 bytes JMP 7157000a .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075403c61 6 bytes JMP 7151000a .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075406110 6 bytes JMP 715d000a .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007540612e 6 bytes {JMP QWORD [RIP+0x714a001e]} .text E:\Tobit Radio.fx\Server\rfx-server.exe[1668] 
|
15.04.2014, 09:36 | #5 |
| Umleitung zu fake java-update gmer.log Part II Code:
C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776c1d8c 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776c1d90 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776e1287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076de103d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076de1072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076e0c9b5 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007725f776 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077262c91 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763258b3 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076325ea6 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076327bcc 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007632b895 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007632c332 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007632cbfb 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007632e743 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!PlgBlt 
000000007635480f 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000753f8332 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000753f8bff 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000753f90d3 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000753f9679 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000753f97d2 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753fee09 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000753fefc9 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000753fefcd 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754012a5 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007540291f 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetParent 0000000075402d64 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075402d68 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075402da4 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075403698 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007540369c 2 bytes JMP 7121000a .text 
C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075403baa 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075403c61 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075406110 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007540612e 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075406c30 6 bytes JMP 7112000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075407603 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075407668 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000754076e0 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007540781f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007540835c 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007540c4b6 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007540c4ba 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007541c112 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007541d0f5 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007541eb96 6 bytes JMP 712a000a .text 
C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007541ec68 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007541ec6c 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendInput 000000007541ff4a 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007541ff4e 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075439f1d 6 bytes JMP 7118000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075441497 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!mouse_event 000000007545027b 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!keybd_event 00000000754502bf 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075456cfc 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075456d5d 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075457dd7 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075457ddb 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000754588eb 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000754588ef 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000763f2642 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\DllHost.exe[4552] 
C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763f5429 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750e124e 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000763a1465 2 bytes [3A, 76] .text C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763a14bb 2 bytes [3A, 76] .text ... * 2 .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000776bf9e0 3 bytes JMP 71af000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000776bf9e4 2 bytes JMP 71af000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000776bfcb0 3 bytes JMP 70f7000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000776bfcb4 2 bytes JMP 70f7000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000776bfd64 3 bytes JMP 70e2000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000776bfd68 2 bytes JMP 70e2000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000776bfdc8 3 bytes JMP 70e8000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000776bfdcc 2 bytes JMP 70e8000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000776bfec0 3 bytes JMP 70df000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000776bfec4 2 bytes JMP 70df000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000776bffa4 3 
bytes JMP 70eb000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000776bffa8 2 bytes JMP 70eb000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776c0004 3 bytes JMP 7103000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776c0008 2 bytes JMP 7103000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776c0084 3 bytes JMP 7100000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776c0088 2 bytes JMP 7100000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776c00b4 3 bytes JMP 70e5000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776c00b8 2 bytes JMP 70e5000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776c03b8 3 bytes JMP 70d3000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776c03bc 2 bytes JMP 70d3000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776c0550 3 bytes JMP 7106000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776c0554 2 bytes JMP 7106000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776c0694 3 bytes JMP 70f4000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776c0698 2 bytes JMP 70f4000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776c088c 3 bytes JMP 70dc000a .text 
C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776c0890 2 bytes JMP 70dc000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776c08a4 3 bytes JMP 70d6000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776c08a8 2 bytes JMP 70d6000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776c0df4 3 bytes JMP 70f1000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776c0df8 2 bytes JMP 70f1000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776c0ed8 3 bytes JMP 70d9000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776c0edc 2 bytes JMP 70d9000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776c1be4 3 bytes JMP 70ee000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776c1be8 2 bytes JMP 70ee000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776c1cb4 3 bytes JMP 70fd000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776c1cb8 2 bytes JMP 70fd000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776c1d8c 3 bytes JMP 70fa000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776c1d90 2 bytes JMP 70fa000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776e1287 6 bytes JMP 71a8000a .text 
C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076de103d 6 bytes JMP 719c000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076de1072 6 bytes JMP 7199000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076e0c9b5 6 bytes JMP 7190000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007725f776 6 bytes JMP 719f000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077262c91 4 bytes CALL 71ac0000 .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000753f8332 6 bytes JMP 7160000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000753f8bff 6 bytes JMP 7154000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000753f90d3 6 bytes JMP 710f000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000753f9679 6 bytes JMP 714e000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000753f97d2 6 bytes JMP 7148000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753fee09 6 bytes JMP 7166000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000753fefc9 3 bytes JMP 7115000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000753fefcd 2 bytes JMP 7115000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754012a5 6 bytes JMP 715a000a .text 
C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007540291f 6 bytes JMP 712d000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent 0000000075402d64 3 bytes JMP 7124000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075402d68 2 bytes JMP 7124000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075402da4 6 bytes JMP 710c000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075403698 3 bytes JMP 7121000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007540369c 2 bytes JMP 7121000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075403baa 6 bytes JMP 715d000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075403c61 6 bytes JMP 7157000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075406110 6 bytes JMP 7163000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007540612e 6 bytes JMP 7151000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075406c30 6 bytes JMP 7112000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075407603 6 bytes JMP 7169000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075407668 6 bytes JMP 713c000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000754076e0 6 bytes JMP 7142000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007540781f 6 bytes JMP 714b000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007540835c 6 bytes JMP 716c000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007540c4b6 3 bytes JMP 711e000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007540c4ba 2 bytes JMP 711e000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007541c112 6 bytes JMP 7139000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007541d0f5 6 bytes JMP 7136000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007541eb96 6 bytes JMP 712a000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007541ec68 3 bytes JMP 7130000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007541ec6c 2 bytes JMP 7130000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput 000000007541ff4a 3 bytes JMP 7133000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007541ff4e 2 bytes JMP 7133000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075439f1d 6 bytes JMP 7118000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075441497 6 bytes JMP 7109000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!mouse_event 000000007545027b 6 bytes JMP 716f000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!keybd_event 00000000754502bf 6 
bytes JMP 7172000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075456cfc 6 bytes JMP 7145000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075456d5d 6 bytes JMP 713f000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075457dd7 3 bytes JMP 711b000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075457ddb 2 bytes JMP 711b000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000754588eb 3 bytes JMP 7127000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000754588ef 2 bytes JMP 7127000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763258b3 6 bytes JMP 7184000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076325ea6 6 bytes JMP 717e000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076327bcc 6 bytes JMP 718d000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007632b895 6 bytes JMP 7175000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007632c332 6 bytes JMP 717b000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007632cbfb 6 bytes JMP 7187000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007632e743 6 bytes JMP 718a000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007635480f 6 bytes JMP 7178000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 
00000000763f2642 6 bytes JMP 7196000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000763f5429 6 bytes JMP 7193000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750e124e 6 bytes JMP 7181000a .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000763a1465 2 bytes [3A, 76] .text C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763a14bb 2 bytes [3A, 76] .text ... * 2 ---- Processes - GMER 2.1 ---- Library C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe [916](2014-01-03 00:45:04) 0000000004260000 Library C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe [916](2013-10-18 23:55:02) 0000000068d30000 Library C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe [916] (ICU Data DLL/The ICU Project)(2013-10-18 23:55:00) 000000006d490000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ---- |
16.04.2014, 09:55 | #6 |
/// the machine /// TB-Ausbilder | Redirect to fake Java update Hi, scan with ComboFix |
16.04.2014, 22:21 | #7 |
| Redirect to fake Java update Hi, Code:
ATTFilter ComboFix 14-04-12.01 - Tobselo 16.04.2014 22:49:33.2.2 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.1979.1128 [GMT 2:00] ausgeführt von:: c:\users\Tobselo\Desktop\ComboFix.exe AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8} FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3} SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((( Dateien erstellt von 2014-03-16 bis 2014-04-16 )))))))))))))))))))))))))))))) . . 2014-04-16 21:00 . 2014-04-16 21:00 -------- d-----w- c:\users\Default\AppData\Local\temp 2014-04-14 19:15 . 2014-04-14 19:15 -------- d-----w- c:\program files\CCleaner 2014-04-14 17:36 . 2014-04-14 17:57 -------- d-----w- C:\FRST 2014-04-13 19:09 . 2014-04-13 19:09 -------- d-----w- c:\program files (x86)\Common Files\Java 2014-04-13 19:08 . 2014-04-13 19:08 312728 ----a-w- c:\windows\system32\javaws.exe 2014-04-13 19:08 . 2014-04-13 19:08 191384 ----a-w- c:\windows\system32\javaw.exe 2014-04-13 19:08 . 2014-04-13 19:08 190872 ----a-w- c:\windows\system32\java.exe 2014-04-13 19:08 . 2014-04-13 19:08 111000 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll 2014-04-13 19:08 . 2014-04-13 19:08 -------- d-----w- c:\program files\Java 2014-04-11 10:16 . 2014-03-31 01:16 23134208 ----a-w- c:\windows\system32\mshtml.dll 2014-04-11 10:16 . 2014-03-31 01:13 2724864 ----a-w- c:\windows\system32\mshtml.tlb 2014-04-11 10:16 . 2014-03-31 00:13 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb 2014-04-02 20:56 . 2014-04-02 20:56 -------- d-----w- c:\users\Tobselo\AppData\Local\Skype 2014-04-02 20:55 . 2014-04-02 20:55 -------- d-----w- c:\program files (x86)\Common Files\Skype 2014-04-02 20:55 . 2014-04-02 20:55 -------- d-----r- c:\program files (x86)\Skype 2014-03-26 08:26 . 
2014-03-26 08:26 -------- d-----w- c:\program files (x86)\Common Files\SolidWorks Installations-Manager 2014-03-26 08:25 . 2014-03-26 08:25 -------- d-----w- c:\windows\SolidWorks 2014-03-26 08:25 . 2014-03-26 08:25 -------- d-----w- c:\users\Tobselo\AppData\Roaming\SolidWorks 2014-03-22 22:43 . 2014-04-14 19:03 -------- d-----w- C:\AdwCleaner . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2014-04-13 18:24 . 2013-04-03 22:01 90655440 ----a-w- c:\windows\system32\MRT.exe 2014-03-25 19:22 . 2013-01-16 17:51 105552 ----a-w- c:\windows\system32\drivers\inspect.sys 2014-03-25 19:22 . 2013-01-16 17:51 48360 ----a-w- c:\windows\system32\drivers\cmdhlp.sys 2014-03-25 19:22 . 2013-01-16 17:51 738472 ----a-w- c:\windows\system32\drivers\cmdguard.sys 2014-03-25 19:22 . 2013-01-16 17:51 23168 ----a-w- c:\windows\system32\drivers\cmderd.sys 2014-03-25 19:22 . 2013-01-24 20:43 43216 ----a-w- c:\windows\system32\cmdcsr.dll 2014-03-25 19:22 . 2013-01-24 20:43 363504 ----a-w- c:\windows\SysWow64\guard32.dll 2014-03-25 19:22 . 2013-01-24 20:43 453680 ----a-w- c:\windows\system32\guard64.dll 2014-03-25 19:22 . 2013-01-24 20:42 352984 ----a-w- c:\windows\system32\cmdvrt64.dll 2014-03-25 19:22 . 2013-01-24 20:42 45784 ----a-w- c:\windows\system32\cmdkbd64.dll 2014-03-25 19:22 . 2013-01-24 20:42 284888 ----a-w- c:\windows\SysWow64\cmdvrt32.dll 2014-03-25 19:22 . 2013-01-24 20:42 40664 ----a-w- c:\windows\SysWow64\cmdkbd32.dll 2014-03-14 18:23 . 2013-04-03 19:06 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2014-03-14 18:23 . 2013-04-03 19:06 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2014-03-04 09:17 . 2014-04-11 10:15 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2014-03-01 05:16 . 2014-03-13 18:00 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll 2014-03-01 04:58 . 2014-03-13 18:00 2765824 ----a-w- c:\windows\system32\iertutil.dll 2014-03-01 04:52 . 
2014-03-13 18:00 66048 ----a-w- c:\windows\system32\iesetup.dll 2014-03-01 04:51 . 2014-03-13 18:00 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll 2014-03-01 04:42 . 2014-03-13 18:00 53760 ----a-w- c:\windows\system32\jsproxy.dll 2014-03-01 04:40 . 2014-03-13 18:00 33792 ----a-w- c:\windows\system32\iernonce.dll 2014-03-01 04:37 . 2014-03-13 18:00 574976 ----a-w- c:\windows\system32\ieui.dll 2014-03-01 04:33 . 2014-03-13 18:00 139264 ----a-w- c:\windows\system32\ieUnatt.exe 2014-03-01 04:33 . 2014-03-13 18:00 111616 ----a-w- c:\windows\system32\ieetwcollector.exe 2014-03-01 04:32 . 2014-03-13 18:00 708608 ----a-w- c:\windows\system32\jscript9diag.dll 2014-03-01 04:23 . 2014-03-13 18:00 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe 2014-03-01 04:17 . 2014-03-13 18:00 218624 ----a-w- c:\windows\system32\ie4uinit.exe 2014-03-01 04:02 . 2014-03-13 18:00 195584 ----a-w- c:\windows\system32\msrating.dll 2014-03-01 03:54 . 2014-03-13 18:00 5768704 ----a-w- c:\windows\system32\jscript9.dll 2014-03-01 03:52 . 2014-03-13 18:00 61952 ----a-w- c:\windows\SysWow64\iesetup.dll 2014-03-01 03:51 . 2014-03-13 18:00 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll 2014-03-01 03:42 . 2014-03-13 18:00 627200 ----a-w- c:\windows\system32\msfeeds.dll 2014-03-01 03:38 . 2014-03-13 18:00 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2014-03-01 03:37 . 2014-03-13 18:00 553472 ----a-w- c:\windows\SysWow64\jscript9diag.dll 2014-03-01 03:35 . 2014-03-13 18:00 2041856 ----a-w- c:\windows\system32\inetcpl.cpl 2014-03-01 03:18 . 2014-03-13 18:00 13051904 ----a-w- c:\windows\system32\ieframe.dll 2014-03-01 03:14 . 2014-03-13 18:00 4244480 ----a-w- c:\windows\SysWow64\jscript9.dll 2014-03-01 03:10 . 2014-03-13 18:00 2334208 ----a-w- c:\windows\system32\wininet.dll 2014-03-01 03:00 . 2014-03-13 18:00 1964032 ----a-w- c:\windows\SysWow64\inetcpl.cpl 2014-03-01 02:38 . 2014-03-13 18:00 1393664 ----a-w- c:\windows\system32\urlmon.dll 2014-03-01 02:32 . 
2014-03-13 18:00 1820160 ----a-w- c:\windows\SysWow64\wininet.dll 2014-03-01 02:25 . 2014-03-13 18:00 817664 ----a-w- c:\windows\system32\ieapfltr.dll 2014-02-07 01:23 . 2014-03-13 18:00 3156480 ----a-w- c:\windows\system32\win32k.sys 2014-02-04 02:32 . 2014-03-13 17:59 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll 2014-02-04 02:32 . 2014-03-13 17:59 624128 ----a-w- c:\windows\system32\qedit.dll 2014-02-04 02:04 . 2014-03-13 17:59 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll 2014-02-04 02:04 . 2014-03-13 17:59 509440 ----a-w- c:\windows\SysWow64\qedit.dll 2014-01-29 02:32 . 2014-03-13 18:00 484864 ----a-w- c:\windows\system32\wer.dll 2014-01-29 02:06 . 2014-03-13 18:00 381440 ----a-w- c:\windows\SysWow64\wer.dll 2014-01-28 02:32 . 2014-03-13 18:00 228864 ----a-w- c:\windows\system32\wwansvc.dll 2014-01-25 14:50 . 2014-01-25 14:50 175 ----a-w- C:\whx.bat 2014-01-25 14:08 . 2014-01-25 14:08 119808 ----a-r- c:\users\Tobselo\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}] c:\program files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll [BU] . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . 
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 131248 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BatteryMon"="c:\program files (x86)\BatteryMon\BatteryMon.exe" [2012-06-15 1344960] "KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-05-23 1561968] "rfxsrvtray"="e:\tobit radio.fx\Client\rfx-tray.exe" [2013-02-07 1838872] "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2014-02-10 20922016] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "PrivDogService"="c:\program files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe" [2013-11-15 525480] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-09-05 3478392] "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-03-04 224128] . c:\users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-3 30714328] . 
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ SolidWorks Hintergrund-Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installations-Manager\BackgroundDownloading\sldBgDwld.exe /launch_from 0 [2014-3-26 2740264] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux1"=wdmaud.drv . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x] R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x] R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x] R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU 
Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WSDScan;WSD-Scanunterstützung durch UMB;c:\windows\system32\drivers\WSDScan.sys;c:\windows\SYSNATIVE\drivers\WSDScan.sys [x] S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys;c:\windows\SYSNATIVE\DRIVERS\cmderd.sys [x] S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys;c:\windows\SYSNATIVE\DRIVERS\cmdguard.sys [x] S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys;c:\windows\SYSNATIVE\DRIVERS\cmdhlp.sys [x] S2 Radio.fx;Radio.fx Server;e:\tobit radio.fx\Server\rfx-server.exe;e:\tobit radio.fx\Server\rfx-server.exe [x] S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x] S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x] S3 NETw5s64;Intel(R) Wireless WiFi Link Adaptertreiber für Windows 7 64-Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x] . . --- Andere Dienste/Treiber im Speicher --- . *NewlyCreated* - WS2IFSL . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2013-09-10 23:54 164016 ----a-w- c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2014-03-25 1275608] "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928] "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 108144] "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904] . ------- Zusätzlicher Suchlauf ------- . 
uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.google.com mLocal Page = c:\windows\SysWOW64\blank.htm IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000 IE: {{2F5C139F-79BD-4C84-A95A-E7140525BC55} - {5B06364D-FF00-4BD5-9D01-4379952513F2} - c:\program files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll TCP: DhcpNameServer = 192.168.178.1 FF - ProfilePath - c:\users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - prefs.js: network.proxy.type - 0 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . Wow6432Node-HKLM-Run-<NO NAME> - (no file) AddRemove-PrivDog - c:\program files (x86)\AdTrustMedia\PrivDog\UninstallTrustedAds.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_175_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_175_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\COMODO\CIS\Installer\Sym_Cam\CIS] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Configurations] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Data] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Options] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . 
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Cam] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\ . Zeit der Fertigstellung: 2014-04-16 23:16:08 ComboFix-quarantined-files.txt 2014-04-16 21:16 . Vor Suchlauf: 3.640.221.696 Bytes frei Nach Suchlauf: 3.567.673.344 Bytes frei . - - End Of File - - 046B5D252C279C2F4F534A02E1E3E678 A36C5E4F47E84449FF07ED3517B43A31 |
17.04.2014, 19:34 | #8 |
/// the machine /// TB-Ausbilder | Redirect to fake Java update Please download Malwarebytes Anti-Malware.
Please download AdwCleaner to your desktop.
Please shut down your protection software to avoid possible conflicts.
And a fresh FRST log, please.
__________________ Regards, schrauber. Proud Member of UNITE and ASAP since 2009. No help via PM! |
18.04.2014, 20:14 | #9 |
| Redirect to fake Java update Good evening, mbam.txt Code:
ATTFilter Malwarebytes Anti-Malware www.malwarebytes.org Suchlauf Datum: 18.04.2014 Suchlauf-Zeit: 19:19:19 Logdatei: Malwarebytes.txt Administrator: Ja Version: 2.00.1.1004 Malware Datenbank: v2014.04.18.07 Rootkit Datenbank: v2014.03.27.01 Lizenz: Testversion Malware Schutz: Aktiviert Bösartiger Webseiten Schutz: Aktiviert Chameleon: Deaktiviert Betriebssystem: Windows 7 Service Pack 1 CPU: x64 Dateisystem: NTFS Benutzer: Tobselo Suchlauf-Art: Bedrohungs-Suchlauf Ergebnis: Abgeschlossen Durchsuchte Objekte: 258516 Verstrichene Zeit: 30 Min, 51 Sek Speicher: Aktiviert Autostart: Aktiviert Dateisystem: Aktiviert Archive: Aktiviert Rootkits: Aktiviert Shuriken: Aktiviert PUP: Aktiviert PUM: Aktiviert Prozesse: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registrierungsschlüssel: 0 (No malicious items detected) Registrierungswerte: 0 (No malicious items detected) Registrierungsdaten: 0 (No malicious items detected) Ordner: 0 (No malicious items detected) Dateien: 4 Hacktool.Agent, C:\Users\Tobselo\Downloads\2-lodda-21.rar, In Quarantäne, [0ff15ea28e727a86535888bce51c1de3], PUP.MailPassView, C:\Users\Tobselo\Downloads\mailpv_setup.exe, In Quarantäne, [35cb659b16ea2bd5c27fc27214f09967], PUP.Optional.OpenCandy, C:\Users\Tobselo\Downloads\winamp565_full_emusic-7plus_all.exe, In Quarantäne, [3fc18d735aa67d839f1edc6fe61e3fc1], PUP.Optional.YourFileDownloader, C:\Users\Tobselo\Downloads\YourFile_downloader.exe, In Quarantäne, [a55bea1613ed14ecb9497ca2926e07f9], Physische Sektoren: 0 (No malicious items detected) (end) Code:
ATTFilter # AdwCleaner v3.023 - Bericht erstellt am 18/04/2014 um 19:29:39 # Aktualisiert 01/04/2014 von Xplode # Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits) # Benutzername : Tobselo - TOBSELO-PC # Gestartet von : C:\Users\Tobselo\Downloads\adwcleaner3023.exe # Option : Löschen ***** [ Dienste ] ***** ***** [ Dateien / Ordner ] ***** ***** [ Verknüpfungen ] ***** ***** [ Registrierungsdatenbank ] ***** ***** [ Browser ] ***** -\\ Internet Explorer v11.0.9600.16521 -\\ Mozilla Firefox v28.0 (de) [ Datei : C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\prefs.js ] ************************* AdwCleaner[R0].txt - [4807 octets] - [23/03/2014 00:43:37] AdwCleaner[R1].txt - [1166 octets] - [23/03/2014 00:53:56] AdwCleaner[R2].txt - [1287 octets] - [23/03/2014 00:59:54] AdwCleaner[R3].txt - [1407 octets] - [23/03/2014 22:47:07] AdwCleaner[R4].txt - [1610 octets] - [14/04/2014 21:01:56] AdwCleaner[R5].txt - [1358 octets] - [18/04/2014 19:26:20] AdwCleaner[R6].txt - [1419 octets] - [18/04/2014 19:28:32] AdwCleaner[S0].txt - [4665 octets] - [23/03/2014 00:45:11] AdwCleaner[S1].txt - [1228 octets] - [23/03/2014 00:57:11] AdwCleaner[S2].txt - [1348 octets] - [23/03/2014 01:03:37] AdwCleaner[S3].txt - [1623 octets] - [14/04/2014 21:03:50] AdwCleaner[S4].txt - [1340 octets] - [18/04/2014 19:29:39] ########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1400 octets] ########## Code:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 6.1.4 (04.06.2014:1) OS: Windows 7 Professional x64 Ran by Tobselo on 18.04.2014 at 19:34:33,21 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\privdogservice ~~~ Registry Keys Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} ~~~ Files ~~~ Folders Successfully deleted: [Folder] "C:\ProgramData\adtrustmedia" Successfully deleted: [Folder] "C:\Program Files (x86)\adtrustmedia" ~~~ FireFox Successfully deleted the following from C:\Users\Tobselo\AppData\Roaming\mozilla\firefox\profiles\ktk825x4.default\prefs.js user_pref("extensions.trusted-ads.TrustAd", "{\"r\":[{\"t\":\"FQDN\",\"r\":\"trustedads.adtrustmedia.com\",\"c\":[{\"i\":\"1\",\"s\":[\"display.clickpoint.com\",\"www.africawi Emptied folder: C:\Users\Tobselo\AppData\Roaming\mozilla\firefox\profiles\ktk825x4.default\minidumps [10 files] ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 18.04.2014 at 20:45:32,08 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01 Ran by Tobselo (administrator) on TOBSELO-PC on 18-04-2014 21:07:09 Running from C:\Users\Tobselo\Desktop Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Intel Corporation) C:\Windows\System32\igfxtray.exe (Intel Corporation) C:\Windows\System32\hkcmd.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe (Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe (Tobit.Software) E:\Tobit Radio.fx\Client\rfx-tray.exe (Intel Corporation) C:\Windows\system32\igfxsrvc.exe (PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe (Dropbox, Inc.) C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Adobe Systems Inc.) 
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe (Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe () E:\Tobit Radio.fx\Server\rfx-server.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO) HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated) HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [159232 2009-09-02] (Intel Corporation) HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [380928 2009-09-02] (Intel Corporation) HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [358912 2009-09-02] (Intel Corporation) HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation) HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.) 
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [224128 2014-03-04] (Oracle Corporation) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [BatteryMon] => C:\Program Files (x86)\BatteryMon\BatteryMon.exe [1344960 2012-06-15] (PassMark (R) Software) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1561968 2013-05-23] (Samsung) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [rfxsrvtray] => E:\Tobit Radio.fx\Client\rfx-tray.exe [1838872 2013-02-07] (Tobit.Software) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.) Startup: C:\Users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk ShortcutTarget: Dropbox.lnk -> C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCC1D71950A2FCE01 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation) BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated) BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation) BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated) BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files 
(x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated) Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 FireFox: ======== FF ProfilePath: C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default FF SelectedSearchEngine: Google FF Homepage: hxxp://www.google.com FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac" FF NetworkProxy: "type", 0 FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll () FF Plugin: @java.com/DTPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation) FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program 
Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems) FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll () FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - C:\Program Files (x86)\Winamp Detect\npwachk.dll (Nullsoft, Inc.) FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.) FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems) FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml FF Extension: FireShot - C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba} [2014-03-14] FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-13] ==================== Services (Whitelisted) ================= R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO) S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO) R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] () ==================== Drivers (Whitelisted) ==================== R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-03-25] (COMODO) R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-03-25] (COMODO) R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-03-25] (COMODO) R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-03-25] (COMODO) S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2014-04-18] (Malwarebytes Corporation) S3 catchme; \??\C:\ComboFix\catchme.sys [X] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-04-18 20:52 - 
2014-03-06 11:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-04-18 20:52 - 2014-03-06 10:57 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-04-18 20:52 - 2014-03-06 10:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-04-18 20:52 - 2014-03-06 10:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-04-18 20:52 - 2014-03-06 10:02 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-04-18 20:52 - 2014-03-06 09:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-04-18 20:51 - 2014-03-06 12:21 - 23549440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-04-18 20:51 - 2014-03-06 11:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-04-18 20:51 - 2014-03-06 11:19 - 17387008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-04-18 20:51 - 2014-03-06 10:59 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-04-18 20:51 - 2014-03-06 10:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-04-18 20:51 - 2014-03-06 10:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-04-18 20:51 - 2014-03-06 10:40 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-04-18 20:51 - 2014-03-06 10:39 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-04-18 20:51 - 2014-03-06 10:29 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-04-18 20:51 - 2014-03-06 10:29 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-04-18 20:51 - 2014-03-06 10:28 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-04-18 20:51 - 2014-03-06 10:15 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-04-18 20:51 
- 2014-03-06 10:11 - 05784064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-04-18 20:51 - 2014-03-06 10:09 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-04-18 20:51 - 2014-03-06 10:03 - 00586240 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-04-18 20:51 - 2014-03-06 10:02 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-04-18 20:51 - 2014-03-06 10:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-04-18 20:51 - 2014-03-06 09:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-04-18 20:51 - 2014-03-06 09:48 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-04-18 20:51 - 2014-03-06 09:47 - 02178048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-04-18 20:51 - 2014-03-06 09:46 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-04-18 20:51 - 2014-03-06 09:46 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-04-18 20:51 - 2014-03-06 09:45 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-04-18 20:51 - 2014-03-06 09:42 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-04-18 20:51 - 2014-03-06 09:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-04-18 20:51 - 2014-03-06 09:36 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-04-18 20:51 - 2014-03-06 09:22 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-04-18 20:51 - 2014-03-06 09:21 - 00628736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-04-18 20:51 - 2014-03-06 09:13 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-04-18 20:51 - 2014-03-06 09:11 - 02043904 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 
2014-04-18 20:51 - 2014-03-06 09:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-04-18 20:51 - 2014-03-06 09:01 - 00244224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-04-18 20:51 - 2014-03-06 08:53 - 13551104 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-04-18 20:51 - 2014-03-06 08:46 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-04-18 20:51 - 2014-03-06 08:40 - 01967104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-04-18 20:51 - 2014-03-06 08:36 - 11745792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-04-18 20:51 - 2014-03-06 08:22 - 02260480 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-04-18 20:51 - 2014-03-06 07:58 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-04-18 20:51 - 2014-03-06 07:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-04-18 20:51 - 2014-03-06 07:43 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-04-18 20:51 - 2014-03-06 07:41 - 01789440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-04-18 20:51 - 2014-03-06 07:36 - 01143808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-04-18 20:45 - 2014-04-18 20:49 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt 2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT 2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe 2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt 2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt 2014-04-18 18:46 - 2014-04-18 20:58 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-18 18:44 - 
2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe 2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt 2014-04-16 22:28 - 2014-04-18 21:04 - 00000336 _____ () C:\Windows\setupact.log 2014-04-16 22:28 - 2014-04-18 19:20 - 00002906 _____ () C:\Windows\PFRO.log 2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log 2014-04-16 22:10 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe 2014-04-16 22:10 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe 2014-04-16 22:10 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe 2014-04-16 22:10 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe 2014-04-16 22:10 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe 2014-04-16 22:10 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe 2014-04-16 22:10 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe 2014-04-16 22:10 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe 2014-04-16 22:09 - 2014-04-16 23:16 - 00000000 ____D () C:\Qoobox 2014-04-16 22:09 - 2014-04-16 22:30 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 22:05 - 2014-04-16 22:07 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe 2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC 2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk 2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner 2014-04-14 21:13 - 2014-04-14 21:14 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe 2014-04-14 20:59 - 2014-04-14 21:00 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe 2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip 2014-04-14 20:07 - 2014-04-14 20:16 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log 2014-04-14 19:58 - 2014-04-14 19:58 - 
00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe 2014-04-14 19:56 - 2014-04-18 21:07 - 00011692 _____ () C:\Users\Tobselo\Desktop\FRST.txt 2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log 2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable 2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe 2014-04-14 19:36 - 2014-04-18 21:07 - 00000000 ____D () C:\FRST 2014-04-14 19:33 - 2014-04-14 19:34 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll 2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java 2014-04-13 21:06 - 2014-04-13 21:07 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe 2014-04-11 12:15 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll 2014-04-11 12:15 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll 2014-04-11 12:15 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll 2014-04-11 12:15 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll 2014-04-11 12:15 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll 2014-04-11 12:15 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll 2014-04-11 12:15 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll 
2014-04-11 12:15 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe 2014-04-11 12:15 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll 2014-04-11 12:15 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe 2014-04-11 12:15 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe 2014-04-11 12:15 - 2014-02-04 04:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys 2014-04-11 12:15 - 2014-02-04 04:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys 2014-04-11 12:15 - 2014-02-04 04:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys 2014-04-11 12:15 - 2014-02-04 04:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll 2014-04-11 12:15 - 2014-02-04 04:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll 2014-04-11 12:15 - 2014-01-24 04:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys 2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype 2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk 2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype 2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks 2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks 2014-03-25 12:30 - 2014-03-25 12:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi 2014-03-23 00:43 - 2014-04-18 19:29 - 00000000 ____D () C:\AdwCleaner 2014-03-23 00:41 - 2014-03-23 00:42 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe 2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () 
C:\ProgramData\ntuser.pol ==================== One Month Modified Files and Folders ======= 2014-04-18 21:07 - 2014-04-14 19:56 - 00011692 _____ () C:\Users\Tobselo\Desktop\FRST.txt 2014-04-18 21:07 - 2014-04-14 19:36 - 00000000 ____D () C:\FRST 2014-04-18 21:06 - 2013-04-01 21:32 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Skype 2014-04-18 21:05 - 2013-04-03 23:10 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Dropbox 2014-04-18 21:04 - 2014-04-16 22:28 - 00000336 _____ () C:\Windows\setupact.log 2014-04-18 21:04 - 2013-04-01 21:05 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat 2014-04-18 21:04 - 2013-03-31 19:54 - 02080658 _____ () C:\Windows\WindowsUpdate.log 2014-04-18 21:04 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-04-18 21:03 - 2011-04-12 09:43 - 00699682 _____ () C:\Windows\system32\perfh007.dat 2014-04-18 21:03 - 2011-04-12 09:43 - 00149790 _____ () C:\Windows\system32\perfc007.dat 2014-04-18 21:03 - 2009-07-14 07:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-04-18 21:02 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-04-18 21:02 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-04-18 20:58 - 2014-04-18 18:46 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-04-18 20:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions 2014-04-18 20:49 - 2014-04-18 20:45 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt 2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT 2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe 2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt 2014-04-18 19:29 - 2014-03-23 00:43 - 00000000 ____D () C:\AdwCleaner 
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt 2014-04-18 19:20 - 2014-04-16 22:28 - 00002906 _____ () C:\Windows\PFRO.log 2014-04-18 19:19 - 2013-04-01 21:27 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2 2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe 2014-04-17 00:55 - 2013-04-03 21:40 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\vlc 2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt 2014-04-16 23:16 - 2014-04-16 22:09 - 00000000 ____D () C:\Qoobox 2014-04-16 23:00 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini 2014-04-16 22:45 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default 2014-04-16 22:30 - 2014-04-16 22:09 - 00000000 ____D () C:\Windows\erdnt 2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log 2014-04-16 22:07 - 2014-04-16 22:05 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe 2014-04-14 21:17 - 2013-10-17 20:43 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Winamp 2014-04-14 21:17 - 2013-05-06 00:21 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\FileZilla 2014-04-14 21:17 - 2013-03-31 20:50 - 00000000 ____D () C:\Windows\Panther 2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC 2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk 2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner 2014-04-14 21:14 - 2014-04-14 21:13 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe 2014-04-14 21:00 - 2014-04-14 20:59 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe 2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip 2014-04-14 20:16 - 2014-04-14 
20:07 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log 2014-04-14 20:07 - 2013-03-31 19:54 - 00000000 ____D () C:\Users\Tobselo 2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe 2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log 2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable 2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe 2014-04-14 19:34 - 2014-04-14 19:33 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe 2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll 2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java 2014-04-13 21:07 - 2014-04-13 21:06 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe 2014-04-13 20:34 - 2013-04-01 20:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service 2014-04-13 20:33 - 2014-03-12 21:30 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\TV-Browser 2014-04-13 20:30 - 2013-04-20 14:47 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-04-13 20:28 - 2013-08-02 00:17 - 00000000 ____D () C:\Windows\system32\MRT 2014-04-13 20:24 - 2013-04-04 00:01 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-04-13 18:49 - 2013-08-28 21:52 - 00013092 _____ () C:\Users\Tobselo\Documents\Stromzähler.xlsx 2014-04-09 21:54 - 2013-12-03 21:58 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\AdTrustMedia 2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () 
C:\Users\Tobselo\AppData\Local\Skype 2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk 2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype 2014-04-02 22:55 - 2013-04-01 21:32 - 00000000 ____D () C:\ProgramData\Skype 2014-04-02 22:50 - 2013-04-01 22:04 - 00054108 _____ () C:\Windows\system32\Drivers\fvstore.dat 2014-04-02 22:32 - 2013-04-01 21:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO 2014-04-02 22:31 - 2013-04-01 21:05 - 00001838 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk 2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox 2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks 2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks 2014-03-25 21:22 - 2013-01-24 22:43 - 00453680 _____ (COMODO) C:\Windows\system32\guard64.dll 2014-03-25 21:22 - 2013-01-24 22:43 - 00363504 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll 2014-03-25 21:22 - 2013-01-24 22:43 - 00043216 _____ (COMODO) C:\Windows\system32\cmdcsr.dll 2014-03-25 21:22 - 2013-01-24 22:42 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll 2014-03-25 21:22 - 2013-01-24 22:42 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll 2014-03-25 21:22 - 2013-01-24 22:42 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll 2014-03-25 21:22 - 2013-01-24 22:42 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll 2014-03-25 21:22 - 2013-01-16 19:51 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys 2014-03-25 21:22 - 2013-01-16 19:51 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys 2014-03-25 21:22 - 2013-01-16 19:51 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys 2014-03-25 21:22 - 2013-01-16 19:51 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys 2014-03-25 12:32 - 2014-03-25 12:30 - 00000000 ____D () 
C:\Users\Tobselo\Documents\Werzi 2014-03-23 14:19 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache 2014-03-23 00:42 - 2014-03-23 00:41 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe 2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol 2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy 2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy Some content of TEMP: ==================== C:\Users\Tobselo\AppData\Local\Temp\Quarantine.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-04-11 13:36 ==================== End Of Log ============================ |
19.04.2014, 12:28 | #10 |
/// the machine /// TB-Ausbilder | Redirect to fake java-update ESET Online Scanner
Please download SecurityCheck and:
and a fresh FRST log, please. Any problems left?
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 |
19.04.2014, 20:57 | #11 |
| Redirect to fake java-update Hey, the problem still exists! Happy Easter! Regards, Tobi ESET: Code:
ATTFilter ESETSmartInstaller@High as downloader log: Can not open internetESETSmartInstaller@High as downloader log: Can not open internet# version=8 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6920 # api_version=3.0.2 # EOSSerial=9ea26bf10d6ccf4fa5882f060fae21aa # engine=17955 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=false # unsafe_checked=false # antistealth_checked=true # utc_time=2014-04-19 07:38:29 # local_time=2014-04-19 09:38:29 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1033 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode=3074 16777213 100 84 27612 43558131 0 0 # compatibility_mode=5893 16776574 100 94 24220636 149566159 0 0 # scanned=153294 # found=5 # cleaned=0 # scan_time=11825 sh=AB3A1E36ECBB52F2666380331A42FF1EBAE91454 ft=1 fh=fe256c697b32839a vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\ProgramData\Comodo\Cis\Quarantine\data\{857D07C5-A12B-43AC-AFEB-6B92E3B089B3}" sh=8C5EB12AF1A9EB8E8DB08B95B3459E002D9D6EF5 ft=1 fh=8ec3e6ab7109e42f vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\ProgramData\Comodo\Cis\Quarantine\data\{BCF3B375-DA63-4610-87B9-18AB270E8395}" sh=AB3A1E36ECBB52F2666380331A42FF1EBAE91454 ft=1 fh=fe256c697b32839a vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\Users\All Users\Comodo\Cis\Quarantine\data\{857D07C5-A12B-43AC-AFEB-6B92E3B089B3}" sh=8C5EB12AF1A9EB8E8DB08B95B3459E002D9D6EF5 ft=1 fh=8ec3e6ab7109e42f vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\Users\All Users\Comodo\Cis\Quarantine\data\{BCF3B375-DA63-4610-87B9-18AB270E8395}" sh=143436581F74658DC6A67F39CEDFD9EC1D1D52B7 ft=1 fh=a0d842eed01264c5 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\Tobselo\Tools\X-Ways WinHex 17.3 SR-5\X-Ways WinHex 17.3 SR-5\keygen\keygen.exe" Code:
Results of screen317's Security Check version 0.99.81
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
COMODO Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java version out of Date!
Adobe Flash Player 12.0.0.77
Adobe Reader XI
Mozilla Firefox (28.0)
````````Process Check: objlist.exe by Laurent````````
Comodo Firewall cmdagent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-04-2014 Ran by Tobselo (administrator) on TOBSELO-PC on 19-04-2014 21:51:31 Running from C:\Users\Tobselo\Desktop Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Intel Corporation) C:\Windows\System32\igfxtray.exe (Intel Corporation) C:\Windows\System32\hkcmd.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe (Tobit.Software) E:\Tobit Radio.fx\Client\rfx-tray.exe (Intel Corporation) C:\Windows\system32\igfxsrvc.exe (Dropbox, Inc.) C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe (Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE () E:\Tobit Radio.fx\Server\rfx-server.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO) HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated) HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft 
Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation) HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.) HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [224128 2014-03-04] (Oracle Corporation) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [BatteryMon] => C:\Program Files (x86)\BatteryMon\BatteryMon.exe [1344960 2012-06-15] (PassMark (R) Software) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1561968 2013-05-23] (Samsung) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [rfxsrvtray] => E:\Tobit Radio.fx\Client\rfx-tray.exe [1838872 2013-02-07] (Tobit.Software) HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.) Startup: C:\Users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk ShortcutTarget: Dropbox.lnk -> C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCC1D71950A2FCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.com
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - C:\Program Files (x86)\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FireShot - C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba} [2014-03-14]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-13]

==================== Services (Whitelisted) =================
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] ()

==================== Drivers (Whitelisted) ====================
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-03-25] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-03-25] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-03-25] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-03-25] (COMODO)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2014-04-18] (Malwarebytes Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2014-04-19 21:49 - 2014-04-19 21:49 - 00000732 _____ () C:\Users\Tobselo\Desktop\checkup.txt
2014-04-19 21:49 - 2014-04-19 21:49 - 00000000 ____D () C:\Users\Tobselo\Desktop\FRST-OlderVersion
2014-04-19 21:44 - 2014-04-19 21:44 - 00987448 _____ () C:\Users\Tobselo\Desktop\SecurityCheck.exe
2014-04-19 18:14 - 2014-04-19 18:14 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-04-19 18:12 - 2014-04-19 18:12 - 02347384 _____ (ESET) C:\Users\Tobselo\Downloads\esetsmartinstaller_enu.exe
2014-04-18 20:52 - 2014-03-06 11:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-18 20:52 - 2014-03-06 10:57 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-18 20:52 - 2014-03-06 10:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-18 20:52 - 2014-03-06 10:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-18 20:52 - 2014-03-06 10:02 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-04-18 20:52 - 2014-03-06 09:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-18 20:51 - 2014-03-06 12:21 - 23549440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-18 20:51 - 2014-03-06 11:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-04-18 20:51 - 2014-03-06 11:19 - 17387008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-18 20:51 - 2014-03-06 10:59 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-04-18 20:51 - 2014-03-06 10:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-04-18 20:51 - 2014-03-06 10:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-18 20:51 - 2014-03-06 10:40 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-18 20:51 - 2014-03-06 10:39 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-04-18 20:51 - 2014-03-06 10:29 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-18 20:51 - 2014-03-06 10:29 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-04-18 20:51 - 2014-03-06 10:28 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-04-18 20:51 - 2014-03-06 10:15 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-04-18 20:51 - 2014-03-06 10:11 - 05784064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-18 20:51 - 2014-03-06 10:09 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-04-18 20:51 - 2014-03-06 10:03 - 00586240 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-04-18 20:51 - 2014-03-06 10:02 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-18 20:51 - 2014-03-06 10:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-04-18 20:51 - 2014-03-06 09:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-04-18 20:51 - 2014-03-06 09:48 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-04-18 20:51 - 2014-03-06 09:47 - 02178048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-18 20:51 - 2014-03-06 09:46 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-18 20:51 - 2014-03-06 09:46 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-18 20:51 - 2014-03-06 09:45 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-18 20:51 - 2014-03-06 09:42 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-04-18 20:51 - 2014-03-06 09:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-04-18 20:51 - 2014-03-06 09:36 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-04-18 20:51 - 2014-03-06 09:22 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-04-18 20:51 - 2014-03-06 09:21 - 00628736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-18 20:51 - 2014-03-06 09:13 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-04-18 20:51 - 2014-03-06 09:11 - 02043904 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-18 20:51 - 2014-03-06 09:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-18 20:51 - 2014-03-06 09:01 - 00244224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-04-18 20:51 - 2014-03-06 08:53 - 13551104 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-18 20:51 - 2014-03-06 08:46 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-18 20:51 - 2014-03-06 08:40 - 01967104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-04-18 20:51 - 2014-03-06 08:36 - 11745792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-18 20:51 - 2014-03-06 08:22 - 02260480 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-18 20:51 - 2014-03-06 07:58 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-18 20:51 - 2014-03-06 07:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-04-18 20:51 - 2014-03-06 07:43 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-04-18 20:51 - 2014-03-06 07:41 - 01789440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-18 20:51 - 2014-03-06 07:36 - 01143808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-18 20:45 - 2014-04-18 20:49 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt
2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT
2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe
2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt
2014-04-18 18:46 - 2014-04-18 20:58 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt
2014-04-16 22:28 - 2014-04-18 21:04 - 00000336 _____ () C:\Windows\setupact.log
2014-04-16 22:28 - 2014-04-18 19:20 - 00002906 _____ () C:\Windows\PFRO.log
2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-16 22:10 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-04-16 22:10 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-04-16 22:10 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-04-16 22:09 - 2014-04-16 23:16 - 00000000 ____D () C:\Qoobox
2014-04-16 22:09 - 2014-04-16 22:30 - 00000000 ____D () C:\Windows\erdnt
2014-04-16 22:05 - 2014-04-16 22:07 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe
2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-14 21:13 - 2014-04-14 21:14 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe
2014-04-14 20:59 - 2014-04-14 21:00 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe
2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip
2014-04-14 20:07 - 2014-04-14 20:16 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log
2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe
2014-04-14 19:56 - 2014-04-19 21:51 - 00011275 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:36 - 2014-04-19 21:51 - 00000000 ____D () C:\FRST
2014-04-14 19:33 - 2014-04-19 21:49 - 02055680 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:06 - 2014-04-13 21:07 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-11 12:15 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-11 12:15 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-11 12:15 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-11 12:15 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-11 12:15 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-11 12:15 - 2014-02-04 04:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-11 12:15 - 2014-02-04 04:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-11 12:15 - 2014-02-04 04:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-11 12:15 - 2014-01-24 04:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 12:30 - 2014-03-25 12:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 00:43 - 2014-04-18 19:29 - 00000000 ____D () C:\AdwCleaner
2014-03-23 00:41 - 2014-03-23 00:42 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol

==================== One Month Modified Files and Folders =======
2014-04-19 21:51 - 2014-04-14 19:56 - 00011275 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-19 21:51 - 2014-04-14 19:36 - 00000000 ____D () C:\FRST
2014-04-19 21:49 - 2014-04-19 21:49 - 00000732 _____ () C:\Users\Tobselo\Desktop\checkup.txt
2014-04-19 21:49 - 2014-04-19 21:49 - 00000000 ____D () C:\Users\Tobselo\Desktop\FRST-OlderVersion
2014-04-19 21:49 - 2014-04-14 19:33 - 02055680 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-19 21:46 - 2013-04-01 21:05 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat
2014-04-19 21:44 - 2014-04-19 21:44 - 00987448 _____ () C:\Users\Tobselo\Desktop\SecurityCheck.exe
2014-04-19 21:42 - 2013-03-31 19:54 - 01049348 _____ () C:\Windows\WindowsUpdate.log
2014-04-19 19:04 - 2011-04-12 09:43 - 00699682 _____ () C:\Windows\system32\perfh007.dat
2014-04-19 19:04 - 2011-04-12 09:43 - 00149790 _____ () C:\Windows\system32\perfc007.dat
2014-04-19 19:04 - 2009-07-14 07:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-19 18:14 - 2014-04-19 18:14 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-04-19 18:12 - 2014-04-19 18:12 - 02347384 _____ (ESET) C:\Users\Tobselo\Downloads\esetsmartinstaller_enu.exe
2014-04-18 21:11 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-18 21:11 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-18 21:06 - 2013-04-01 21:32 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Skype
2014-04-18 21:05 - 2013-04-03 23:10 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Dropbox
2014-04-18 21:04 - 2014-04-16 22:28 - 00000336 _____ () C:\Windows\setupact.log
2014-04-18 21:04 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-18 20:58 - 2014-04-18 18:46 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-18 20:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-04-18 20:49 - 2014-04-18 20:45 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt
2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT
2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe
2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt
2014-04-18 19:29 - 2014-03-23 00:43 - 00000000 ____D () C:\AdwCleaner
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt
2014-04-18 19:20 - 2014-04-16 22:28 - 00002906 _____ () C:\Windows\PFRO.log
2014-04-18 19:19 - 2013-04-01 21:27 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2
2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-17 00:55 - 2013-04-03 21:40 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\vlc
2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt
2014-04-16 23:16 - 2014-04-16 22:09 - 00000000 ____D () C:\Qoobox
2014-04-16 23:00 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2014-04-16 22:45 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2014-04-16 22:30 - 2014-04-16 22:09 - 00000000 ____D () C:\Windows\erdnt
2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-16 22:07 - 2014-04-16 22:05 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe
2014-04-14 21:17 - 2013-10-17 20:43 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Winamp
2014-04-14 21:17 - 2013-05-06 00:21 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\FileZilla
2014-04-14 21:17 - 2013-03-31 20:50 - 00000000 ____D () C:\Windows\Panther
2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-14 21:14 - 2014-04-14 21:13 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe
2014-04-14 21:00 - 2014-04-14 20:59 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe
2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip
2014-04-14 20:16 - 2014-04-14 20:07 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log
2014-04-14 20:07 - 2013-03-31 19:54 - 00000000 ____D () C:\Users\Tobselo
2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:07 - 2014-04-13 21:06 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-13 20:34 - 2013-04-01 20:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-13 20:33 - 2014-03-12 21:30 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\TV-Browser
2014-04-13 20:30 - 2013-04-20 14:47 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-13 20:28 - 2013-08-02 00:17 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-13 20:24 - 2013-04-04 00:01 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-04-13 18:49 - 2013-08-28 21:52 - 00013092 _____ () C:\Users\Tobselo\Documents\Stromzähler.xlsx
2014-04-09 21:54 - 2013-12-03 21:58 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\AdTrustMedia
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-02 22:55 - 2013-04-01 21:32 - 00000000 ____D () C:\ProgramData\Skype
2014-04-02 22:50 - 2013-04-01 22:04 - 00054108 _____ () C:\Windows\system32\Drivers\fvstore.dat
2014-04-02 22:32 - 2013-04-01 21:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-02 22:31 - 2013-04-01 21:05 - 00001838 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 21:22 - 2013-01-24 22:43 - 00453680 _____ (COMODO) C:\Windows\system32\guard64.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00363504 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00043216 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2014-03-25 21:22 - 2013-01-16 19:51 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2014-03-25 12:32 - 2014-03-25 12:30 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 14:19 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-03-23 00:42 - 2014-03-23 00:41 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy

Some content of TEMP:
====================
C:\Users\Tobselo\AppData\Local\Temp\npp.6.5.5.Installer.exe
C:\Users\Tobselo\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-04-19 17:51

==================== End Of Log ============================

Edited by Tobselo (19.04.2014 at 21:10)
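A small triage script for FRST logs like the one above. This is an added example, not part of the thread and not code from FRST or its author: it reads FRST-style lines and flags the entries a helper looks at first when the complaint is "pages get redirected". Those are the `<======= ATTENTION` marker, a Firefox `autoconfig_url` (a PAC file decides per URL which proxy the browser uses, so whoever controls the PAC can route chosen sites through a proxy that answers with something else), services or drivers with no listed publisher or a missing file (`[X]`), Group Policy artifacts in the created-files section, and any entry in the Bamital/volsnap check that is not reported as `MD5 is legit`. The sample lines are copied from the log above; the `Finding` type, the `triage` function and the category names are my own and are not FRST terminology. A flagged line is a review item, not a verdict: the PAC URL here, for example, may well be a proxy the user set up on purpose.

```python
import re
from dataclasses import dataclass

# Lines copied from the FRST log posted above (a subset, in log order).
SAMPLE_LOG = r"""
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""


# Finding and the category strings below are this example's own naming
# (hypothetical), not anything FRST emits.
@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


ATTENTION_MARK = "<======= ATTENTION"
PROXY_RE = re.compile(r'^FF NetworkProxy: "autoconfig_url", "([^"]+)"$')
# R2 name; path [size date] (publisher)   or   S3 name; path [X]
SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>\S+); (?P<path>.+?) \[(?P<info>[^\]]*)\](?: \((?P<pub>.*)\))?$"
)
# created - modified - size attrs (publisher) path
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{8} \S+ "
    r"\((?P<pub>[^)]*)\) (?P<path>.+)$"
)
POLICY_RE = re.compile(r"\\GroupPolicy$|\\ntuser\.pol$", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return review items for an FRST log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ATTENTION_MARK in line:
            findings.append(Finding("frst_attention", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            # Whoever controls the PAC file controls which proxy each URL
            # goes through, which is enough to redirect selected sites.
            findings.append(Finding("proxy_pac", m.group(1)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("info") == "X":
                findings.append(Finding("service_file_missing", m.group("name")))
            elif not m.group("pub"):
                findings.append(Finding("service_no_publisher", m.group("name")))
            continue
        m = FILE_RE.match(line)
        if m:
            if POLICY_RE.search(m.group("path")):
                findings.append(Finding("policy_artifact", m.group("path")))
            continue
        # Bamital/volsnap section: anything other than "MD5 is legit" is bad.
        if " => " in line and not line.endswith("MD5 is legit"):
            findings.append(Finding("hash_check_failed", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:22} {f.detail}")
```

Run it against a full FRST.txt by reading the file into `triage()`; the Group Policy hits line up with the `GroupPolicy: Group Policy on Chrome detected` warning in the log, since that warning is raised from the same `C:\Windows\system32\GroupPolicy` folder and `ntuser.pol` file that appear in the created-files section.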
20.04.2014, 18:08 | #12
/// the machine /// TB-Ausbilder | Redirect to fake java update
Quote:

regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!
20.04.2014, 20:14 | #13
| Redirect to fake java update
It's just a key generator for a program...
21.04.2014, 20:18 | #14
/// the machine /// TB-Ausbilder | Redirect to fake java update
Delete it. Everything cracked and pirated, software included, goes immediately as well, or there is no further support.
21.04.2014, 20:28 | #15
| Redirect to fake java update
OK, it's gone.