Log analysis and evaluation: Win 7: Spam sent to Thunderbird portable address book "Collected Addresses" (Windows 7)
18.07.2014, 23:59 | #1

Win 7: Spam sent to Thunderbird portable address book "Collected Addresses"

Good evening everyone, today someone sent spam mails from my e-mail address to my friends and acquaintances. My e-mail address (meinname@yahoo.de) was given as the sender. The reason I now suspect a trojan or something similar is the following: I run Thunderbird v24.6.0 in the PortableApps version on my PC, which I use to access my Yahoo account. But spam mails were only sent to contacts that were in my local address book "Collected Addresses" in Thunderbird. None of the contacts in my Yahoo address book received a spam mail. The header of the spam mails can be found further below. I have created the 3 logs (Addition, FRST and Gmer). I would be very grateful for help. Regards, beamling

Here is the header: Code:
Return-Path: meinname@yahoo.com
Received: from mail.downcode.co.uk ([212.48.65.124]) by mx-ha.web.de (mxweb106) with ESMTPS (Nemesis) id 0LuwJh-1WQE4k1xzt-0100Z3 for <EinerMeinerKontakte@web.de>; Fri, 18 Jul 2014 05:42:07 +0200
Received: from [195.88.214.118] (port=4431 helo=myhtc.biz) by mail.downcode.co.uk with esmtpa (Exim 4.82) (envelope-from <meinname@yahoo.com>) id 1X7z3X-0007zI-BG; Fri, 18 Jul 2014 04:42:00 +0100
Message-ID: <C9C18A70120AC3905BF74D022E7EFEA9@myhtc.biz>
From: "meinname" <meinname@yahoo.com>
To: "hier stehen meine Bekannten>
Subject: =?ISO-8859-1?Q?********_-_7=2F18=2F2014_4=3A41=3A53_?= =?ISO-8859-1?Q?AM?=
Date: Thu, 18 Jul 2014 04:41:53 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_A457_28FC9DF3.0778CE4D"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.downcode.co.uk
X-AntiAbuse: Original Domain - web.de
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - yahoo.com
X-Get-Message-Sender-Via: mail.downcode.co.uk: authenticated_id: admin@myhtc.biz
Envelope-To: <derBekannte@web.de>
X-UI-Filterresults: unknown:5;V01:K0:edKk+N3axgs=:INz9r12iP9oInCpH1eKbJ2kiWV

Addition, FRST and Gmer logs attached, they are probably too long.
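As an added example (not from the poster or the forum helper), a small Python script that walks the Received chain of the header quoted above and checks where the message actually entered the mail system: mail really sent from a provider account enters at that provider's servers, while a forged From: enters somewhere unrelated, which is the distinction between a compromised Yahoo account and a locally harvested address list with a spoofed sender. The header block is the one from the post with RFC 5322 folding restored; the To: line, which the post redacts, is filled with the envelope recipient from the Received line.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block from the forum post, folding restored so the standard
# library parser accepts it.  The redacted To: line is replaced by the
# envelope recipient that appears in the first Received line.
HEADER = (
    "Return-Path: meinname@yahoo.com\n"
    "Received: from mail.downcode.co.uk ([212.48.65.124])\n"
    "\tby mx-ha.web.de (mxweb106) with ESMTPS (Nemesis)\n"
    "\tid 0LuwJh-1WQE4k1xzt-0100Z3\n"
    "\tfor <EinerMeinerKontakte@web.de>; Fri, 18 Jul 2014 05:42:07 +0200\n"
    "Received: from [195.88.214.118] (port=4431 helo=myhtc.biz)\n"
    "\tby mail.downcode.co.uk with esmtpa (Exim 4.82)\n"
    "\t(envelope-from <meinname@yahoo.com>)\n"
    "\tid 1X7z3X-0007zI-BG; Fri, 18 Jul 2014 04:42:00 +0100\n"
    "Message-ID: <C9C18A70120AC3905BF74D022E7EFEA9@myhtc.biz>\n"
    'From: "meinname" <meinname@yahoo.com>\n'
    "To: <EinerMeinerKontakte@web.de>\n"
    "X-Mailer: Microsoft Windows Live Mail 16.4.3522.110\n"
    "X-Get-Message-Sender-Via: mail.downcode.co.uk: authenticated_id: admin@myhtc.biz\n"
    "\n"
)

# "from <host> (<comment>) by <host>" as written by Exim, Postfix and most MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)
# Exim appends an "a" to the protocol (esmtpa, esmtpsa) when SMTP AUTH was used
AUTH_RE = re.compile(r"\bwith\s+e?smtps?a\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def received_hops(raw_header):
    """Return the Received chain oldest-first.  Each hop records which host
    handed the message to which MTA and whether that MTA saw SMTP AUTH."""
    msg = message_from_string(raw_header)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # undo header folding
        m = HOP_RE.search(text)
        if not m:
            continue  # non-standard Received line, skip rather than guess
        ip = IPV4_RE.search(m.group(1) + " " + (m.group(2) or ""))
        hops.append({
            "from": m.group(1).strip("[]"),
            "from_ip": ip.group(0) if ip else None,
            "by": m.group(3).lower(),
            "authenticated": bool(AUTH_RE.search(text)),
        })
    hops.reverse()  # MTAs prepend Received lines, so the last one is the origin
    return hops


def assess(raw_header):
    """Compare the claimed From: domain with the MTA that first accepted the
    message and report who authenticated there, if anyone."""
    msg = message_from_string(raw_header)
    hops = received_hops(raw_header)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    origin = hops[0] if hops else {"by": "", "from_ip": None, "authenticated": False}
    injecting_mta = origin["by"]
    via = msg.get("X-Get-Message-Sender-Via", "")
    m = re.search(r"authenticated_id:\s*(\S+)", via)
    auth_id = m.group(1) if m else None
    # Genuine provider mail enters at a host of the From: domain (e.g. *.yahoo.com).
    sent_via_from_domain = (injecting_mta == from_domain
                            or injecting_mta.endswith("." + from_domain))
    if sent_via_from_domain:
        verdict = "submitted through the From: provider; the account itself needs checking"
    elif origin["authenticated"]:
        verdict = "From: forged; submitted via third-party account %s at %s" % (
            auth_id, injecting_mta)
    else:
        verdict = "From: forged; relayed by unrelated host %s" % injecting_mta
    return {
        "from_domain": from_domain,
        "origin_ip": origin["from_ip"],
        "injecting_mta": injecting_mta,
        "sent_via_from_domain": sent_via_from_domain,
        "authenticated_as": auth_id,
        "mailer": msg.get("X-Mailer"),  # compare with the client the user really runs
        "verdict": verdict,
    }


if __name__ == "__main__":
    for hop in received_hops(HEADER):
        print("%s (%s) -> %s  auth=%s" % (hop["from"], hop["from_ip"],
                                          hop["by"], hop["authenticated"]))
    for key, value in assess(HEADER).items():
        print("%-22s %s" % (key, value))
```

For this header the origin hop is a client at 195.88.214.118 authenticating as admin@myhtc.biz to mail.downcode.co.uk, not a Yahoo server, and the X-Mailer claims Windows Live Mail rather than Thunderbird; both point to a forged sender with harvested addresses rather than to the Yahoo account being used.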
19.07.2014, 05:36 | #2

/// the machine /// TB-Ausbilder

Hi,

please always post logs in the thread. If necessary, split them up and use several posts. I can't open attachments at work, thanks. This is how it works: Posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
19.07.2014, 09:05 | #3

Oh, sorry. Here are the logs:

Addition: FRST Additions Logfile: Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-07-2014 01 Ran by Standardbenutzer at 2014-07-19 00:18:10 Running from C:\Users\Standardbenutzer\Desktop Boot Mode: Normal ========================================================== ==================== Security Center ======================== AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B} AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736} ==================== Installed Programs ====================== Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated) Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated) Adobe Photoshop Lightroom 4.4 64-bit (HKLM\...\{63E66D61-AE73-4C3A-AF04-36236F7A6581}) (Version: 4.4.2 - Adobe) AMD APP SDK Runtime (Version: 10.0.1016.4 - Advanced Micro Devices Inc.) Hidden AMD Catalyst Install Manager (HKLM\...\{E85D1C80-28C4-76B8-5A5A-2C8D8B38D5D9}) (Version: 8.0.891.0 - Advanced Micro Devices, Inc.) AMD Drag and Drop Transcoding (Version: 2.00.0000 - Advanced Micro Devices, Inc.) Hidden AMD Fuel (Version: 2012.1116.1515.27190 - Ihr Firmenname) Hidden AMD Media Foundation Decoders (Version: 1.0.71116.1554 - Advanced Micro Devices, Inc.) Hidden AMD VISION Engine Control Center (x32 Version: 2012.1116.1515.27190 - Ihr Firmenname) Hidden AquaSoft DiaShow 8 Ultimate (HKLM-x32\...\AquaSoft DiaShow 8 Ultimate) (Version: 8.5.07 - AquaSoft) AquaSoft DiaShow 8 Ultimate (x32 Version: 8.5.07 - AquaSoft) Hidden avast! Free Antivirus (HKLM-x32\...\avast) (Version: 9.0.2021 - AVAST Software) AviSynth 2.6 (HKLM-x32\...\AviSynth) (Version: 2.6.0.2 - GPL Public release.) Catalyst Control Center - Branding (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) 
Hidden Catalyst Control Center Graphics Previews Common (x32 Version: 2012.1116.1515.27190 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center InstallProxy (x32 Version: 2012.0928.1532.26058 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center Localization All (x32 Version: 2012.1116.1515.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Chinese Standard (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Chinese Traditional (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Czech (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Danish (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Dutch (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help English (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Finnish (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help French (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help German (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Greek (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Hungarian (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Italian (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Japanese (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Korean (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Norwegian (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Polish (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Portuguese (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) 
Hidden CCC Help Russian (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Spanish (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Swedish (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Thai (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden CCC Help Turkish (x32 Version: 2012.1116.1514.27190 - Advanced Micro Devices, Inc.) Hidden ccc-utility64 (Version: 2012.1116.1515.27190 - Advanced Micro Devices, Inc.) Hidden Corel Paint Shop Pro X (HKLM-x32\...\{1A15507A-8551-4626-915D-3D5FA095CC1B}) (Version: 10.01 - Corel Inc) CorsixTH 0.30 (HKLM-x32\...\CorsixTH) (Version: 0.30 - CorsixTH Team) D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - ) Fences (HKLM-x32\...\Fences) (Version: - Stardock Corporation) Fences (Version: 1.0 - Stardock Corporation) Hidden ffdshow v1.1.3892 [2011-06-20] (HKLM-x32\...\ffdshow_is1) (Version: 1.1.3892.0 - ) Fotogalerie (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Full Tilt Poker (HKCU\...\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}) (Version: 4.55.4.WIN.FullTilt.COM - ) Full Tilt Poker.Eu (HKCU\...\{127BEFB3-24B2-4B44-8E99-AD22C2A5A8ED}) (Version: 4.55.4.WIN.FullTilt.EU - ) Haali Media Splitter (HKLM-x32\...\HaaliMkx) (Version: - ) Helix YUV Codecs (remove only) (HKLM-x32\...\HelixYUVCodecs) (Version: - ) JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH) K-Lite Codec Pack 9.1.0 (64-bit) (HKLM\...\KLiteCodecPack64_is1) (Version: 9.1.0 - ) LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - ) Malwarebytes Anti-Malware Version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation) Microsoft .NET Framework 4.5.1 (DEU) (Version: 4.5.50938 - Microsoft Corporation) Hidden Microsoft .NET Framework 4.5.1 (Deutsch) 
(HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden Microsoft Image Composite Editor (HKLM\...\{B821CDAA-34DE-46FD-87C9-E6EE7158DB5D}) (Version: 1.4.4 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation) Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) 
Hidden Mozilla Firefox 30.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 30.0 (x86 de)) (Version: 30.0 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla) MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden MSVCRT110 (x32 Version: 16.4.1108.0727 - Microsoft) Hidden MSVCRT110_amd64 (Version: 16.4.1109.0912 - Microsoft) Hidden MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) Mystique TV Player (HKLM-x32\...\Mystique TV Player_is1) (Version: - CM&V) Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41418}) (Version: 3.61.0 - dotPDN LLC) PDF24 Creator 6.0.1 (HKLM-x32\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org) PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.6.1 - pdfforge) Photo Gallery (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Project64 1.6 (HKLM-x32\...\{9559F7CA-5E34-4237-A2D9-D856464AD727}) (Version: 1.6 - Project64) Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0008 - Realtek) Realtek HDMI Audio Driver for ATI (HKLM-x32\...\{5449FB4F-1802-4D5B-A6D8-087DB1142147}) (Version: 6.0.1.5897 - Realtek Semiconductor Corp.) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7083 - Realtek Semiconductor Corp.) ROCCAT Kone Mouse Driver (HKLM-x32\...\{9733747E-E53D-4C17-977E-3A872AFB93E1}) (Version: 1.0 - ROCCAT) Secure Eraser (HKLM-x32\...\Secure Eraser_is1) (Version: 4.2.0.1 - ASCOMP Software GmbH) SES Driver (HKLM\...\{D8CC254C-C671-4664-9A38-FA368D1E2C97}) (Version: 1.0.0 - Western Digital) Skype™ 6.16 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.16.105 - Skype Technologies S.A.) 
TeamSpeak 3 Client (HKCU\...\TeamSpeak 3 Client) (Version: 3.0.15 - TeamSpeak Systems GmbH) TrueCrypt (HKLM-x32\...\TrueCrypt) (Version: 7.1a - TrueCrypt Foundation) w3arena.net Launcher 1.8.7 (HKLM-x32\...\{56AF84FB-F466-4DF1-8CC3-19F4CFCDF8C8}) (Version: 1.8.7 - w3arena) Warcraft III (HKLM-x32\...\Warcraft III) (Version: - ) Warcraft III: All Products (HKCU\...\Warcraft III) (Version: - ) Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (01/19/2011 1.0.0009.0) (HKLM\...\4CA7CFBB29889F25ACB3DF6E3A42BAE29EB43B20) (Version: 01/19/2011 1.0.0009.0 - Western Digital Technologies) Windows Live Communications Platform (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation) Windows Live Essentials (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live ID Sign-in Assistant (Version: 7.250.4311.0 - Microsoft Corporation) Hidden Windows Live Installer (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live Photo Common (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live PIMT Platform (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live SOXE (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live SOXE Definitions (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live UX Platform (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden Windows Live UX Platform Language Pack (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden WinRAR 4.20 (32-Bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH) Xvid Video Codec (HKLM-x32\...\Xvid Video Codec 1.3.2) (Version: 1.3.2 - Xvid Team) ==================== Restore Points ========================= Could not list Restore Points. Check "winmgmt" service or repair WMI. 
==================== Hosts content: ========================== 2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ? ==================== Loaded Modules (whitelisted) ============= 2014-02-14 23:53 - 2012-09-07 17:57 - 00559424 _____ () C:\Program Files (x86)\Secure Eraser\SecEraser64.dll 2012-11-16 16:27 - 2012-11-16 16:27 - 00103424 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll 2013-06-18 15:49 - 2013-06-18 15:49 - 00016384 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll 2012-11-16 16:09 - 2012-11-16 16:09 - 00369152 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ==================== Alternate Data Streams (whitelisted) ========= ==================== Safe Mode (whitelisted) =================== ==================== EXE Association (whitelisted) ============= ==================== MSCONFIG/TASK MANAGER disabled items ========= MSCONFIG\Services: OpenVPNService => 3 MSCONFIG\Services: PDF Architect Helper Service => 2 MSCONFIG\Services: PDF Architect Service => 2 MSCONFIG\Services: SkypeUpdate => 2 MSCONFIG\Services: Steam Client Service => 3 MSCONFIG\startupreg: PDFPrint => C:\Program Files (x86)\PDF24\pdf24.exe MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" ==================== Faulty Device Manager Devices ============= Name: Teredo Tunneling Pseudo-Interface Description: Microsoft-Teredo-Tunneling-Adapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: tunnel Problem: : This device cannot start. (Code10) Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. 
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. ==================== Event log errors: ========================= Application errors: ================== Error: (07/19/2014 00:12:10 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: Fuel.Service.exe, Version: 1.0.0.0, Zeitstempel: 0x50a6a1b0 Name des fehlerhaften Moduls: Device.dll, Version: 4.1.0.0, Zeitstempel: 0x4f55e10b Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000000000033c1 ID des fehlerhaften Prozesses: 0x668 Startzeit der fehlerhaften Anwendung: 0xFuel.Service.exe0 Pfad der fehlerhaften Anwendung: Fuel.Service.exe1 Pfad des fehlerhaften Moduls: Fuel.Service.exe2 Berichtskennung: Fuel.Service.exe3 Error: (07/18/2014 08:21:25 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: Fuel.Service.exe, Version: 1.0.0.0, Zeitstempel: 0x50a6a1b0 Name des fehlerhaften Moduls: Device.dll, Version: 4.1.0.0, Zeitstempel: 0x4f55e10b Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000000000033c1 ID des fehlerhaften Prozesses: 0x654 Startzeit der fehlerhaften Anwendung: 0xFuel.Service.exe0 Pfad der fehlerhaften Anwendung: Fuel.Service.exe1 Pfad des fehlerhaften Moduls: Fuel.Service.exe2 Berichtskennung: Fuel.Service.exe3 Error: (07/18/2014 08:07:19 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. 
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (07/18/2014 05:32:15 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (07/18/2014 05:32:12 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". 
Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. Error: (07/18/2014 05:32:12 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. 
Error: (07/18/2014 05:16:17 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT-AUTORITÄT) Description: Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren für Dienst "WmiApRpl" (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich. Error: (07/18/2014 05:16:17 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT-AUTORITÄT) Description: Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich und der Werte "LastHelp" ist das dritte DWORD im Datenbereich. Error: (07/18/2014 05:16:17 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT-AUTORITÄT) Description: Die Zeichenfolgen der Leistungsindikatoren in der Leistungsindikatorenregistrierung werden beschädigt wenn der Prozess "Performance" auf dem Erweiterungsleistungsindikator-Anbieter ausgeführt wird. Der Wert "BaseIndex" aus der Leistungsregistrierung ist das erste DWORD im Datenbereich, der Wert "LastCounter" ist das zweite DWORD im Datenbereich und der Werte "LastHelp" ist das dritte DWORD im Datenbereich. Error: (07/18/2014 05:08:53 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: Fehler beim Generieren des Aktivierungskontexts für "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Fehler in Manifest- oder Richtliniendatei "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" in Zeile C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3. 
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit einer anderen, bereits aktiven Komponentenversion. In Konflikt stehende Komponenten:. Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest. System errors: ============= Error: (07/19/2014 00:12:10 AM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (07/19/2014 00:11:58 AM) (Source: DCOM) (EventID: 10010) (User: ) Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} Error: (07/18/2014 09:52:10 PM) (Source: volsnap) (EventID: 36) (User: ) Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte. Error: (07/18/2014 08:21:25 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (07/18/2014 05:04:30 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (07/18/2014 03:07:20 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (07/17/2014 11:14:53 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. 
Error: (07/17/2014 09:33:44 PM) (Source: volsnap) (EventID: 36) (User: ) Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte. Error: (07/17/2014 07:13:44 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error: (07/17/2014 04:37:12 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Microsoft Office Sessions: ========================= Error: (07/19/2014 00:12:10 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Fuel.Service.exe1.0.0.050a6a1b0Device.dll4.1.0.04f55e10bc000000500000000000033c166801cfa2b53d6a4392C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll8fda9331-0ec8-11e4-8691-00241ddf508f Error: (07/18/2014 08:21:25 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Fuel.Service.exe1.0.0.050a6a1b0Device.dll4.1.0.04f55e10bc000000500000000000033c165401cfa299b08975b6C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll537a2817-0ea8-11e4-8725-00241ddf508f Error: (07/18/2014 08:07:19 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe Error: (07/18/2014 05:32:15 PM) (Source: SideBySide) (EventID: 80) (User: ) Description: 
C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest
C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest
C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe

Error: (07/18/2014 05:32:12 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest
C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest
C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe

Error: (07/18/2014 05:32:12 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest
C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest
C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe

Error: (07/18/2014 05:16:17 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT-AUTORITÄT)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (07/18/2014 05:16:17 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT-AUTORITÄT)
Description: Performance1637070000000000000000000009030000

Error: (07/18/2014 05:16:17 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT-AUTORITÄT)
Description: Performance1637070000000000000000000009030000

Error: (07/18/2014 05:08:53 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest
C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest
C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe


CodeIntegrity Errors:
===================================
  Date: 2012-07-01 17:57:31.300
  Description: Windows konnte die Abbildintegrität der Datei "\Device\CdRom0\Drivers\USB20\sisport.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.

  Date: 2012-07-01 17:57:29.210
  Description: Windows konnte die Abbildintegrität der Datei "\Device\CdRom0\Drivers\USB20\sisport.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.


==================== Memory info ===========================

Percentage of memory in use: 40%
Total physical RAM: 4094.49 MB
Available physical RAM: 2426.64 MB
Total Pagefile: 8187.16 MB
Available Pagefile: 6311.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:53.71 GB) (Free:14.7 GB) NTFS
Drive d: (WIN XP) (Fixed) (Total:48.83 GB) (Free:23.82 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (Daten) (Fixed) (Total:363.22 GB) (Free:169.51 GB) NTFS

==================== MBR & Partition Table ==================

==================== End Of Log ============================

FRST Logfile:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-07-2014 01
Ran by Standardbenutzer (ATTENTION: The logged in user is not administrator) on *****-PC on 19-07-2014 00:17:48
Running from C:\Users\Standardbenutzer\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ROCCAT) C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE
(AVAST Software) C:\Program Files\AVAST\AvastUI.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(ROCCAT) C:\Program Files (x86)\ROCCAT\Kone Mouse\OSD.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [Kone] => C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE [1666560 2011-02-18] (ROCCAT)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-11-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST\AvastUI.exe [4086432 2014-07-06] (AVAST Software)
HKLM\...\Runonce: [MSPCLOCK] - rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
HKLM\...\Runonce: [MSPQM] - rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
HKLM\...\Runonce: [MSKSSRV] - rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
HKLM\...\Runonce: [MSTEE.CxTransform] - rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
HKLM\...\Runonce: [MSTEE.Splitter] - rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install
HKLM\...\Runonce: [WDM_DRMKAUD] - rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\Windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install
HKLM-x32\...\Runonce: [aswAhAScr.dll] - "C:\Program Files\AVAST\aswRegSvr.exe" "C:\Program Files\AVAST\AhAScr.dll" [X]
HKLM-x32\...\Runonce: [aswasOutExt.dll] - "C:\Program Files\AVAST\aswRegSvr.exe" "C:\Program Files\AVAST\asOutExt.dll" [X]
HKLM-x32\...\Runonce: [aswasOutExt64.dll] - "C:\Program Files\AVAST\aswRegSvr64.exe" "C:\Program Files\AVAST\asOutExt64.dll" [X]
HKLM-x32\...\RunOnce: [20130912] - C:\Program Files\AVAST\setup\emupdate\8d82f117-e080-45ee-9fc2-382e142b1119.exe /check [74088 2013-09-20] (AVAST Software)
HKLM-x32\...\RunOnce: [20131224] - C:\Program Files\AVAST\setup\emupdate\19320634-36df-44dd-a42b-feebf7e1a453.exe /check [181136 2014-04-29] (AVAST Software)
HKLM-x32\...\Runonce: [freem4atomp3converteropab] - [X]
HKLM-x32\...\Runonce: [SpUninstallCleanUp] - REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect /f [X]
HKLM-x32\...\RunOnce: [20140526] - C:\Program Files\AVAST\setup\emupdate\e92b0ee4-0af7-4a72-8787-242a94894a92.exe /check [182720 2014-05-27] (AVAST Software)
HKLM-x32\...\RunOnce: [20140529] - C:\Program Files\AVAST\setup\emupdate\822dd55d-ad6c-4a40-a6d9-c822b6268856.exe /check [183208 2014-05-30] (AVAST Software)
HKLM-x32\...\RunOnce: [ Malwarebytes Anti-Malware (cleanup)] - "C:\ProgramData\Malwarebytes\ Malwarebytes Anti-Malware \mbamdor.exe" "C:\ProgramData\Malwarebytes\ Malwarebytes Anti-Malware " [54072 2014-05-12] (Malwarebytes Corporation)
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\Windows\System32\SPReview\SPReview.exe [301568 2012-12-21] (Microsoft Corporation)
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Standardbenutzer\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\MountPoints2: {0972c94d-c786-11e1-8265-00241ddf508f} - J:\unlock.exe autoplay=true
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\MountPoints2: {11fe8b0a-099a-11e2-b644-00241ddf508f} - G:\Autorun.exe
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST\ashShA64.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xFA19FFF41745CE01
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
SearchScopes: HKCU - {BF3DE226-70BD-4BE9-BC47-D3612B7920ED} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=NDV&o=15765&src=kw&q={searchTerms}&locale=&apn_ptnrs=NY&apn_dtid=YYYYYYYYDE&apn_uid=F65F8253-4059-4066-B74C-50FAC716EF22&apn_sauid=B7E7D51B-4BC9-40D9-8A38-9D18BF2A5BEA
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST\aswWebRepIE.dll (AVAST Software)
BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3AE06AF8-C412-41B8-A0A4-481AA6EFCF70}: [NameServer]73.42.43.62,82.212.62.62

FireFox:
========
FF ProfilePath: C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302
FF Homepage: https://www.startpage.com/
FF NetworkProxy: "backup.ftp", "190.0.17.202"
FF NetworkProxy: "backup.ftp_port", 8080
FF NetworkProxy: "backup.socks", "190.0.17.202"
FF NetworkProxy: "backup.socks_port", 8080
FF NetworkProxy: "backup.ssl", "190.0.17.202"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "ftp", "190.0.17.202"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "http", "190.0.17.202"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "190.0.17.202"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "190.0.17.202"
FF NetworkProxy: "ssl_port", 8080
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk - C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: DownloadHelper - C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-03-25]
FF Extension: Adblock Plus - C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-08-03]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST\WebRep\FF [2012-09-22]

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-11-16] (Advanced Micro Devices, Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST\AvastSvc.exe [50344 2014-07-06] (AVAST Software)
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S3 Apowersoft_AudioDevice; C:\Windows\System32\drivers\Apowersoft_AudioDevice.sys [31920 2013-06-02] (Wondershare)
S3 Asushwio; C:\Windows\SysWOW64\drivers\Asushwio.sys [5824 2000-03-29] () [File not signed]
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-06] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-06] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-06] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-06] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-06] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-06] ()
R3 kncbda; C:\Windows\System32\DRIVERS\kncbda64.sys [180736 2008-08-13] (ODSoft multimedia)
R3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [15488 2008-12-11] (ROCCAT Ltd)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [122584 2014-07-18] (Malwarebytes Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-07-13] (Duplex Secure Ltd.)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-07-19 00:16 - 2014-07-19 00:17 - 00012195 _____ () C:\Users\Standardbenutzer\Desktop\FRST.txt
2014-07-19 00:15 - 2014-07-19 00:15 - 02086912 _____ (Farbar) C:\Users\Standardbenutzer\Desktop\FRST64.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00050477 _____ () C:\Users\Standardbenutzer\Desktop\Defogger.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00000586 _____ () C:\Users\Standardbenutzer\Desktop\defogger_disable.log
2014-07-19 00:11 - 2014-07-19 00:11 - 00000020 _____ () C:\Users\*****\defogger_reenable
2014-07-19 00:06 - 2014-07-19 00:06 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Thunderbird
2014-07-18 23:43 - 2014-07-18 23:43 - 00004362 _____ () C:\Users\Standardbenutzer\Desktop\emails.txt
2014-07-18 17:09 - 2014-07-18 17:09 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-18 17:08 - 2014-07-18 17:08 - 02347384 _____ (ESET) C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe
2014-07-18 16:52 - 2014-07-18 17:04 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:53 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-18 16:52 - 2014-07-18 16:52 - 00001102 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-18 16:52 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-07-18 16:52 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-07-18 16:52 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-07-18 16:51 - 2014-07-18 23:59 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Standardbenutzer\Desktop\mbam-setup-2.0.2.1012.exe
2014-07-18 16:43 - 2014-07-19 00:17 - 00000000 ____D () C:\FRST
2014-07-18 16:20 - 2014-07-19 00:11 - 00000502 _____ () C:\Users\Standardbenutzer\Desktop\Neues Textdokument.txt
2014-07-17 18:02 - 2014-07-17 18:02 - 00001679 _____ () C:\Users\Standardbenutzer\Desktop\Player.exe - Verknüpfung.lnk
2014-07-17 17:53 - 2014-07-17 17:53 - 00001493 _____ () C:\Users\Standardbenutzer\Desktop\ts3client_win64.exe - Verknüpfung.lnk
2014-07-17 17:36 - 2014-07-17 17:36 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
2014-07-16 20:29 - 2014-07-16 20:29 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2014-07-16 20:29 - 2014-07-16 20:29 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2014-07-16 20:29 - 2014-07-16 20:29 - 00000000 ____D () C:\Windows\de
2014-07-15 20:14 - 2014-07-16 20:23 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\Windows Live
2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\DVDVideoSoft
2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\DVDVideoSoft
2014-07-15 19:40 - 2014-07-15 20:05 - 00000000 ____D () C:\Users\*****\AppData\Roaming\DVDVideoSoft
2014-07-13 18:11 - 2014-07-13 18:11 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Neuer Ordner
2014-07-13 13:01 - 2014-07-13 13:12 - 00000000 ____D () C:\Users\Standardbenutzer\.DVDslideshowGUI
2014-07-13 13:01 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\ImgBurn
2014-07-13 12:54 - 2014-07-13 13:00 - 00000000 ____D () C:\Users\*****\.DVDslideshowGUI
2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali
2014-07-13 12:53 - 2014-07-13 12:53 - 07760687 _____ () C:\Users\*****\AppData\Roaming\SetupGFD.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05514668 _____ () C:\Users\*****\AppData\Roaming\Imgburn.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05243208 _____ () C:\Users\*****\AppData\Roaming\AvsP.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05082084 _____ () C:\Users\*****\AppData\Roaming\Avisynth.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 01357348 _____ () C:\Users\*****\AppData\Roaming\MatroskaSplitter.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 00117723 _____ () C:\Users\*****\AppData\Roaming\yuvcodecs-1.3.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AviSynth 2.5
2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\Program Files (x86)\AviSynth 2.5
2014-07-09 20:01 - 2014-06-30 04:09 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-07-09 20:01 - 2014-06-30 04:04 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-07-09 20:01 - 2014-06-18 04:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-07-09 20:01 - 2014-06-18 03:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2014-07-09 20:01 - 2014-06-18 03:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-07-09 20:01 - 2014-06-06 12:10 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-07-09 20:01 - 2014-06-06 11:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-07-09 20:01 - 2014-05-30 08:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-07-09 20:00 - 2014-06-20 22:14 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-07-09 20:00 - 2014-06-20 21:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-07-09 20:00 - 2014-06-19 03:39 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-07-09 20:00 - 2014-06-19 03:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-07-09 20:00 - 2014-06-19 03:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-07-09 20:00 - 2014-06-19 02:48 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-07-09 20:00 - 2014-06-19 02:42 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-07-09 20:00 - 2014-06-19 02:42 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-07-09 20:00 - 2014-06-19 02:41 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-07-09 20:00 - 2014-06-19 02:41 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-07-09 20:00 - 2014-06-19 02:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-07-09 20:00 - 2014-06-19 02:31 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-07-09 20:00 - 2014-06-19 02:26 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-07-09 20:00 - 2014-06-19 02:24 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-07-09 20:00 - 2014-06-19 02:24 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-07-09 20:00 - 2014-06-19 02:23 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-07-09 20:00 - 2014-06-19 02:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-07-09 20:00 - 2014-06-19 02:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-07-09 20:00 - 2014-06-19 02:09 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-07-09 20:00 - 2014-06-19 01:59 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-07-09 20:00 - 2014-06-19 01:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-07-09 20:00 - 2014-06-19 01:53 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-07-09 20:00 - 2014-06-19 01:51 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-07-09 20:00 - 2014-06-19 01:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-07-09 20:00 - 2014-06-19 01:48 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-07-09 20:00 - 2014-06-19 01:39 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-07-09 20:00 - 2014-06-19 01:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-07-09 20:00 - 2014-06-19 01:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-07-09 20:00 - 2014-06-19 01:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-07-09 20:00 - 2014-06-19 01:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-07-09 20:00 - 2014-06-19 01:33 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-07-09 20:00 - 2014-06-19 01:32 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-07-09 20:00 - 2014-06-19 01:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-07-09 20:00 - 2014-06-19 01:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-07-09 20:00 - 2014-06-19 01:27 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-07-09 20:00 - 2014-06-19 01:27 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-07-09 20:00 - 2014-06-19 01:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-07-09 20:00 - 2014-06-19 01:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-07-09 20:00 - 2014-06-19 01:22 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-07-09 20:00 - 2014-06-19 01:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-07-09 20:00 - 2014-06-19 01:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-07-09 20:00 - 2014-06-19 01:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-07-09 20:00 - 2014-06-19 00:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-07-09 20:00 - 2014-06-19 00:58 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-07-09 20:00 - 2014-06-19 00:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-07-09 20:00 - 2014-06-19 00:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-07-09 20:00 - 2014-06-19 00:51 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-07-09 20:00 - 2014-06-19 00:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-07-09 20:00 - 2014-06-19 00:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-07-09 20:00 - 2014-06-19 00:45 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-07-09 20:00 - 2014-06-19 00:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-07-09 20:00 - 2014-06-19 00:34 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-07-09 20:00 - 2014-06-19 00:15 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-07-09 20:00 - 2014-06-19 00:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-07-09 20:00 - 2014-06-19 00:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-07-09 20:00 - 2014-06-19 00:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-07-09 20:00 - 2014-06-05 16:45 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-07-09 20:00 - 2014-06-05 16:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-07-09 20:00 - 2014-06-05 16:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-07-05 22:39 - 2014-07-05 22:39 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\LibreOffice
2014-07-05 15:56 - 2014-07-05 15:56 - 00000719 _____ () C:\Users\Standardbenutzer\Desktop\USA Praesentation - Verknüpfung.lnk
2014-07-05 14:19 - 2014-07-05 14:20 - 00000000 ____D () C:\Program Files (x86)\w3arena
2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk
2014-07-05 14:19 - 2014-07-05 14:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\w3arena.net Launcher 1.8.7
2014-06-22 18:23 - 2014-06-22 18:35 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\bilderrahmen
2014-06-19 09:15 - 2014-06-19 09:15 - 00000631 _____ () C:\Users\Standardbenutzer\Desktop\Fotos.lnk

==================== One Month Modified Files and Folders =======

2014-07-19 00:17 - 2014-07-19 00:16 - 00012195 _____ () C:\Users\Standardbenutzer\Desktop\FRST.txt
2014-07-19 00:17 - 2014-07-18 16:43 - 00000000 ____D () C:\FRST
2014-07-19 00:16 - 2012-07-01 12:21 - 01091419 _____ () C:\Windows\WindowsUpdate.log
2014-07-19 00:15 - 2014-07-19 00:15 - 02086912 _____ (Farbar) C:\Users\Standardbenutzer\Desktop\FRST64.exe
2014-07-19 00:13 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-07-19 00:13 - 2009-07-14 06:51 - 00179134 _____ () C:\Windows\setupact.log
2014-07-19 00:11 - 2014-07-19 00:11 - 00050477 _____ () C:\Users\Standardbenutzer\Desktop\Defogger.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00000586 _____ () C:\Users\Standardbenutzer\Desktop\defogger_disable.log
2014-07-19 00:11 - 2014-07-19 00:11 - 00000020 _____ () C:\Users\*****\defogger_reenable
2014-07-19 00:11 - 2014-07-18 16:20 - 00000502 _____ () C:\Users\Standardbenutzer\Desktop\Neues Textdokument.txt
2014-07-19 00:11 - 2012-07-01 12:21 - 00000000 ____D () C:\Users\*****
2014-07-19 00:06 - 2014-07-19 00:06 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Thunderbird
2014-07-18 23:59 - 2014-07-18 16:51 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Standardbenutzer\Desktop\mbam-setup-2.0.2.1012.exe
2014-07-18 23:43 - 2014-07-18 23:43 - 00004362 _____ () C:\Users\Standardbenutzer\Desktop\emails.txt
2014-07-18 23:39 - 2013-07-04 20:49 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-07-18 20:29 - 2009-07-14 06:45 - 00014752 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-18 20:29 - 2009-07-14 06:45 - 00014752 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-18 17:16 - 2009-07-14 19:58 - 01702830 _____ () C:\Windows\system32\perfh007.dat
2014-07-18 17:16 - 2009-07-14 19:58 - 00461314 _____ () C:\Windows\system32\perfc007.dat
2014-07-18 17:16 - 2009-07-14 07:13 - 00006264 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-07-18 17:09 - 2014-07-18 17:09 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-18 17:08 - 2014-07-18 17:08 - 02347384 _____ (ESET) C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe
2014-07-18 17:05 - 2012-07-01 18:14 - 00321324 _____ () C:\Windows\PFRO.log
2014-07-18 17:04 - 2014-07-18 16:52 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-07-18 17:03 - 2014-04-07 22:03 - 00000000 ____D () C:\Users\*****\AppData\Local\DM
2014-07-18 17:03 - 2014-03-09 15:06 - 00000000 ____D () C:\Users\*****\AppData\Roaming\SupTab
2014-07-18 16:53 - 2014-07-18 16:52 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-18 16:52 - 2014-07-18 16:52 - 00001102 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-18 16:43 - 2012-11-10 10:37 - 00000000 ____D () C:\Program Files (x86)\Java
2014-07-17 21:46 - 2012-07-01 19:03 - 00000000 ____D () C:\ProgramData\boost_interprocess
2014-07-17 17:53 - 2014-07-17 17:53 - 00001493 _____ () C:\Users\Standardbenutzer\Desktop\ts3client_win64.exe - Verknüpfung.lnk
2014-07-17 17:36 - 2014-07-17 17:36 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
2014-07-17 17:36 - 2012-07-01 19:05 - 00000000 ____D () C:\Program Files\TeamSpeak 3 Client
2014-07-17 17:30 - 2012-07-01 20:08 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\TS3Client
2014-07-17 17:30 - 2012-07-01 19:06 - 00000000 ____D () C:\Users\*****\AppData\Roaming\TS3Client
2014-07-16 20:29 - 2014-07-16 20:29 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2014-07-16 20:29 - 2014-07-16 20:29 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2014-07-16 20:29 - 2014-07-16 20:29 - 00000000 ____D () C:\Windows\de
2014-07-16 20:28 - 2013-06-23 14:46 - 00000000 ____D () C:\Program Files (x86)\Windows Live
2014-07-16 20:27 - 2012-07-28 20:12 - 00064120 _____ () C:\Windows\DirectX.log
2014-07-16 20:23 - 2014-07-15 20:14 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\Windows Live
2014-07-15 20:05 - 2014-07-15 19:40 - 00000000 ____D () C:\Users\*****\AppData\Roaming\DVDVideoSoft
2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\DVDVideoSoft
2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\DVDVideoSoft
2014-07-13 18:11 - 2014-07-13 18:11 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Neuer Ordner
2014-07-13 13:47 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\AquaSoft
2014-07-13 13:40 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\AquaSoft
2014-07-13 13:32 - 2012-07-01 20:01 - 00076712 _____ () C:\Users\Standardbenutzer\AppData\Local\GDIPFONTCACHEV1.DAT
2014-07-13 13:31 - 2009-07-14 06:45 - 00321040 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-07-13 13:23 - 2012-07-01 17:48 - 00076712 _____ () C:\Users\*****\AppData\Local\GDIPFONTCACHEV1.DAT
2014-07-13 13:12 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\.DVDslideshowGUI
2014-07-13 13:01 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\ImgBurn
2014-07-13 13:01 - 2012-07-01 20:01 - 00000000 ____D () C:\Users\Standardbenutzer
2014-07-13 13:00 - 2014-07-13 12:54 - 00000000 ____D () C:\Users\*****\.DVDslideshowGUI
2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali
2014-07-13 12:53 - 2014-07-13 12:53 - 07760687 _____ () C:\Users\*****\AppData\Roaming\SetupGFD.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05514668 _____ () C:\Users\*****\AppData\Roaming\Imgburn.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05243208 _____ () C:\Users\*****\AppData\Roaming\AvsP.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05082084 _____ () C:\Users\*****\AppData\Roaming\Avisynth.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 01357348 _____ () C:\Users\*****\AppData\Roaming\MatroskaSplitter.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 00117723 _____ () C:\Users\*****\AppData\Roaming\yuvcodecs-1.3.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AviSynth 2.5
2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\Program Files (x86)\AviSynth 2.5
2014-07-12 16:26 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-07-12 09:29 - 2012-08-05 16:44 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\Meine PSP-Dateien
2014-07-12 09:11 - 2014-03-21 20:01 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\Adobe
2014-07-12 09:11 - 2012-07-01 20:12 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Adobe
2014-07-10 19:16 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-07-10 18:41 - 2014-05-06 10:19 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-07-10 18:41 - 2009-07-14 20:18 - 00000000 ____D () C:\Program Files\Windows Journal
2014-07-10 18:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2014-07-10 18:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\Dism
2014-07-09 23:21 - 2013-08-09 16:16 - 00000000 ____D () C:\Windows\system32\MRT
2014-07-09 23:20 - 2012-07-01 17:44 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-07-09 19:39 - 2013-04-13 16:31 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-07-09 19:39 - 2013-04-13 16:31 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-07-06 19:25 - 2013-07-12 11:47 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Domi
2014-07-06 17:45 - 2012-09-22 20:39 - 00000000 ____D () C:\Program Files\AVAST
2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-07-06 09:25 - 2014-04-20 11:24 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-07-06 09:25 - 2014-04-02 16:50 - 00001763 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-07-06 09:25 - 2013-12-20 16:32 - 00092008 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2014-07-06 09:25 - 2013-03-06 18:44 - 00224896 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2014-07-06 09:25 - 2013-03-06 18:44 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2014-07-06 09:25 - 2012-09-22 20:40 - 01041168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2014-07-06 09:25 - 2012-09-22 20:40 - 00427360 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2014-07-06 09:25 - 2012-09-22 20:40 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2014-07-06 09:25 - 2012-09-22 20:39 - 00307344 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-07-06 09:25 - 2012-09-22 20:39 - 00079184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2014-07-05 22:39 - 2014-07-05 22:39 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\LibreOffice
2014-07-05 15:56 - 2014-07-05 15:56 - 00000719 _____ () C:\Users\Standardbenutzer\Desktop\USA Praesentation - Verknüpfung.lnk
2014-07-05 14:20 - 2014-07-05 14:19 - 00000000 ____D () C:\Program Files (x86)\w3arena
2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk
2014-07-05 14:19 - 2014-07-05 14:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\w3arena.net Launcher 1.8.7
2014-06-30 04:09 - 2014-07-09 20:01 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-06-30 04:04 - 2014-07-09 20:01 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-06-24 06:27 - 2014-05-04 13:55 - 00015351 _____ () C:\Users\Standardbenutzer\Desktop\Gewicht.ods
2014-06-22 18:35 - 2014-06-22 18:23 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\bilderrahmen
2014-06-20 22:14 - 2014-07-09 20:00 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-06-20 21:39 - 2014-07-09 20:00 - 00240824 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-06-20 13:01 - 2012-08-23 22:51 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Mp3tag 2014-06-19 09:15 - 2014-06-19 09:15 - 00000631 _____ () C:\Users\Standardbenutzer\Desktop\Fotos.lnk 2014-06-19 03:39 - 2014-07-09 20:00 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2014-06-19 03:06 - 2014-07-09 20:00 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-06-19 03:06 - 2014-07-09 20:00 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-06-19 02:48 - 2014-07-09 20:00 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-06-19 02:42 - 2014-07-09 20:00 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-06-19 02:42 - 2014-07-09 20:00 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-06-19 02:41 - 2014-07-09 20:00 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2014-06-19 02:41 - 2014-07-09 20:00 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-06-19 02:32 - 2014-07-09 20:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-06-19 02:31 - 2014-07-09 20:00 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-06-19 02:26 - 2014-07-09 20:00 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-06-19 02:24 - 2014-07-09 20:00 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-06-19 02:24 - 2014-07-09 20:00 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-06-19 02:23 - 2014-07-09 20:00 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-06-19 02:16 - 2014-07-09 20:00 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-06-19 02:14 - 2014-07-09 20:00 - 00940032 _____ (Microsoft 
Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-06-19 02:09 - 2014-07-09 20:00 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-06-19 01:59 - 2014-07-09 20:00 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-06-19 01:56 - 2014-07-09 20:00 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-06-19 01:53 - 2014-07-09 20:00 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-06-19 01:51 - 2014-07-09 20:00 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-06-19 01:50 - 2014-07-09 20:00 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-06-19 01:48 - 2014-07-09 20:00 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-06-19 01:39 - 2014-07-09 20:00 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-06-19 01:38 - 2014-07-09 20:00 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-06-19 01:37 - 2014-07-09 20:00 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-06-19 01:36 - 2014-07-09 20:00 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-06-19 01:35 - 2014-07-09 20:00 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-06-19 01:33 - 2014-07-09 20:00 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-06-19 01:32 - 2014-07-09 20:00 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-06-19 01:28 - 2014-07-09 20:00 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-06-19 01:28 - 2014-07-09 20:00 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-06-19 01:27 - 2014-07-09 20:00 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-06-19 01:27 - 2014-07-09 20:00 - 01249280 _____ 
(Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-06-19 01:25 - 2014-07-09 20:00 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-06-19 01:23 - 2014-07-09 20:00 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-06-19 01:22 - 2014-07-09 20:00 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll 2014-06-19 01:12 - 2014-07-09 20:00 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-06-19 01:06 - 2014-07-09 20:00 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-06-19 01:01 - 2014-07-09 20:00 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-06-19 00:59 - 2014-07-09 20:00 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-06-19 00:58 - 2014-07-09 20:00 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-06-19 00:58 - 2014-07-09 20:00 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-06-19 00:52 - 2014-07-09 20:00 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-06-19 00:51 - 2014-07-09 20:00 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-06-19 00:49 - 2014-07-09 20:00 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-06-19 00:46 - 2014-07-09 20:00 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-06-19 00:45 - 2014-07-09 20:00 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-06-19 00:35 - 2014-07-09 20:00 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-06-19 00:34 - 2014-07-09 20:00 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-06-19 00:15 - 2014-07-09 20:00 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-06-19 00:13 - 2014-07-09 20:00 - 01791488 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-06-19 00:09 - 2014-07-09 20:00 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-06-19 00:07 - 2014-07-09 20:00 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll Some content of TEMP: ==================== C:\Users\*****\AppData\Local\Temp\amazonicon_v4.exe C:\Users\*****\AppData\Local\Temp\amazoninstallernircmdc.exe C:\Users\*****\AppData\Local\Temp\sdanircmdc.exe C:\Users\*****\AppData\Local\Temp\sdapskill.exe C:\Users\*****\AppData\Local\Temp\sdaspwn.exe C:\Users\*****\AppData\Local\Temp\vcredist_x64_vs2010.exe C:\Users\Standardbenutzer\AppData\Local\Temp\i4jdel0.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed ==================== End Of Log ============================ --- --- --- --- --- --- Geändert von Beamling (19.07.2014 um 09:20 Uhr) |
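An FRST listing like the one above is easier to triage mechanically than by eye. The script below is an added example from the editor, not code from the original post, from FRST or from its author. It parses the record layout as read from the listing (first timestamp modified, second created, size, attribute column, parenthesised CompanyName from the file's version resource, path; this reading is an assumption, consistent with the list being sorted by its first timestamp), flags executables in user-writable locations that carry no company name, groups them by creation minute, lists executables under "Some content of TEMP:" and reports any line of the Bamital & volsnap check whose verdict is not "File is digitally signed". The sample input embeds lines copied from the log above plus one constructed line (helper.exe, with an invented verdict string) so that the unsigned branch has something to report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: records copied from the FRST Addition log above, plus
# ONE invented line (helper.exe with an invented verdict text) that is NOT in
# the original log, so the unsigned branch has something to report.
SAMPLE_LOG = r"""
2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali
2014-07-13 12:53 - 2014-07-13 12:53 - 07760687 _____ () C:\Users\*****\AppData\Roaming\SetupGFD.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05514668 _____ () C:\Users\*****\AppData\Roaming\Imgburn.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05243208 _____ () C:\Users\*****\AppData\Roaming\AvsP.exe
2014-07-13 12:53 - 2014-07-13 12:53 - 05082084 _____ () C:\Users\*****\AppData\Roaming\Avisynth.exe
2014-07-09 23:20 - 2012-07-01 17:44 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-07-06 09:25 - 2014-04-20 11:24 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk
Some content of TEMP:
====================
C:\Users\*****\AppData\Local\Temp\sdaspwn.exe
C:\Users\*****\AppData\Local\Temp\vcredist_x64_vs2010.exe
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
C:\Users\*****\AppData\Local\Temp\helper.exe => File is not digitally signed
==================== End Of Log ============================
"""

# Assumed record layout: modified - created - size attrs (company) path.
# An empty company field means no CompanyName in the version resource; that
# is not the same thing as "unsigned" (aswHwid.sys above shows the difference).
FRST_FILE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
SIGCHECK_RE = re.compile(r"^(?P<path>.+?) => (?P<verdict>.+)$")
SIGNED_VERDICT = "File is digitally signed"
TEMP_HEADER = "Some content of TEMP:"
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class FrstEntry:
    modified: datetime
    created: datetime
    size: int
    attrs: str
    company: str
    path: str

    @property
    def is_executable(self) -> bool:
        # "D" in the attribute column marks a directory
        return "D" not in self.attrs and self.path.lower().endswith(EXEC_EXTS)

    @property
    def in_user_writable(self) -> bool:
        return any(marker in self.path.lower() for marker in USER_WRITABLE)


def parse_frst(text: str) -> List[FrstEntry]:
    """Return every file/folder record in an FRST listing; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_FILE_RE.match(line.strip())
        if m:
            entries.append(FrstEntry(
                modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                size=int(m["size"]), attrs=m["attrs"],
                company=m["company"], path=m["path"]))
    return entries


def suspicious_executables(entries: List[FrstEntry]) -> List[str]:
    """Executables in user-writable locations with no CompanyName: review these first."""
    return [e.path for e in entries
            if e.is_executable and e.in_user_writable and not e.company]


def creation_bursts(entries: List[FrstEntry], min_count: int = 3) -> Dict[datetime, List[str]]:
    """Group user-writable executables by creation minute; a burst is one installer or one dropper."""
    by_minute: Dict[datetime, List[str]] = defaultdict(list)
    for e in entries:
        if e.is_executable and e.in_user_writable:
            by_minute[e.created].append(e.path)
    return {t: paths for t, paths in by_minute.items() if len(paths) >= min_count}


def temp_executables(text: str) -> List[str]:
    """Executable paths listed in the 'Some content of TEMP:' section."""
    found, in_temp = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == TEMP_HEADER:
            in_temp = True
        elif in_temp and line.startswith("=") and any(c.isalpha() for c in line):
            in_temp = False        # next section header reached
        elif in_temp and line.lower().endswith(EXEC_EXTS):
            found.append(line)
    return found


def unsigned_core_files(text: str) -> List[str]:
    """Paths from the Bamital & volsnap check whose verdict is anything but the signed one."""
    matches = (SIGCHECK_RE.match(ln.strip()) for ln in text.splitlines())
    return [m["path"] for m in matches if m and m["verdict"] != SIGNED_VERDICT]


if __name__ == "__main__":
    recs = parse_frst(SAMPLE_LOG)
    print("no-company executables in user-writable paths:", suspicious_executables(recs))
    print("creation bursts:", creation_bursts(recs))
    print("executables in TEMP:", temp_executables(SAMPLE_LOG))
    print("core files not reported as signed:", unsigned_core_files(SAMPLE_LOG))
```

Run as-is it reports the four AppData\Roaming installers as one 12:53 burst, the two TEMP executables and the constructed helper.exe line. The flags are starting points for a hash lookup or a signature check, not verdicts: an empty company field also appears on legitimate drivers, and FRST's signature check only covers the handful of core binaries it lists, not the files it flags elsewhere.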
19.07.2014, 09:07 | #4 |
| Win 7: Spam to Thunderbird portable address book "Collected Addresses" Gmer part 1: Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-07-19 00:32:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-00A7B2 rev.01.03B01 465,76GB
Running: iw14ewr4.exe; Driver: C:\Users\******\AppData\Local\Temp\axdiifod.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 000000014a200460
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 000000014a200450
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 000000014a200370
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 000000014a200470
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 000000014a2003e0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 000000014a200320
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 000000014a2003b0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 000000014a200390
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 000000014a2002e0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 000000014a2002d0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 000000014a200310
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 000000014a2003c0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 000000014a2003f0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 000000014a200230
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 000000014a200480
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 000000014a2003a0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 000000014a2002f0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 000000014a200350
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 000000014a200290
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 000000014a2002b0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 000000014a2003d0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 000000014a200330
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 000000014a200410
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 000000014a200240
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 000000014a2001e0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 000000014a200250
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 000000014a200490
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 000000014a2004a0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 000000014a200300
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 000000014a200360
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 000000014a2002a0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 000000014a2002c0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 000000014a200380
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 000000014a200340
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 000000014a200440
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 000000014a200260
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 000000014a200270
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 000000014a200400
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 000000014a2001f0
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 000000014a200210
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 000000014a200200
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 000000014a200420
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 000000014a200430
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 000000014a200220
.text  C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 000000014a200280
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000100040460
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000100040450
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000100040370
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000100040470
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 00000001000403e0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000100040320
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 00000001000403b0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000100040390
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 00000001000402e0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 00000001000402d0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000100040310
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 00000001000403c0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 00000001000403f0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000100040230
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000100040480
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 00000001000403a0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 00000001000402f0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000100040350
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000100040290
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 00000001000402b0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 00000001000403d0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000100040330
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000100040410
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000100040240
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 00000001000401e0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000100040250
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000100040490
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 00000001000404a0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000100040300
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000100040360
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 00000001000402a0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 00000001000402c0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000100040380
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000100040340
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000100040440
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000100040260
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000100040270
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000100040400
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 00000001000401f0
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000100040210
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000100040200
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000100040420
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000100040430
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000100040220
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000100040280
.text  C:\Windows\system32\wininit.exe[504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076b1ef8d 1 byte [62]
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000100040460
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000100040450
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000100040370
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000100040470
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 00000001000403e0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000100040320
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 00000001000403b0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000100040390
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 00000001000402e0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 00000001000402d0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000100040310
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 00000001000403c0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 00000001000403f0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000100040230
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000100040480
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 00000001000403a0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 00000001000402f0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000100040350
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000100040290
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 00000001000402b0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 00000001000403d0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000100040330
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000100040410
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000100040240
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 00000001000401e0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000100040250
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000100040490
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 00000001000404a0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000100040300
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000100040360
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 00000001000402a0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 00000001000402c0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000100040380
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000100040340
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000100040440
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000100040260
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000100040270
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000100040400
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 00000001000401f0
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000100040210
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000100040200
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000100040420
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000100040430
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000100040220
.text  C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000100040280
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000076e90460
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000076e90450
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000076e90370
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000076e90470
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 0000000076e903e0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000076e90320
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 0000000076e903b0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000076e90390
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 0000000076e902e0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 0000000076e902d0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000076e90310
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 0000000076e903c0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 0000000076e903f0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000076e90230
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000076e90480
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 0000000076e903a0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 0000000076e902f0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000076e90350
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000076e90290
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 0000000076e902b0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 0000000076e903d0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000076e90330
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000076e90410
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000076e90240
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 0000000076e901e0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000076e90250
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000076e90490
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 0000000076e904a0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000076e90300
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000076e90360
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 0000000076e902a0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 0000000076e902c0
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000076e90380
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000076e90340
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000076e90440
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000076e90260
.text  C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP
0000000076e90270 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\services.exe[560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b1ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\lsass.exe[580] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text 
C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 
0000000076e90440 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b1ef8d 1 byte [62] .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 
bytes JMP 0000000076e90340 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32 |
19.07.2014, 09:08 | #5 |
Win 7: Spam to Thunderbird Portable address book "gesammelte Adressen" (collected addresses) Gmer part 2: Code:
\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000076e90440
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000076e90260
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000076e90270
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000076e90400
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 0000000076e901f0
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000076e90210
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000076e90200
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000076e90420
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000076e90430
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000076e90220
.text  C:\Windows\system32\lsm.exe[588]  C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000076e90280
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000076e90460
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000076e90450
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000076e90370
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000076e90470
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 0000000076e903e0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000076e90320
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 0000000076e903b0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000076e90390
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 0000000076e902e0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 0000000076e902d0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000076e90310
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 0000000076e903c0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 0000000076e903f0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000076e90230
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000076e90480
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 0000000076e903a0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 0000000076e902f0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000076e90350
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000076e90290
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 0000000076e902b0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 0000000076e903d0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000076e90330
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000076e90410
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000076e90240
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 0000000076e901e0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000076e90250
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000076e90490
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 0000000076e904a0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000076e90300
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000076e90360
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 0000000076e902a0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 0000000076e902c0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000076e90380
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000076e90340
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000076e90440
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000076e90260
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000076e90270
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000076e90400
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 0000000076e901f0
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000076e90210
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000076e90200
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000076e90420
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000076e90430
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000076e90220
.text  C:\Windows\system32\svchost.exe[692]  C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000076e90280
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000076e90460
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000076e90450
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000076e90370
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000076e90470
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 0000000076e903e0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000076e90320
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 0000000076e903b0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000076e90390
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 0000000076e902e0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 0000000076e902d0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000076e90310
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 0000000076e903c0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 0000000076e903f0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000076e90230
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000076e90480
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 0000000076e903a0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 0000000076e902f0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000076e90350
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000076e90290
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 0000000076e902b0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 0000000076e903d0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000076e90330
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000076e90410
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000076e90240
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 0000000076e901e0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000076e90250
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000076e90490
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 0000000076e904a0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000076e90300
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000076e90360
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 0000000076e902a0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 0000000076e902c0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000076e90380
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000076e90340
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000076e90440
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000076e90260
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000076e90270
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000076e90400
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 0000000076e901f0
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000076e90210
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000076e90200
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000076e90420
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000076e90430
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000076e90220
.text  C:\Windows\system32\svchost.exe[784]  C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000076e90280
.text  C:\Windows\system32\atiesrxx.exe[844]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076b1ef8d 1 byte [62]
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000076e90460
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000076e90450
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000076e90370
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000076e90470
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 0000000076e903e0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000076e90320
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 0000000076e903b0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000076e90390
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 0000000076e902e0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 0000000076e902d0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000076e90310
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790 5 bytes JMP 0000000076e903c0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000076d317e0 5 bytes JMP 0000000076e903f0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry  0000000076d31940 5 bytes JMP 0000000076e90230
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort  0000000076d31b00 5 bytes JMP 0000000076e90480
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076d31b30 5 bytes JMP 0000000076e903a0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair  0000000076d31c10 5 bytes JMP 0000000076e902f0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion  0000000076d31c20 5 bytes JMP 0000000076e90350
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076d31c80 5 bytes JMP 0000000076e90290
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076d31d10 5 bytes JMP 0000000076e902b0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000076d31d30 5 bytes JMP 0000000076e903d0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer  0000000076d31d40 5 bytes JMP 0000000076e90330
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess  0000000076d31db0 5 bytes JMP 0000000076e90410
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry  0000000076d31de0 5 bytes JMP 0000000076e90240
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver  0000000076d320a0 5 bytes JMP 0000000076e901e0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry  0000000076d32160 5 bytes JMP 0000000076e90250
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey  0000000076d32190 5 bytes JMP 0000000076e90490
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076d321a0 5 bytes JMP 0000000076e904a0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair  0000000076d321d0 5 bytes JMP 0000000076e90300
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion  0000000076d321e0 5 bytes JMP 0000000076e90360
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076d32240 5 bytes JMP 0000000076e902a0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076d32290 5 bytes JMP 0000000076e902c0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread  0000000076d322c0 5 bytes JMP 0000000076e90380
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer  0000000076d322d0 5 bytes JMP 0000000076e90340
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx  0000000076d325c0 5 bytes JMP 0000000076e90440
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder  0000000076d327c0 5 bytes JMP 0000000076e90260
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions  0000000076d327d0 5 bytes JMP 0000000076e90270
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread  0000000076d327e0 5 bytes JMP 0000000076e90400
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000076d329a0 5 bytes JMP 0000000076e901f0
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState  0000000076d329b0 5 bytes JMP 0000000076e90210
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem  0000000076d32a20 5 bytes JMP 0000000076e90200
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess  0000000076d32a80 5 bytes JMP 0000000076e90420
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread  0000000076d32a90 5 bytes JMP 0000000076e90430
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl  0000000076d32aa0 5 bytes JMP 0000000076e90220
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl  0000000076d32b80 5 bytes JMP 0000000076e90280
.text  C:\Windows\system32\winlogon.exe[900]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076b1ef8d 1 byte [62]
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort  0000000076d31360 5 bytes JMP 0000000076e90460
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject  0000000076d313b0 5 bytes JMP 0000000076e90450
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076d31510 5 bytes JMP 0000000076e90370
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx  0000000076d31560 5 bytes JMP 0000000076e90470
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess  0000000076d31570 5 bytes JMP 0000000076e903e0
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection  0000000076d31620 5 bytes JMP 0000000076e90320
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076d31650 5 bytes JMP 0000000076e903b0
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject  0000000076d31670 5 bytes JMP 0000000076e90390
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076d316b0 5 bytes JMP 0000000076e902e0
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076d31730 5 bytes JMP 0000000076e902d0
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection  0000000076d31750 5 bytes JMP 0000000076e90310
.text  C:\Windows\System32\svchost.exe[944]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread  0000000076d31790
5 bytes JMP 0000000076e903c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\System32\svchost.exe[944] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000076e90440 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 
0000000076e90200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\System32\svchost.exe[984] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 
0000000076e901e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000076e90440 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\System32\svchost.exe[984] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b1ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 
0000000100070390 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1016] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 
0000000100070270 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[328] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 
0000000076e903d0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[328] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b1ef8d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes 
JMP 0000000076e90470 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text 
C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\atieclxx.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\atieclxx.exe[1172] 
19.07.2014, 09:09 | #6 |
Win 7: spam sent to the Thunderbird portable address book "gesammelte Adressen" Gmer part 3: Code:
Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000076e90440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text 
C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 
0000000076e902b0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 
0000000076e90440 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\Dwm.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\Explorer.EXE[2328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\Explorer.EXE[2328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\Explorer.EXE[2328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\Explorer.EXE[2328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 ---- EOF - GMER 2.1 ---- |
19.07.2014, 09:09 | #7 |
| Win 7: Spam to Thunderbird portable address book "Collected Addresses" Gmer part 4: Code:
* 2 .text C:\Program Files\AVAST\AvastUI.exe[2440] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076968791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST\AvastUI.exe[2440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 00000001001b0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 00000001001b0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 00000001001b0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 00000001001b0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 00000001001b03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 00000001001b0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 00000001001b03b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 00000001001b0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 00000001001b02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000076d31730 5 bytes JMP 00000001001b02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 00000001001b0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 00000001001b03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 00000001001b03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 00000001001b0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 00000001001b0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 00000001001b03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 00000001001b02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 00000001001b0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 00000001001b0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 00000001001b02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 00000001001b03d0 .text C:\Program Files 
(x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 00000001001b0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 00000001001b0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 00000001001b0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 00000001001b01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 00000001001b0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 00000001001b0490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 00000001001b04a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 00000001001b0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 00000001001b0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 00000001001b02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 00000001001b02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 00000001001b0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 00000001001b0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 00000001001b0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 00000001001b0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 00000001001b0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 00000001001b0400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 00000001001b01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 00000001001b0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 00000001001b0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 00000001001b0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 00000001001b0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 
00000001001b0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 00000001001b0280 .text C:\Program Files (x86)\ROCCAT\Kone Mouse\osd.exe[3756] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007698a2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\SearchIndexer.exe[3788] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text 
C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000076e90440 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 
0000000076e901f0 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\SearchIndexer.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b1ef8d 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d322c0 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d322d0 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d325c0 5 bytes JMP 0000000076e90440 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d327c0 5 bytes JMP 0000000076e90260 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d327d0 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d327e0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d329a0 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d329b0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d32a20 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d32a80 5 bytes JMP 0000000076e90420 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d32a90 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d32aa0 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\wbem\wmiprvse.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d32b80 5 bytes JMP 0000000076e90280 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d31360 5 bytes JMP 0000000076e90460 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d313b0 5 bytes JMP 0000000076e90450 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d31510 5 bytes JMP 0000000076e90370 .text C:\Windows\System32\svchost.exe[3052] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d31560 5 bytes JMP 0000000076e90470 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d31570 5 bytes JMP 0000000076e903e0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d31620 5 bytes JMP 0000000076e90320 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d31650 5 bytes JMP 0000000076e903b0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d31670 5 bytes JMP 0000000076e90390 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d316b0 5 bytes JMP 0000000076e902e0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d31730 5 bytes JMP 0000000076e902d0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d31750 5 bytes JMP 0000000076e90310 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d31790 5 bytes JMP 0000000076e903c0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d317e0 5 bytes JMP 0000000076e903f0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d31940 5 bytes JMP 0000000076e90230 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d31b00 5 bytes JMP 0000000076e90480 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d31b30 5 bytes JMP 0000000076e903a0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d31c10 5 bytes JMP 0000000076e902f0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 
0000000076d31c20 5 bytes JMP 0000000076e90350 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d31c80 5 bytes JMP 0000000076e90290 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d31d10 5 bytes JMP 0000000076e902b0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d31d30 5 bytes JMP 0000000076e903d0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d31d40 5 bytes JMP 0000000076e90330 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d31db0 5 bytes JMP 0000000076e90410 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d31de0 5 bytes JMP 0000000076e90240 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d320a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d32160 5 bytes JMP 0000000076e90250 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d32190 5 bytes JMP 0000000076e90490 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d321a0 5 bytes JMP 0000000076e904a0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d321d0 5 bytes JMP 0000000076e90300 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d321e0 5 bytes JMP 0000000076e90360 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d32240 5 bytes JMP 0000000076e902a0 .text C:\Windows\System32\svchost.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d32290 5 bytes JMP 0000000076e902c0 .text 
19.07.2014, 20:50 | #8
/// the machine /// TB-Ausbilder

Hi, scan with ComboFix.

Regards, schrauber
Proud Member of UNITE and ASAP since 2009
Donations | Guides and help | Trojaner-Board Facebook page | No help via PM!
19.07.2014, 22:36 | #9

Hello Schrauber, thanks for the quick support! Here is the ComboFix log:

Code:
ComboFix 14-07-19.01 - ******* 19.07.2014 23:11:57.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.4094.2550 [GMT 2:00]
ausgeführt von:: c:\users\Standardbenutzer\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\*******\AppData\Local\TempDIR
c:\users\*******\AppData\Roaming\Avisynth.exe
c:\users\*******\AppData\Roaming\AvsP.exe
c:\users\*******\AppData\Roaming\Imgburn.exe
c:\users\*******\AppData\Roaming\MatroskaSplitter.exe
c:\users\*******\AppData\Roaming\SetupGFD.exe
c:\users\*******\AppData\Roaming\yuvcodecs-1.3.exe
c:\users\Standardbenutzer\AppData\Local\TempFullTiltPokerEuSetup.exe
c:\windows\IsUn0407.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2014-06-19 bis 2014-07-19 ))))))))))))))))))))))))))))))
.
.
2014-07-19 21:16 . 2014-07-19 21:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-07-19 21:16 . 2014-07-19 21:16 -------- d-----w- c:\users\*******\AppData\Local\temp
2014-07-18 22:06 . 2014-07-19 16:31 -------- d-----w- c:\users\Standardbenutzer\AppData\Roaming\Thunderbird
2014-07-18 15:09 . 2014-07-18 15:09 -------- d-----w- c:\program files (x86)\ESET
2014-07-18 14:52 . 2014-07-18 14:53 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-18 14:52 . 2014-07-18 15:04 -------- d-----w- c:\program files (x86)\ Malwarebytes Anti-Malware
2014-07-18 14:52 . 2014-07-18 14:52 -------- d-----w- c:\programdata\Malwarebytes
2014-07-18 14:52 . 2014-05-12 05:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-07-18 14:52 . 2014-05-12 05:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-18 14:52 . 2014-05-12 05:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-18 14:43 . 2014-07-18 22:18 -------- d-----w- C:\FRST
2014-07-18 12:58 . 2014-07-02 03:09 10924376 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C4C77FB4-BA0B-40C3-85B6-0B1BC3532356}\mpengine.dll
2014-07-16 18:29 . 2014-07-16 18:29 -------- d-----w- c:\windows\de
2014-07-15 18:14 . 2014-07-16 18:23 -------- d-----w- c:\users\Standardbenutzer\AppData\Local\Windows Live
2014-07-15 17:41 . 2014-07-15 17:41 -------- d-----w- c:\users\Standardbenutzer\AppData\Roaming\DVDVideoSoft
2014-07-15 17:40 . 2014-07-15 18:05 -------- d-----w- c:\users\*******\AppData\Roaming\DVDVideoSoft
2014-07-13 11:40 . 2014-07-13 11:47 -------- d-----w- c:\users\Standardbenutzer\AppData\Roaming\AquaSoft
2014-07-13 11:40 . 2014-07-13 11:40 -------- d-----w- c:\users\Standardbenutzer\AppData\Local\AquaSoft
2014-07-13 11:30 . 2014-07-13 11:30 386680 ----a-w- c:\windows\system32\drivers\sptd.sys
2014-07-13 11:29 . 2014-07-13 11:29 -------- dc-h--w- c:\programdata\{3C060505-DF86-4BC0-8DF4-E59FE3326A8A}
2014-07-13 11:29 . 2014-07-13 11:29 -------- d-----w- c:\program files (x86)\Common Files\AquaSoft
2014-07-13 11:29 . 2014-07-13 11:29 -------- d-----w- c:\program files (x86)\AquaSoft
2014-07-13 11:01 . 2014-07-13 11:12 -------- d-----w- c:\users\Standardbenutzer\.DVDslideshowGUI
2014-07-13 11:01 . 2014-07-13 11:01 -------- d-----w- c:\users\Standardbenutzer\AppData\Roaming\ImgBurn
2014-07-13 10:54 . 2014-07-13 11:00 -------- d-----w- c:\users\*******\.DVDslideshowGUI
2014-07-13 10:54 . 2014-07-13 10:54 34936 ----a-w- c:\windows\SysWow64\uninstHelixYUV.exe
2014-07-13 10:54 . 2014-07-13 10:54 -------- d-----w- c:\program files (x86)\Haali
2014-07-13 10:53 . 2014-07-13 10:53 -------- d-----w- c:\program files (x86)\AviSynth 2.5
2014-07-09 18:00 . 2014-06-19 00:53 48640 ----a-w- c:\program files\Internet Explorer\DiagnosticsHub_is.dll
2014-07-06 07:25 . 2014-07-06 07:25 43152 ----a-w- c:\windows\avastSS.scr
2014-07-05 20:39 . 2014-07-05 20:39 -------- d-----w- c:\users\Standardbenutzer\AppData\Roaming\LibreOffice
2014-07-05 12:19 . 2014-07-05 12:20 -------- d-----w- c:\program files (x86)\w3arena
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 21:20 . 2012-07-01 15:44 96441528 ----a-w- c:\windows\system32\MRT.exe
2014-07-09 17:39 . 2013-04-13 14:31 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-09 17:39 . 2013-04-13 14:31 699056 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-06 07:25 . 2012-09-22 18:40 427360 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-07-06 07:25 . 2014-04-20 09:24 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-07-06 07:25 . 2013-12-20 14:32 92008 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-07-06 07:25 . 2013-03-06 16:44 224896 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-07-06 07:25 . 2013-03-06 16:44 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-07-06 07:25 . 2012-09-22 18:40 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-07-06 07:25 . 2012-09-22 18:40 1041168 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-07-06 07:25 . 2012-09-22 18:39 79184 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-07-06 07:25 . 2012-09-22 18:39 307344 ----a-w- c:\windows\system32\aswBoot.exe
2014-05-08 09:32 . 2014-06-17 08:32 3178496 ----a-w- c:\windows\system32\rdpcorets.dll
2014-05-08 09:32 . 2014-06-17 08:32 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-04-25 02:34 . 2014-06-17 08:33 801280 ----a-w- c:\windows\system32\usp10.dll
2014-04-25 02:06 . 2014-06-17 08:33 626688 ----a-w- c:\windows\SysWow64\usp10.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Kone"="c:\program files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE" [2011-02-18 1666560]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
"AvastUI.exe"="c:\program files\AVAST\AvastUI.exe" [2014-07-06 4086432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"="REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect" [X]
"20130912"="c:\program files\AVAST\setup\emupdate\8d82f117-e080-45ee-9fc2-382e142b1119.exe" [2013-09-20 74088]
"20131224"="c:\program files\AVAST\setup\emupdate\19320634-36df-44dd-a42b-feebf7e1a453.exe" [2014-04-29 181136]
"20140526"="c:\program files\AVAST\setup\emupdate\e92b0ee4-0af7-4a72-8787-242a94894a92.exe" [2014-05-27 182720]
"20140529"="c:\program files\AVAST\setup\emupdate\822dd55d-ad6c-4a40-a6d9-c822b6268856.exe" [2014-05-30 183208]
" Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\ Malwarebytes Anti-Malware \mbamdor.exe" [2014-05-12 54072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;c:\windows\system32\drivers\Apowersoft_AudioDevice.sys;c:\windows\SYSNATIVE\drivers\Apowersoft_AudioDevice.sys [x]
R3 Asushwio;Asushwio;c:\windows\system32\drivers\Asushwio.sys;c:\windows\SYSNATIVE\drivers\Asushwio.sys [x]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrUsbSIb.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena Plus\Room\safedrv.sys;c:\program files (x86)\Garena Plus\Room\safedrv.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys;c:\windows\SYSNATIVE\DRIVERS\ss_bbus.sys [x]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ss_bmdfl.sys [x]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ss_bmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 kncbda;Mystique CaBiX DVB-C2;c:\windows\system32\DRIVERS\kncbda64.sys;c:\windows\SYSNATIVE\DRIVERS\kncbda64.sys [x]
S3 KoneFltr;ROCCAT Kone;c:\windows\system32\drivers\Kone.sys;c:\windows\SYSNATIVE\drivers\Kone.sys [x]
.
.
Inhalt des "geplante Tasks" Ordners
.
2014-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-13 17:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-07-06 07:25 634872 ----a-w- c:\program files\AVAST\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2013-10-24 13662936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MSPCLOCK"="streamci" [X]
"MSPQM"="streamci" [X]
"MSKSSRV"="streamci" [X]
"MSTEE.CxTransform"="streamci" [X]
"MSTEE.Splitter"="streamci" [X]
"WDM_DRMKAUD"="streamci" [X]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files (x86)\Stardock Fences\FencesMenu64.dll" [2010-06-22 253288]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mDefault_Search_URL = www.google.com
mDefault_Page_URL = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = www.google.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3AE06AF8-C412-41B8-A0A4-481AA6EFCF70}: NameServer = 73.42.43.62,82.212.62.62
FF - ProfilePath - c:\users\*******\AppData\Roaming\Mozilla\Firefox\Profiles\uzjhbkbi.default\
FF - user.js: extensions.shownSelectionUI - true
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Wow6432Node-HKLM-RunOnce-aswAhAScr.dll - c:\program files\AVAST\aswRegSvr.exe
Wow6432Node-HKLM-RunOnce-aswasOutExt.dll - c:\program files\AVAST\aswRegSvr.exe
Wow6432Node-HKLM-RunOnce-aswasOutExt64.dll - c:\program files\AVAST\aswRegSvr64.exe
Wow6432Node-HKLM-RunOnce-freem4atomp3converteropab - (no file)
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-5513-1208-7298-9440 - c:\program files (x86)\JDownloader\JDUninstall.exe
AddRemove-HelixYUVCodecs - c:\windows\system32\uninstHelixYUV.exe
AddRemove-LAME_is1 - e:\portableprogramme\Audacity\unins000.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-3278078431-535217013-2662550515-1001_Classes\clsid]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-3278078431-535217013-2662550515-1001_Classes\clsid\{1AC77AE9-9EC6-405A-9F9B-C06AB3C10B71}]
@DACL=(02 0000)
@="CShellStitcher Object"
"AppID"="{A71DEA97-5C28-4647-93F8-9414D2E3551E}"
.
[HKEY_USERS\S-1-5-21-3278078431-535217013-2662550515-1001_Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2014-07-19 23:18:17
ComboFix-quarantined-files.txt 2014-07-19 21:18
.
Vor Suchlauf: 9 Verzeichnis(se), 15.082.405.888 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 15.646.220.288 Bytes frei
.
- - End Of File - - 4B05992FFD89A6BC72B8917B88E80457
A36C5E4F47E84449FF07ED3517B43A31
20.07.2014, 16:42 | #10 |
/// the machine /// TB-Ausbilder
Please download Malwarebytes Anti-Malware.
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
And a fresh FRST log, please.
__________________
regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!
20.07.2014, 21:25 | #11 |
Here is the Mbam.txt:
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 20.07.2014
Suchlauf-Zeit: 21:29:26
Logdatei: Mbam.txt
Administrator: Nein

Version: 2.00.2.1012
Malware Datenbank: v2014.07.20.05
Rootkit Datenbank: v2014.07.17.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Self-protection: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Standardbenutzer

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 262600
Verstrichene Zeit: 7 Min, 16 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Heuristics: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registrierungsschlüssel: 0
(No malicious items detected)

Registrierungswerte: 0
(No malicious items detected)

Registrierungsdaten: 0
(No malicious items detected)

Ordner: 0
(No malicious items detected)

Dateien: 0
(No malicious items detected)

Physische Sektoren: 0
(No malicious items detected)

(end)
Code:
# AdwCleaner v3.216 - Bericht erstellt am 20/07/2014 um 21:52:34
# Aktualisiert 17/07/2014 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzername : ******* - *******-PC
# Gestartet von : C:\Users\Standardbenutzer\Desktop\adwcleaner_3.216.exe
# Option : Löschen

***** [ Dienste ] *****


***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\ProgramData\WPM
Ordner Gelöscht : C:\Users\*******\AppData\Local\PackageAware
Ordner Gelöscht : C:\Users\*******\AppData\Roaming\pdfforge
Ordner Gelöscht : C:\Users\*******\AppData\Roaming\SupTab
Ordner Gelöscht : C:\Users\*******\AppData\Roaming\sweet-page
Datei Gelöscht : C:\Users\*******\AppData\Roaming\Mozilla\Firefox\Profiles\uzjhbkbi.default\searchplugins\Askcom.xml
Datei Gelöscht : C:\Users\*******\AppData\Roaming\Mozilla\Firefox\Profiles\uzjhbkbi.default\user.js

***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Google\Chrome\Extensions\mkcedibhemacmilmkpndpkoidlnmgngg
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\wajam.com
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Schlüssel Gelöscht : HKCU\Software\OCS
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\LyricsWoofer
Schlüssel Gelöscht : HKLM\Software\SupTab
Schlüssel Gelöscht : HKLM\Software\supWPM
Schlüssel Gelöscht : HKLM\Software\Wpm

***** [ Browser ] *****

-\\ Internet Explorer v11.0.9600.17207


-\\ Mozilla Firefox v30.0 (de)

[ Datei : C:\Users\*******\AppData\Roaming\Mozilla\Firefox\Profiles\uzjhbkbi.default\prefs.js ]

Zeile gelöscht : user_pref("extensions.wajam.affiliate_id", "6447");
Zeile gelöscht : user_pref("extensions.wajam.firstrun", "false");
Zeile gelöscht : user_pref("extensions.wajam.log_send_info", "false");
Zeile gelöscht : user_pref("extensions.wajam.mappingListJsonString", "{\"version\":\"0.21087\",\"supported_sites\":{\"google\":{\"patterns\":[\"^hxxp\\\\:\\/\\/www\\\\.google\\\\..{2,3}(|\\\\\\/ig|\\\\\\/firefox)\",\"[...]
Zeile gelöscht : user_pref("extensions.wajam.no_trace", "false");
Zeile gelöscht : user_pref("extensions.wajam.server_current_mapping_version", "0.21087");
Zeile gelöscht : user_pref("extensions.wajam.trace_log", "1374786379468 - processInstallationUpgrade - version set to : 1.26\n1374786379468 - processBrowserLoad - Bad mappingListJsonString: null\n1374786380012 - onFla[...]
Zeile gelöscht : user_pref("extensions.wajam.unique_id", "896BF33B255A659980291143C8DCEFF7");
Zeile gelöscht : user_pref("extensions.wajam.user_current_mapping_version", "0");
Zeile gelöscht : user_pref("extensions.wajam.version", "1.26");

[ Datei : C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\prefs.js ]


*************************

AdwCleaner[R0].txt - [3832 octets] - [20/07/2014 21:51:27]
AdwCleaner[S0].txt - [3709 octets] - [20/07/2014 21:52:34]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [3769 octets] ##########
JRT:
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by ****** on 20.07.2014 at 22:01:54,71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BF3DE226-70BD-4BE9-BC47-D3612B7920ED}
Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\low rights\elevationpolicy\{a5aa24ea-11b8-4113-95ae-9ed71deaf12a}"



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"



~~~ FireFox

Successfully deleted: [Folder] C:\Users\******\AppData\Roaming\mozilla\firefox\profiles\uzjhbkbi.default\extensions\staged



~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 20.07.2014 at 22:07:03,64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-07-2014
Ran by Standardbenutzer (ATTENTION: The logged in user is not administrator) on *********-PC on 20-07-2014 22:19:50
Running from C:\Users\Standardbenutzer\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ROCCAT) C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE
(AVAST Software) C:\Program Files\AVAST\AvastUI.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ROCCAT) C:\Program Files (x86)\ROCCAT\Kone Mouse\OSD.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [Kone] => C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE [1666560 2011-02-18] (ROCCAT)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-11-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST\AvastUI.exe [4086432 2014-07-06] (AVAST Software)
HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D (the data entry has 60 more characters).
HKLM\...\RunOnce: [MSPQM] => rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D (the data entry has 60 more characters).
HKLM\...\RunOnce: [MSKSSRV] => rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D (the data entry has 60 more characters).
HKLM\...\RunOnce: [MSTEE.CxTransform] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D (the data entry has 112 more characters).
HKLM\...\RunOnce: [MSTEE.Splitter] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D (the data entry has 112 more characters).
HKLM\...\RunOnce: [WDM_DRMKAUD] => rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e (the data entry has 118 more characters).
HKLM-x32\...\RunOnce: [20130912] => C:\Program Files\AVAST\setup\emupdate\8d82f117-e080-45ee-9fc2-382e142b1119.exe [74088 2013-09-20] (AVAST Software)
HKLM-x32\...\RunOnce: [20131224] => C:\Program Files\AVAST\setup\emupdate\19320634-36df-44dd-a42b-feebf7e1a453.exe [181136 2014-04-29] (AVAST Software)
HKLM-x32\...\RunOnce: [SpUninstallCleanUp] => REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect /f
HKLM-x32\...\RunOnce: [20140526] => C:\Program Files\AVAST\setup\emupdate\e92b0ee4-0af7-4a72-8787-242a94894a92.exe [182720 2014-05-27] (AVAST Software)
HKLM-x32\...\RunOnce: [20140529] => C:\Program Files\AVAST\setup\emupdate\822dd55d-ad6c-4a40-a6d9-c822b6268856.exe [183208 2014-05-30] (AVAST Software)
HKLM-x32\...\RunOnce: [ Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\ Malwarebytes Anti-Malware \mbamdor.exe [54072 2014-05-12] (Malwarebytes Corporation)
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Standardbenutzer\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\MountPoints2: {0972c94d-c786-11e1-8265-00241ddf508f} - J:\unlock.exe autoplay=true
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\MountPoints2: {11fe8b0a-099a-11e2-b644-00241ddf508f} - G:\Autorun.exe
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST\ashShA64.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xFA19FFF41745CE01
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - {BF3DE226-70BD-4BE9-BC47-D3612B7920ED} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=NDV&o=15765&src=kw&q={searchTerms}&locale=&apn_ptnrs=NY&apn_dtid=YYYYYYYYDE&apn_uid=F65F8253-4059-4066-B74C-50FAC716EF22&apn_sauid=B7E7D51B-4BC9-40D9-8A38-9D18BF2A5BEA
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST\aswWebRepIE.dll (AVAST Software)
BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3AE06AF8-C412-41B8-A0A4-481AA6EFCF70}: [NameServer]73.42.43.62,82.212.62.62

FireFox:
========
FF ProfilePath: C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302
FF Homepage: https://www.startpage.com/
FF NetworkProxy: "backup.ftp", "190.0.17.202"
FF NetworkProxy: "backup.ftp_port", 8080
FF NetworkProxy: "backup.socks", "190.0.17.202"
FF NetworkProxy: "backup.socks_port", 8080
FF NetworkProxy: "backup.ssl", "190.0.17.202"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "ftp", "190.0.17.202"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "http", "190.0.17.202"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "190.0.17.202"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "190.0.17.202"
FF NetworkProxy: "ssl_port", 8080
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk - C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: DownloadHelper - C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-03-25]
FF Extension: Adblock Plus - C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-08-03]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST\WebRep\FF [2012-09-22]

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-11-16] (Advanced Micro Devices, Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST\AvastSvc.exe [50344 2014-07-06] (AVAST Software)
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S3 Apowersoft_AudioDevice; C:\Windows\System32\drivers\Apowersoft_AudioDevice.sys [31920 2013-06-02] (Wondershare)
S3 Asushwio; C:\Windows\SysWOW64\drivers\Asushwio.sys [5824 2000-03-29] () [File not signed]
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-06] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-06] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-06] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-06] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-06] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-06] ()
R3 kncbda; C:\Windows\System32\DRIVERS\kncbda64.sys [180736 2008-08-13] (ODSoft multimedia)
R3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [15488 2008-12-11] (ROCCAT Ltd)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [122584 2014-07-18] (Malwarebytes Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-07-13] (Duplex Secure Ltd.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-07-20 22:17 - 2014-07-20 22:17 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\FRST-OlderVersion
2014-07-20 22:13 - 2014-07-20 22:13 - 00001149 _____ () C:\Users\*********\Desktop\JRT2.txt
2014-07-20 22:07 - 2014-07-20 22:07 - 00001151 _____ () C:\Users\*********\Desktop\JRT.txt
2014-07-20 22:01 - 2014-07-20 22:01 - 01016261 _____ (Thisisu) C:\Users\Standardbenutzer\Desktop\JRT.exe
2014-07-20 22:01 - 2014-07-20 22:01 - 00000000 ____D () C:\Windows\ERUNT
2014-07-20 21:52 - 2014-07-20 21:52 - 00003847 _____ () C:\Users\Standardbenutzer\Desktop\AdwCleaner[S0].txt
2014-07-20 21:51 - 2014-07-20 22:00 - 00000000 ____D () C:\AdwCleaner
2014-07-20 21:50 - 2014-07-20 21:50 - 01354223 _____ () C:\Users\Standardbenutzer\Desktop\adwcleaner_3.216.exe
2014-07-20 21:50 - 2014-07-20 21:50 - 00001169 _____ () C:\Users\Standardbenutzer\Desktop\Mbam.txt
2014-07-19 23:18 - 2014-07-19 23:18 - 00019635 _____ () C:\ComboFix.txt
2014-07-19 23:10 - 2014-07-19 23:18 - 00000000 ____D () C:\Qoobox
2014-07-19 23:10 - 2014-07-19 23:17 - 00000000 ____D () C:\Windows\erdnt
2014-07-19 23:10 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-07-19 23:10 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-07-19 23:10 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-07-19 23:08 - 2014-07-19 23:08 - 05222180 ____R (Swearware) C:\Users\Standardbenutzer\Desktop\ComboFix.exe
2014-07-19 00:32 - 2014-07-19 00:36 - 00269213 _____ () C:\Users\Standardbenutzer\Desktop\Gmer.log
2014-07-19 00:25 - 2014-07-19 00:25 - 00380416 _____ () C:\Users\Standardbenutzer\Desktop\iw14ewr4.exe
2014-07-19 00:18 - 2014-07-19 00:18 - 00028895 _____ () C:\Users\Standardbenutzer\Desktop\Addition.txt
2014-07-19 00:16 - 2014-07-20 22:19 - 00042193 _____ () C:\Users\Standardbenutzer\Desktop\FRSTalt.txt
2014-07-19 00:16 - 2014-07-20 22:19 - 00011481 _____ () C:\Users\Standardbenutzer\Desktop\FRST.txt
2014-07-19 00:15 - 2014-07-20 22:17 - 02089984 _____ (Farbar) C:\Users\Standardbenutzer\Desktop\FRST64.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00050477 _____ () C:\Users\Standardbenutzer\Desktop\Defogger.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00000586 _____ () C:\Users\Standardbenutzer\Desktop\defogger_disable.log
2014-07-19 00:11 - 2014-07-19 00:11 - 00000020 _____ () C:\Users\*********\defogger_reenable
2014-07-19 00:06 - 2014-07-19 18:31 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Thunderbird
2014-07-18 23:43 - 2014-07-18 23:43 - 00004362 _____ () C:\Users\Standardbenutzer\Desktop\emails.txt
2014-07-18 17:09 - 2014-07-18 17:09 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-18 17:08 - 2014-07-18 17:08 - 02347384 _____ (ESET) C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe
2014-07-18 16:52 - 2014-07-18 17:04 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:53 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-18 16:52 - 2014-07-18 16:52 - 00001102 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-18 16:52 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-07-18 16:52 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-07-18 16:52 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-07-18 16:51 - 2014-07-18 23:59 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Standardbenutzer\Desktop\mbam-setup-2.0.2.1012.exe
2014-07-18 16:43 - 2014-07-20 22:19 - 00000000 ____D () C:\FRST
2014-07-18 16:20 - 2014-07-19 00:11 - 00000502 _____ () C:\Users\Standardbenutzer\Desktop\Neues Textdokument.txt
2014-07-17 18:02 - 2014-07-17 18:02 - 00001679 _____ () C:\Users\Standardbenutzer\Desktop\Player.exe - Verknüpfung.lnk
2014-07-17 17:53 - 2014-07-17 17:53 - 00001493 _____ () C:\Users\Standardbenutzer\Desktop\ts3client_win64.exe - Verknüpfung.lnk
2014-07-17 17:36 - 2014-07-17 17:36 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
2014-07-16 20:29 - 2014-07-16 20:29 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2014-07-16 20:29 - 2014-07-16 20:29 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2014-07-16 20:29 - 2014-07-16 20:29 - 00000000 ____D () C:\Windows\de
2014-07-15 20:14 - 2014-07-16 20:23 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\Windows Live
2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\DVDVideoSoft
2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\DVDVideoSoft
2014-07-15 19:40 - 2014-07-15 20:05 - 00000000 ____D () C:\Users\*********\AppData\Roaming\DVDVideoSoft
2014-07-13 18:11 - 2014-07-13 18:11 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Neuer Ordner
2014-07-13 13:40 - 2014-07-13 13:47 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\AquaSoft
2014-07-13 13:40 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\AquaSoft
2014-07-13 13:30 - 2014-07-13 13:30 - 00386680 _____ (Duplex Secure Ltd.) C:\Windows\system32\Drivers\sptd.sys
2014-07-13 13:29 - 2014-07-13 13:29 - 00001083 _____ () C:\Users\Public\Desktop\DiaShow 8 Ultimate.lnk
2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 __HDC () C:\ProgramData\{3C060505-DF86-4BC0-8DF4-E59FE3326A8A}
2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AquaSoft
2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\Program Files (x86)\AquaSoft
2014-07-13 13:01 - 2014-07-13 13:12 - 00000000 ____D () C:\Users\Standardbenutzer\.DVDslideshowGUI
2014-07-13 13:01 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\ImgBurn
2014-07-13 12:54 - 2014-07-13 13:00 - 00000000 ____D () C:\Users\*********\.DVDslideshowGUI
2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali
2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AviSynth 2.5
2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\Program Files (x86)\AviSynth 2.5
2014-07-09 20:01 - 2014-06-30 04:09 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-07-09 20:01 - 2014-06-30 04:04 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-07-09 20:01 - 2014-06-18 04:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-07-09 20:01 - 2014-06-18 03:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2014-07-09 20:01 - 2014-06-18 03:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-07-09 20:01 - 2014-06-06 12:10 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-07-09 20:01 - 2014-06-06 11:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-07-09 20:01 - 2014-05-30 10:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-07-09 20:01 - 2014-05-30 09:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-07-09 20:01 - 2014-05-30 08:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-07-09 20:00 - 2014-06-20 22:14 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-07-09 20:00 - 2014-06-20 21:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-07-09 20:00 - 2014-06-19 03:39 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-07-09 20:00 - 2014-06-19 03:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-07-09 20:00 - 2014-06-19 03:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-07-09 20:00 - 2014-06-19 02:48 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-07-09 20:00 - 2014-06-19 02:42 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-07-09 20:00 - 2014-06-19 02:42 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-07-09 20:00 - 2014-06-19 02:41 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-07-09 20:00 - 2014-06-19 02:41 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-07-09 20:00 - 2014-06-19 02:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-07-09 20:00 - 2014-06-19 02:31 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-07-09 20:00 - 2014-06-19 02:26 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-07-09 20:00 - 2014-06-19 02:24 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-07-09 20:00 - 2014-06-19 02:24 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-07-09 20:00 - 2014-06-19 02:23 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-07-09 20:00 - 2014-06-19 02:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-07-09 20:00 - 2014-06-19 02:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-07-09 20:00 - 2014-06-19 02:09 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-07-09 20:00 - 2014-06-19 01:59 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-07-09 20:00 - 2014-06-19 01:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-07-09 20:00 - 2014-06-19 01:53 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-07-09 20:00 - 2014-06-19 01:51 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-07-09 20:00 - 2014-06-19 01:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-07-09 20:00 - 2014-06-19 01:48 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-07-09 20:00 - 2014-06-19 01:39 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-07-09 20:00 - 2014-06-19 01:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-07-09 20:00 - 2014-06-19 01:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-07-09 20:00 - 2014-06-19 01:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-07-09 20:00 - 2014-06-19 01:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-07-09 20:00 - 2014-06-19 01:33 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-07-09 20:00 - 2014-06-19 01:32 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-07-09 20:00 - 2014-06-19 01:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-07-09 20:00 - 2014-06-19 01:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-07-09 20:00 - 2014-06-19 01:27 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-07-09 20:00 - 2014-06-19 01:27 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-07-09 20:00 - 2014-06-19 01:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-07-09 20:00 - 2014-06-19 01:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-07-09 20:00 - 2014-06-19 01:22 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-07-09 20:00 - 2014-06-19 01:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-07-09 20:00 - 2014-06-19 01:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-07-09 20:00 - 2014-06-19 01:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-07-09 20:00 - 2014-06-19 00:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-07-09 20:00 - 2014-06-19 00:58 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-07-09 20:00 - 2014-06-19 00:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-07-09 20:00 - 2014-06-19 00:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-07-09 20:00 - 2014-06-19 00:51 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-07-09 20:00 - 2014-06-19 00:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-07-09 20:00 - 2014-06-19 00:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-07-09 20:00 - 2014-06-19 00:45 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-07-09 20:00 - 2014-06-19 00:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-07-09 20:00 - 2014-06-19 00:34 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-07-09 20:00 - 2014-06-19 00:15 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-07-09 20:00 - 2014-06-19 00:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-07-09 20:00 - 2014-06-19 00:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-07-09 20:00 - 2014-06-19 00:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-07-09 20:00 - 2014-06-05 16:45 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-07-09 20:00 - 2014-06-05 16:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-07-09 20:00 - 2014-06-05 16:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-07-05 22:39 - 2014-07-05 22:39 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\LibreOffice
2014-07-05 15:56 - 2014-07-05 15:56 - 00000719 _____ () C:\Users\Standardbenutzer\Desktop\USA Praesentation - Verknüpfung.lnk
2014-07-05 14:19 - 2014-07-05 14:20 - 00000000 ____D () C:\Program Files (x86)\w3arena
2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk
2014-07-05 14:19 - 2014-07-05 14:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\w3arena.net Launcher 1.8.7
2014-06-22 18:23 - 2014-06-22 18:35 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\bilderrahmen

==================== One Month Modified Files and Folders =======

2014-07-20 22:19 - 2014-07-19 00:16 - 00042193 _____ () C:\Users\Standardbenutzer\Desktop\FRSTalt.txt
2014-07-20 22:19 - 2014-07-19 00:16 - 00011481 _____ () C:\Users\Standardbenutzer\Desktop\FRST.txt
2014-07-20 22:19 - 2014-07-18 16:43 - 00000000 ____D () C:\FRST
2014-07-20 22:17 - 2014-07-20 22:17 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\FRST-OlderVersion
2014-07-20 22:17 - 2014-07-19 00:15 - 02089984 _____ (Farbar) C:\Users\Standardbenutzer\Desktop\FRST64.exe
2014-07-20 22:17 - 2012-07-01 12:21 - 01140831 _____ () C:\Windows\WindowsUpdate.log
2014-07-20 22:14 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-07-20 22:14 - 2009-07-14 06:51 - 00179414 _____ () C:\Windows\setupact.log
2014-07-20 22:13 - 2014-07-20 22:13 - 00001149 _____ () C:\Users\*********\Desktop\JRT2.txt
2014-07-20 22:07 - 2014-07-20 22:07 - 00001151 _____ () C:\Users\*********\Desktop\JRT.txt
2014-07-20 22:01 - 2014-07-20 22:01 - 01016261 _____ (Thisisu) C:\Users\Standardbenutzer\Desktop\JRT.exe
2014-07-20 22:01 - 2014-07-20 22:01 - 00000000 ____D () C:\Windows\ERUNT
2014-07-20 22:01 - 2009-07-14 06:45 - 00014752 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-20 22:01 - 2009-07-14 06:45 - 00014752 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-20 22:00 - 2014-07-20 21:51 - 00000000 ____D () C:\AdwCleaner
2014-07-20 21:53 - 2012-07-01 18:14 - 00322184 _____ () C:\Windows\PFRO.log
2014-07-20 21:52 - 2014-07-20 21:52 - 00003847 _____ () C:\Users\Standardbenutzer\Desktop\AdwCleaner[S0].txt
2014-07-20 21:50 - 2014-07-20 21:50 - 01354223 _____ () C:\Users\Standardbenutzer\Desktop\adwcleaner_3.216.exe
2014-07-20 21:50 - 2014-07-20 21:50 - 00001169 _____ () C:\Users\Standardbenutzer\Desktop\Mbam.txt
2014-07-20 21:39 - 2013-07-04 20:49 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-07-20 17:53 - 2012-08-05 16:44 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\Meine PSP-Dateien
2014-07-19 23:18 - 2014-07-19 23:18 - 00019635 _____ () C:\ComboFix.txt
2014-07-19 23:18 - 2014-07-19 23:10 - 00000000 ____D () C:\Qoobox
2014-07-19 23:18 - 2009-07-14 06:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-07-19 23:18 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2014-07-19 23:17 - 2014-07-19 23:10 - 00000000 ____D () C:\Windows\erdnt
2014-07-19 23:16 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2014-07-19 23:08 - 2014-07-19 23:08 - 05222180 ____R (Swearware) C:\Users\Standardbenutzer\Desktop\ComboFix.exe
2014-07-19 20:54
- 2009-07-14 19:58 - 01717372 _____ () C:\Windows\system32\perfh007.dat 2014-07-19 20:54 - 2009-07-14 19:58 - 00465832 _____ () C:\Windows\system32\perfc007.dat 2014-07-19 20:54 - 2009-07-14 07:13 - 00006264 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-07-19 18:31 - 2014-07-19 00:06 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Thunderbird 2014-07-19 00:36 - 2014-07-19 00:32 - 00269213 _____ () C:\Users\Standardbenutzer\Desktop\Gmer.log 2014-07-19 00:25 - 2014-07-19 00:25 - 00380416 _____ () C:\Users\Standardbenutzer\Desktop\iw14ewr4.exe 2014-07-19 00:18 - 2014-07-19 00:18 - 00028895 _____ () C:\Users\Standardbenutzer\Desktop\Addition.txt 2014-07-19 00:11 - 2014-07-19 00:11 - 00050477 _____ () C:\Users\Standardbenutzer\Desktop\Defogger.exe 2014-07-19 00:11 - 2014-07-19 00:11 - 00000586 _____ () C:\Users\Standardbenutzer\Desktop\defogger_disable.log 2014-07-19 00:11 - 2014-07-19 00:11 - 00000020 _____ () C:\Users\*********\defogger_reenable 2014-07-19 00:11 - 2014-07-18 16:20 - 00000502 _____ () C:\Users\Standardbenutzer\Desktop\Neues Textdokument.txt 2014-07-19 00:11 - 2012-07-01 12:21 - 00000000 ____D () C:\Users\********* 2014-07-18 23:59 - 2014-07-18 16:51 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Standardbenutzer\Desktop\mbam-setup-2.0.2.1012.exe 2014-07-18 23:43 - 2014-07-18 23:43 - 00004362 _____ () C:\Users\Standardbenutzer\Desktop\emails.txt 2014-07-18 17:09 - 2014-07-18 17:09 - 00000000 ____D () C:\Program Files (x86)\ESET 2014-07-18 17:08 - 2014-07-18 17:08 - 02347384 _____ (ESET) C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe 2014-07-18 17:04 - 2014-07-18 16:52 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-07-18 17:03 - 2014-04-07 22:03 - 00000000 ____D () C:\Users\*********\AppData\Local\DM 2014-07-18 16:53 - 2014-07-18 16:52 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-07-18 16:52 - 2014-07-18 16:52 - 00001102 _____ () 
C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-07-18 16:43 - 2012-11-10 10:37 - 00000000 ____D () C:\Program Files (x86)\Java 2014-07-17 18:02 - 2014-07-17 18:02 - 00001679 _____ () C:\Users\Standardbenutzer\Desktop\Player.exe - Verknüpfung.lnk 2014-07-17 17:53 - 2014-07-17 17:53 - 00001493 _____ () C:\Users\Standardbenutzer\Desktop\ts3client_win64.exe - Verknüpfung.lnk 2014-07-17 17:36 - 2014-07-17 17:36 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client 2014-07-17 17:36 - 2012-07-01 19:05 - 00000000 ____D () C:\Program Files\TeamSpeak 3 Client 2014-07-17 17:30 - 2012-07-01 20:08 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\TS3Client 2014-07-17 17:30 - 2012-07-01 19:06 - 00000000 ____D () C:\Users\*********\AppData\Roaming\TS3Client 2014-07-16 20:29 - 2014-07-16 20:29 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk 2014-07-16 20:29 - 2014-07-16 20:29 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk 2014-07-16 20:29 - 2014-07-16 20:29 - 00000000 ____D () C:\Windows\de 2014-07-16 20:28 - 2013-06-23 14:46 - 00000000 ____D () C:\Program Files (x86)\Windows Live 2014-07-16 20:27 - 2012-07-28 20:12 - 00064120 _____ () C:\Windows\DirectX.log 2014-07-16 20:23 - 2014-07-15 20:14 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\Windows Live 2014-07-15 20:05 - 2014-07-15 19:40 - 00000000 ____D () C:\Users\*********\AppData\Roaming\DVDVideoSoft 2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\DVDVideoSoft 2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\DVDVideoSoft 2014-07-13 
18:11 - 2014-07-13 18:11 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Neuer Ordner 2014-07-13 13:47 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\AquaSoft 2014-07-13 13:40 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\AquaSoft 2014-07-13 13:32 - 2012-07-01 20:01 - 00076712 _____ () C:\Users\Standardbenutzer\AppData\Local\GDIPFONTCACHEV1.DAT 2014-07-13 13:31 - 2009-07-14 06:45 - 00321040 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-07-13 13:30 - 2014-07-13 13:30 - 00386680 _____ (Duplex Secure Ltd.) C:\Windows\system32\Drivers\sptd.sys 2014-07-13 13:29 - 2014-07-13 13:29 - 00001083 _____ () C:\Users\Public\Desktop\DiaShow 8 Ultimate.lnk 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 __HDC () C:\ProgramData\{3C060505-DF86-4BC0-8DF4-E59FE3326A8A} 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AquaSoft 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\Program Files (x86)\AquaSoft 2014-07-13 13:23 - 2012-07-01 17:48 - 00076712 _____ () C:\Users\*********\AppData\Local\GDIPFONTCACHEV1.DAT 2014-07-13 13:12 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\.DVDslideshowGUI 2014-07-13 13:01 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\ImgBurn 2014-07-13 13:01 - 2012-07-01 20:01 - 00000000 ____D () C:\Users\Standardbenutzer 2014-07-13 13:00 - 2014-07-13 12:54 - 00000000 ____D () C:\Users\*********\.DVDslideshowGUI 2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe 2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter 2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali 2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AviSynth 2.5 2014-07-13 12:53 - 2014-07-13 12:53 - 
00000000 ____D () C:\Program Files (x86)\AviSynth 2.5 2014-07-12 16:26 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT 2014-07-12 09:11 - 2014-03-21 20:01 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\Adobe 2014-07-12 09:11 - 2012-07-01 20:12 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Adobe 2014-07-10 19:16 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache 2014-07-10 18:41 - 2014-05-06 10:19 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-07-10 18:41 - 2009-07-14 20:18 - 00000000 ____D () C:\Program Files\Windows Journal 2014-07-10 18:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism 2014-07-10 18:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\Dism 2014-07-09 23:21 - 2013-08-09 16:16 - 00000000 ____D () C:\Windows\system32\MRT 2014-07-09 23:20 - 2012-07-01 17:44 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-07-09 19:39 - 2013-04-13 16:31 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-07-09 19:39 - 2013-04-13 16:31 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-07-06 19:25 - 2013-07-12 11:47 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Domi 2014-07-06 17:45 - 2012-09-22 20:39 - 00000000 ____D () C:\Program Files\AVAST 2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr 2014-07-06 09:25 - 2014-04-20 11:24 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys 2014-07-06 09:25 - 2014-04-02 16:50 - 00001763 _____ () C:\Users\Public\Desktop\avast! 
Free Antivirus.lnk 2014-07-06 09:25 - 2013-12-20 16:32 - 00092008 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys 2014-07-06 09:25 - 2013-03-06 18:44 - 00224896 _____ () C:\Windows\system32\Drivers\aswVmm.sys 2014-07-06 09:25 - 2013-03-06 18:44 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys 2014-07-06 09:25 - 2012-09-22 20:40 - 01041168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys 2014-07-06 09:25 - 2012-09-22 20:40 - 00427360 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys 2014-07-06 09:25 - 2012-09-22 20:40 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys 2014-07-06 09:25 - 2012-09-22 20:39 - 00307344 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe 2014-07-06 09:25 - 2012-09-22 20:39 - 00079184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys 2014-07-05 22:39 - 2014-07-05 22:39 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\LibreOffice 2014-07-05 15:56 - 2014-07-05 15:56 - 00000719 _____ () C:\Users\Standardbenutzer\Desktop\USA Praesentation - Verknüpfung.lnk 2014-07-05 14:20 - 2014-07-05 14:19 - 00000000 ____D () C:\Program Files (x86)\w3arena 2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk 2014-07-05 14:19 - 2014-07-05 14:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\w3arena.net Launcher 1.8.7 2014-06-30 04:09 - 2014-07-09 20:01 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-06-30 04:04 - 2014-07-09 20:01 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-06-24 06:27 - 2014-05-04 13:55 - 00015351 _____ () C:\Users\Standardbenutzer\Desktop\Gewicht.ods 2014-06-22 18:35 - 2014-06-22 18:23 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\bilderrahmen 2014-06-20 22:14 - 2014-07-09 20:00 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2014-06-20 21:39 - 2014-07-09 20:00 - 00240824 _____ 
(Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-06-20 13:01 - 2012-08-23 22:51 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Mp3tag Some content of TEMP: ==================== C:\Users\*********\AppData\Local\Temp\Quarantine.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed ==================== End Of Log ============================ |
21.07.2014, 12:02 | #12
/// the machine /// TB-Ausbilder

ESET Online Scanner

Please download SecurityCheck and:

and a fresh FRST log, please. Still having problems?

__________________
Regards, schrauber
Proud Member of UNITE and ASAP since 2009
Donations | Guides and help | Trojaner-Board Facebook page
No help via PM!
22.07.2014, 20:57 | #13

Hello Schrauber, here are the logs:

log.txt:
Code:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=019fbe3046bca84abd0e70c9f15addf7
# engine=19241
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-07-18 03:32:02
# local_time=2014-07-18 05:32:02 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 97 1036005 170118012 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 1647 157327372 0 0
# scanned=50202
# found=8
# cleaned=0
# scan_time=1045
sh=D2BC806A05A53DE0B69451EE2457CBAAB005F812 ft=1 fh=c71c0011240d44a4 vn="Variante von Win32/Thinknice.B evtl. unerwünschte Anwendung" ac=I fn="C:\Program Files (x86)\SupTab\DpInterface32.dll"
sh=C6E90F14A7F66692913A92E8A2BE7EE89EF782D2 ft=1 fh=442affd5ebd5cadb vn="Variante von Win32/Thinknice.B evtl. unerwünschte Anwendung" ac=I fn="C:\Program Files (x86)\SupTab\SupTab.dll"
sh=2E2BB652F379B4D07CB02EDA1D899F32DC26C75C ft=1 fh=a66cfc69df6b1857 vn="Variante von Win32/InstallCore.LN evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FYASB7PL\JDownloaderSetup_CH[1].exe"
sh=C4420C6E94B8CAACCB3811384280D8A93CB0A37D ft=1 fh=25f111c507a31a21 vn="Win32/Toolbar.Conduit.R evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FYASB7PL\sp-downloader[1].exe"
sh=212ED8B01386C69F4610FB0D8ECEC6EC59F34EB9 ft=1 fh=ca9f110549e6e28e vn="Win32/Conduit.SearchProtect.Q evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X75RAZH8\SPSetup[1].exe"
sh=341564D541DD7F21749D4E2523FB440E8AEDA425 ft=1 fh=3b6e53ef77d6871c vn="Win32/InstallMonetizer.AZ evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X75RAZH8\Tiny_download_manager_7956[1].exe"
sh=16068B8977B4DC562AE782D91BC009472667E331 ft=1 fh=c3b5a87b7d152749 vn="Variante von Win32/DownloadSponsor.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Temp\OCS\ocs_v71a.exe"
sh=81C94CAE2EB974AA65C9D43063D0BFC4BE7BADD4 ft=0 fh=0000000000000000 vn="Mehrere Bedrohungen" ac=I fn="C:\Users\Standardbenutzer\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\1c770262-229e8e16"
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=019fbe3046bca84abd0e70c9f15addf7
# engine=19241
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-07-18 05:35:52
# local_time=2014-07-18 07:35:52 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 97 1043435 170125442 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 9077 157334802 0 0
# scanned=532152
# found=8
# cleaned=0
# scan_time=7311
sh=D2BC806A05A53DE0B69451EE2457CBAAB005F812 ft=1 fh=c71c0011240d44a4 vn="Variante von Win32/Thinknice.B evtl. unerwünschte Anwendung" ac=I fn="C:\Program Files (x86)\SupTab\DpInterface32.dll"
sh=C6E90F14A7F66692913A92E8A2BE7EE89EF782D2 ft=1 fh=442affd5ebd5cadb vn="Variante von Win32/Thinknice.B evtl. unerwünschte Anwendung" ac=I fn="C:\Program Files (x86)\SupTab\SupTab.dll"
sh=2E2BB652F379B4D07CB02EDA1D899F32DC26C75C ft=1 fh=a66cfc69df6b1857 vn="Variante von Win32/InstallCore.LN evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FYASB7PL\JDownloaderSetup_CH[1].exe"
sh=C4420C6E94B8CAACCB3811384280D8A93CB0A37D ft=1 fh=25f111c507a31a21 vn="Win32/Toolbar.Conduit.R evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FYASB7PL\sp-downloader[1].exe"
sh=212ED8B01386C69F4610FB0D8ECEC6EC59F34EB9 ft=1 fh=ca9f110549e6e28e vn="Win32/Conduit.SearchProtect.Q evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X75RAZH8\SPSetup[1].exe"
sh=341564D541DD7F21749D4E2523FB440E8AEDA425 ft=1 fh=3b6e53ef77d6871c vn="Win32/InstallMonetizer.AZ evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X75RAZH8\Tiny_download_manager_7956[1].exe"
sh=16068B8977B4DC562AE782D91BC009472667E331 ft=1 fh=c3b5a87b7d152749 vn="Variante von Win32/DownloadSponsor.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\*****\AppData\Local\Temp\OCS\ocs_v71a.exe"
sh=81C94CAE2EB974AA65C9D43063D0BFC4BE7BADD4 ft=0 fh=0000000000000000 vn="Mehrere Bedrohungen" ac=I fn="C:\Users\Standardbenutzer\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\1c770262-229e8e16"
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=019fbe3046bca84abd0e70c9f15addf7
# engine=19277
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-07-21 08:21:58
# local_time=2014-07-21 10:21:58 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 97 1312601 170394608 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 88126 157603968 0 0
# scanned=42073
# found=0
# cleaned=0
# scan_time=780
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=12
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=019fbe3046bca84abd0e70c9f15addf7
# engine=19295
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-07-22 05:49:25
# local_time=2014-07-22 07:49:25 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 97 1389848 170471855 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 10866 157681215 0 0
# scanned=526280
# found=0
# cleaned=0
# scan_time=7140

Checkup.txt:
Code:
Results of screen317's Security Check version 0.99.85
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 14.0.0.145
Mozilla Firefox (30.0)
````````Process Check: objlist.exe by Laurent````````
AVAST AvastSvc.exe
AVAST AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

What interests me most: could you see in any of the log files whether the PC is infected with anything at all? Thanks for your help.

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-07-2014
Ran by Standardbenutzer (ATTENTION: The logged in user is not administrator) on ********-PC on 22-07-2014 21:49:55
Running from C:\Users\Standardbenutzer\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ROCCAT) C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE
(AVAST Software) C:\Program Files\AVAST\AvastUI.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ROCCAT) C:\Program Files (x86)\ROCCAT\Kone Mouse\OSD.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-10-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [Kone] => C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE [1666560 2011-02-18] (ROCCAT)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-11-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST\AvastUI.exe [4086432 2014-07-06] (AVAST Software)
HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D (the data entry has 60 more characters).
HKLM\...\RunOnce: [MSPQM] => rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D (the data entry has 60 more characters).
HKLM\...\RunOnce: [MSKSSRV] => rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D (the data entry has 60 more characters).
HKLM\...\RunOnce: [MSTEE.CxTransform] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D (the data entry has 112 more characters).
HKLM\...\RunOnce: [MSTEE.Splitter] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D (the data entry has 112 more characters).
HKLM\...\RunOnce: [WDM_DRMKAUD] => rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e (the data entry has 118 more characters).
HKLM-x32\...\RunOnce: [20130912] => C:\Program Files\AVAST\setup\emupdate\8d82f117-e080-45ee-9fc2-382e142b1119.exe [74088 2013-09-20] (AVAST Software)
HKLM-x32\...\RunOnce: [20131224] => C:\Program Files\AVAST\setup\emupdate\19320634-36df-44dd-a42b-feebf7e1a453.exe [181136 2014-04-29] (AVAST Software)
HKLM-x32\...\RunOnce: [SpUninstallCleanUp] => REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect /f
HKLM-x32\...\RunOnce: [20140526] => C:\Program Files\AVAST\setup\emupdate\e92b0ee4-0af7-4a72-8787-242a94894a92.exe [182720 2014-05-27] (AVAST Software)
HKLM-x32\...\RunOnce: [20140529] => C:\Program Files\AVAST\setup\emupdate\822dd55d-ad6c-4a40-a6d9-c822b6268856.exe [183208 2014-05-30] (AVAST Software)
HKLM-x32\...\RunOnce: [ Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\ Malwarebytes Anti-Malware \mbamdor.exe [54072 2014-05-12] (Malwarebytes Corporation)
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Standardbenutzer\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\MountPoints2: {0972c94d-c786-11e1-8265-00241ddf508f} - J:\unlock.exe autoplay=true
HKU\S-1-5-21-3278078431-535217013-2662550515-1001\...\MountPoints2: {11fe8b0a-099a-11e2-b644-00241ddf508f} - G:\Autorun.exe
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST\ashShA64.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xFA19FFF41745CE01
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - {BF3DE226-70BD-4BE9-BC47-D3612B7920ED} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=NDV&o=15765&src=kw&q={searchTerms}&locale=&apn_ptnrs=NY&apn_dtid=YYYYYYYYDE&apn_uid=F65F8253-4059-4066-B74C-50FAC716EF22&apn_sauid=B7E7D51B-4BC9-40D9-8A38-9D18BF2A5BEA
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST\aswWebRepIE.dll (AVAST Software)
BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3AE06AF8-C412-41B8-A0A4-481AA6EFCF70}: [NameServer]73.42.43.62,82.212.62.62

FireFox:
========
FF ProfilePath: C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302
FF Homepage: https://www.startpage.com/
FF NetworkProxy: "backup.ftp", "190.0.17.202"
FF NetworkProxy: "backup.ftp_port", 8080
FF NetworkProxy: "backup.socks", "190.0.17.202"
FF NetworkProxy: "backup.socks_port", 8080
FF NetworkProxy: "backup.ssl", "190.0.17.202"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "ftp", "190.0.17.202"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "http", "190.0.17.202"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "190.0.17.202"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "190.0.17.202"
FF NetworkProxy: "ssl_port", 8080
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk - C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: DownloadHelper - C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-03-25]
FF Extension: Adblock Plus - C:\Users\Standardbenutzer\AppData\Roaming\Mozilla\Firefox\Profiles\jnn9fg5b.default-1372953077302\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-08-03]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST\WebRep\FF [2012-09-22]

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-11-16] (Advanced Micro Devices, Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST\AvastSvc.exe [50344 2014-07-06] (AVAST Software)
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
S3 Apowersoft_AudioDevice; C:\Windows\System32\drivers\Apowersoft_AudioDevice.sys [31920 2013-06-02] (Wondershare)
S3 Asushwio; C:\Windows\SysWOW64\drivers\Asushwio.sys [5824 2000-03-29] () [File not signed]
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-06] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-06] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-06] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-06] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-06] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-06] ()
R3 kncbda; C:\Windows\System32\DRIVERS\kncbda64.sys [180736 2008-08-13] (ODSoft multimedia)
R3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [15488 2008-12-11] (ROCCAT Ltd)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [122584 2014-07-18] (Malwarebytes Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2014-07-13] (Duplex Secure Ltd.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-07-22 21:49 - 2014-07-22 21:49 - 00011538 _____ () C:\Users\Standardbenutzer\Desktop\FRST.txt
2014-07-22 21:49 - 2014-07-22 21:49 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\FRST-OlderVersion
2014-07-22 21:06 - 2014-07-22 21:06 - 00000674 _____ () C:\Users\Standardbenutzer\Desktop\checkup.txt
2014-07-22 20:59 - 2014-07-22 20:59 - 00854390 _____ () C:\Users\Standardbenutzer\Desktop\SecurityCheck.exe
2014-07-20 23:01 - 2014-07-21 20:09 - 00000000 ____D () C:\ProgramData\boost_interprocess
2014-07-20 22:01 - 2014-07-20 22:01 - 00000000 ____D () C:\Windows\ERUNT
2014-07-20 21:51 - 2014-07-20 22:00 - 00000000 ____D () C:\AdwCleaner
2014-07-19 23:18 - 2014-07-19 23:18 - 00019635 _____ () C:\ComboFix.txt
2014-07-19 23:10 - 2014-07-19 23:18 - 00000000 ____D () C:\Qoobox
2014-07-19 23:10 - 2014-07-19 23:17 - 00000000 ____D () C:\Windows\erdnt
2014-07-19 23:10 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-07-19 23:10 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-07-19 23:10 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-07-19 23:10 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-07-19 23:08 - 2014-07-19 23:08 - 05222180 ____R (Swearware) C:\Users\Standardbenutzer\Desktop\ComboFix.exe
2014-07-19 00:25 - 2014-07-19 00:25 - 00380416 _____ () C:\Users\Standardbenutzer\Desktop\iw14ewr4.exe
2014-07-19 00:15 - 2014-07-22 21:49 - 02090496 _____ (Farbar) C:\Users\Standardbenutzer\Desktop\FRST64.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00050477 _____ () C:\Users\Standardbenutzer\Desktop\Defogger.exe
2014-07-19 00:11 - 2014-07-19 00:11 - 00000586 _____ () C:\Users\Standardbenutzer\Desktop\defogger_disable.log
2014-07-19 00:11 - 2014-07-19 00:11 - 00000020 _____ () C:\Users\********\defogger_reenable
2014-07-19 00:06 - 2014-07-19 18:31 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Thunderbird
2014-07-18 23:43 - 2014-07-18 23:43 - 00004362 _____ () C:\Users\Standardbenutzer\Desktop\emails.txt
2014-07-18 17:08 - 2014-07-18 17:08 - 02347384 _____ (ESET) C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe
2014-07-18 16:52 - 2014-07-18 17:04 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:53 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-18 16:52 - 2014-07-18 16:52 - 00001102 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-18 16:52 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-07-18 16:52 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-07-18 16:52 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-07-18 16:51 - 2014-07-18 23:59 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Standardbenutzer\Desktop\mbam-setup-2.0.2.1012.exe
2014-07-18 16:43 - 2014-07-22 21:49 - 00000000 ____D () C:\FRST
2014-07-17 18:02 - 2014-07-17 18:02 - 00001679 _____ () C:\Users\Standardbenutzer\Desktop\Player.exe - Verknüpfung.lnk
2014-07-17 17:53 - 2014-07-17 17:53 - 00001493 _____ () C:\Users\Standardbenutzer\Desktop\ts3client_win64.exe - Verknüpfung.lnk 2014-07-17 17:36 - 2014-07-17 17:36 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client 2014-07-16 20:29 - 2014-07-16 20:29 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk 2014-07-16 20:29 - 2014-07-16 20:29 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk 2014-07-16 20:29 - 2014-07-16 20:29 - 00000000 ____D () C:\Windows\de 2014-07-15 20:14 - 2014-07-16 20:23 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\Windows Live 2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\DVDVideoSoft 2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\DVDVideoSoft 2014-07-15 19:40 - 2014-07-15 20:05 - 00000000 ____D () C:\Users\********\AppData\Roaming\DVDVideoSoft 2014-07-13 18:11 - 2014-07-13 18:11 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Neuer Ordner 2014-07-13 13:40 - 2014-07-13 13:47 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\AquaSoft 2014-07-13 13:40 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\AquaSoft 2014-07-13 13:30 - 2014-07-13 13:30 - 00386680 _____ (Duplex Secure Ltd.) 
C:\Windows\system32\Drivers\sptd.sys 2014-07-13 13:29 - 2014-07-13 13:29 - 00001083 _____ () C:\Users\Public\Desktop\DiaShow 8 Ultimate.lnk 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 __HDC () C:\ProgramData\{3C060505-DF86-4BC0-8DF4-E59FE3326A8A} 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AquaSoft 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\Program Files (x86)\AquaSoft 2014-07-13 13:01 - 2014-07-13 13:12 - 00000000 ____D () C:\Users\Standardbenutzer\.DVDslideshowGUI 2014-07-13 13:01 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\ImgBurn 2014-07-13 12:54 - 2014-07-13 13:00 - 00000000 ____D () C:\Users\********\.DVDslideshowGUI 2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe 2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter 2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali 2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AviSynth 2.5 2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\Program Files (x86)\AviSynth 2.5 2014-07-09 20:01 - 2014-06-30 04:09 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-07-09 20:01 - 2014-06-30 04:04 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-07-09 20:01 - 2014-06-18 04:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe 2014-07-09 20:01 - 2014-06-18 03:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe 2014-07-09 20:01 - 2014-06-18 03:10 - 03157504 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2014-07-09 20:01 - 2014-06-06 12:10 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll 2014-07-09 20:01 - 2014-06-06 11:44 - 00509440 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\qedit.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll 2014-07-09 20:01 - 2014-05-30 10:08 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll 2014-07-09 20:01 - 2014-05-30 09:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll 2014-07-09 20:01 - 2014-05-30 08:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys 2014-07-09 20:00 - 2014-06-20 22:14 - 00266424 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll 2014-07-09 20:00 - 2014-06-20 21:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll 2014-07-09 20:00 - 2014-06-19 03:39 - 23464448 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 
2014-07-09 20:00 - 2014-06-19 03:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2014-07-09 20:00 - 2014-06-19 03:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll 2014-07-09 20:00 - 2014-06-19 02:48 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2014-07-09 20:00 - 2014-06-19 02:42 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll 2014-07-09 20:00 - 2014-06-19 02:42 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2014-07-09 20:00 - 2014-06-19 02:41 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll 2014-07-09 20:00 - 2014-06-19 02:41 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll 2014-07-09 20:00 - 2014-06-19 02:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2014-07-09 20:00 - 2014-06-19 02:31 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2014-07-09 20:00 - 2014-06-19 02:26 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2014-07-09 20:00 - 2014-06-19 02:24 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2014-07-09 20:00 - 2014-06-19 02:24 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe 2014-07-09 20:00 - 2014-06-19 02:23 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll 2014-07-09 20:00 - 2014-06-19 02:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-07-09 20:00 - 2014-06-19 02:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe 2014-07-09 20:00 - 2014-06-19 02:09 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2014-07-09 20:00 - 2014-06-19 01:59 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll 2014-07-09 20:00 - 2014-06-19 01:56 - 02724864 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\mshtml.tlb 2014-07-09 20:00 - 2014-06-19 01:53 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll 2014-07-09 20:00 - 2014-06-19 01:51 - 05721088 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2014-07-09 20:00 - 2014-06-19 01:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2014-07-09 20:00 - 2014-06-19 01:48 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2014-07-09 20:00 - 2014-06-19 01:39 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2014-07-09 20:00 - 2014-06-19 01:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2014-07-09 20:00 - 2014-06-19 01:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-07-09 20:00 - 2014-06-19 01:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll 2014-07-09 20:00 - 2014-06-19 01:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll 2014-07-09 20:00 - 2014-06-19 01:33 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2014-07-09 20:00 - 2014-06-19 01:32 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-07-09 20:00 - 2014-06-19 01:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-07-09 20:00 - 2014-06-19 01:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-07-09 20:00 - 2014-06-19 01:27 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2014-07-09 20:00 - 2014-06-19 01:27 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll 2014-07-09 20:00 - 2014-06-19 01:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-07-09 20:00 - 2014-06-19 01:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2014-07-09 20:00 - 2014-06-19 01:22 - 00592896 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\jscript9diag.dll 2014-07-09 20:00 - 2014-06-19 01:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll 2014-07-09 20:00 - 2014-06-19 01:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-07-09 20:00 - 2014-06-19 01:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-07-09 20:00 - 2014-06-19 00:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2014-07-09 20:00 - 2014-06-19 00:58 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2014-07-09 20:00 - 2014-06-19 00:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll 2014-07-09 20:00 - 2014-06-19 00:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-07-09 20:00 - 2014-06-19 00:51 - 13527040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2014-07-09 20:00 - 2014-06-19 00:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-07-09 20:00 - 2014-06-19 00:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll 2014-07-09 20:00 - 2014-06-19 00:45 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2014-07-09 20:00 - 2014-06-19 00:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-07-09 20:00 - 2014-06-19 00:34 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2014-07-09 20:00 - 2014-06-19 00:15 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll 2014-07-09 20:00 - 2014-06-19 00:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-07-09 20:00 - 2014-06-19 00:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-07-09 20:00 - 2014-06-19 00:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll 2014-07-09 20:00 - 2014-06-05 16:45 - 01460736 _____ (Microsoft Corporation) 
C:\Windows\system32\lsasrv.dll 2014-07-09 20:00 - 2014-06-05 16:26 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2014-07-09 20:00 - 2014-06-05 16:25 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll 2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr 2014-07-05 22:39 - 2014-07-05 22:39 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\LibreOffice 2014-07-05 15:56 - 2014-07-05 15:56 - 00000719 _____ () C:\Users\Standardbenutzer\Desktop\USA Praesentation - Verknüpfung.lnk 2014-07-05 14:19 - 2014-07-05 14:20 - 00000000 ____D () C:\Program Files (x86)\w3arena 2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk 2014-07-05 14:19 - 2014-07-05 14:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\w3arena.net Launcher 1.8.7 2014-06-22 18:23 - 2014-06-22 18:35 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\bilderrahmen ==================== One Month Modified Files and Folders ======= 2014-07-22 21:50 - 2014-07-22 21:49 - 00011538 _____ () C:\Users\Standardbenutzer\Desktop\FRST.txt 2014-07-22 21:49 - 2014-07-22 21:49 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\FRST-OlderVersion 2014-07-22 21:49 - 2014-07-19 00:15 - 02090496 _____ (Farbar) C:\Users\Standardbenutzer\Desktop\FRST64.exe 2014-07-22 21:49 - 2014-07-18 16:43 - 00000000 ____D () C:\FRST 2014-07-22 21:39 - 2013-07-04 20:49 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-07-22 21:06 - 2014-07-22 21:06 - 00000674 _____ () C:\Users\Standardbenutzer\Desktop\checkup.txt 2014-07-22 20:59 - 2014-07-22 20:59 - 00854390 _____ () C:\Users\Standardbenutzer\Desktop\SecurityCheck.exe 2014-07-22 18:32 - 2012-07-01 12:21 - 01189639 _____ () C:\Windows\WindowsUpdate.log 2014-07-22 16:51 - 2009-07-14 06:45 - 00014752 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 
2014-07-22 16:51 - 2009-07-14 06:45 - 00014752 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-07-22 16:43 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-07-22 16:43 - 2009-07-14 06:51 - 00179582 _____ () C:\Windows\setupact.log 2014-07-21 22:08 - 2009-07-14 19:58 - 01731914 _____ () C:\Windows\system32\perfh007.dat 2014-07-21 22:08 - 2009-07-14 19:58 - 00470350 _____ () C:\Windows\system32\perfc007.dat 2014-07-21 22:08 - 2009-07-14 07:13 - 00006264 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-07-21 20:09 - 2014-07-20 23:01 - 00000000 ____D () C:\ProgramData\boost_interprocess 2014-07-20 22:01 - 2014-07-20 22:01 - 00000000 ____D () C:\Windows\ERUNT 2014-07-20 22:00 - 2014-07-20 21:51 - 00000000 ____D () C:\AdwCleaner 2014-07-20 21:53 - 2012-07-01 18:14 - 00322184 _____ () C:\Windows\PFRO.log 2014-07-20 17:53 - 2012-08-05 16:44 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\Meine PSP-Dateien 2014-07-19 23:18 - 2014-07-19 23:18 - 00019635 _____ () C:\ComboFix.txt 2014-07-19 23:18 - 2014-07-19 23:10 - 00000000 ____D () C:\Qoobox 2014-07-19 23:18 - 2009-07-14 06:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk 2014-07-19 23:18 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default 2014-07-19 23:17 - 2014-07-19 23:10 - 00000000 ____D () C:\Windows\erdnt 2014-07-19 23:16 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini 2014-07-19 23:08 - 2014-07-19 23:08 - 05222180 ____R (Swearware) C:\Users\Standardbenutzer\Desktop\ComboFix.exe 2014-07-19 18:31 - 2014-07-19 00:06 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Thunderbird 2014-07-19 00:25 - 2014-07-19 00:25 - 00380416 _____ () C:\Users\Standardbenutzer\Desktop\iw14ewr4.exe 2014-07-19 00:11 - 2014-07-19 00:11 - 00050477 _____ () C:\Users\Standardbenutzer\Desktop\Defogger.exe 2014-07-19 00:11 - 2014-07-19 00:11 - 00000586 _____ () 
C:\Users\Standardbenutzer\Desktop\defogger_disable.log 2014-07-19 00:11 - 2014-07-19 00:11 - 00000020 _____ () C:\Users\********\defogger_reenable 2014-07-19 00:11 - 2012-07-01 12:21 - 00000000 ____D () C:\Users\******** 2014-07-18 23:59 - 2014-07-18 16:51 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Standardbenutzer\Desktop\mbam-setup-2.0.2.1012.exe 2014-07-18 23:43 - 2014-07-18 23:43 - 00004362 _____ () C:\Users\Standardbenutzer\Desktop\emails.txt 2014-07-18 17:08 - 2014-07-18 17:08 - 02347384 _____ (ESET) C:\Users\Standardbenutzer\Desktop\esetsmartinstaller_deu.exe 2014-07-18 17:04 - 2014-07-18 16:52 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 2014-07-18 17:03 - 2014-04-07 22:03 - 00000000 ____D () C:\Users\********\AppData\Local\DM 2014-07-18 16:53 - 2014-07-18 16:52 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2014-07-18 16:52 - 2014-07-18 16:52 - 00001102 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk 2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 2014-07-18 16:52 - 2014-07-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes 2014-07-18 16:43 - 2012-11-10 10:37 - 00000000 ____D () C:\Program Files (x86)\Java 2014-07-17 18:02 - 2014-07-17 18:02 - 00001679 _____ () C:\Users\Standardbenutzer\Desktop\Player.exe - Verknüpfung.lnk 2014-07-17 17:53 - 2014-07-17 17:53 - 00001493 _____ () C:\Users\Standardbenutzer\Desktop\ts3client_win64.exe - Verknüpfung.lnk 2014-07-17 17:36 - 2014-07-17 17:36 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client 2014-07-17 17:36 - 2012-07-01 19:05 - 00000000 ____D () C:\Program Files\TeamSpeak 3 Client 2014-07-17 17:30 - 2012-07-01 20:08 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\TS3Client 2014-07-17 17:30 - 2012-07-01 19:06 - 00000000 ____D () 
C:\Users\********\AppData\Roaming\TS3Client 2014-07-16 20:29 - 2014-07-16 20:29 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk 2014-07-16 20:29 - 2014-07-16 20:29 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk 2014-07-16 20:29 - 2014-07-16 20:29 - 00000000 ____D () C:\Windows\de 2014-07-16 20:28 - 2013-06-23 14:46 - 00000000 ____D () C:\Program Files (x86)\Windows Live 2014-07-16 20:27 - 2012-07-28 20:12 - 00064120 _____ () C:\Windows\DirectX.log 2014-07-16 20:23 - 2014-07-15 20:14 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\Windows Live 2014-07-15 20:05 - 2014-07-15 19:40 - 00000000 ____D () C:\Users\********\AppData\Roaming\DVDVideoSoft 2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\DVDVideoSoft 2014-07-15 19:41 - 2014-07-15 19:41 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\DVDVideoSoft 2014-07-13 18:11 - 2014-07-13 18:11 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Neuer Ordner 2014-07-13 13:47 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\AquaSoft 2014-07-13 13:40 - 2014-07-13 13:40 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Local\AquaSoft 2014-07-13 13:32 - 2012-07-01 20:01 - 00076712 _____ () C:\Users\Standardbenutzer\AppData\Local\GDIPFONTCACHEV1.DAT 2014-07-13 13:31 - 2009-07-14 06:45 - 00321040 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-07-13 13:30 - 2014-07-13 13:30 - 00386680 _____ (Duplex Secure Ltd.) 
C:\Windows\system32\Drivers\sptd.sys 2014-07-13 13:29 - 2014-07-13 13:29 - 00001083 _____ () C:\Users\Public\Desktop\DiaShow 8 Ultimate.lnk 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 __HDC () C:\ProgramData\{3C060505-DF86-4BC0-8DF4-E59FE3326A8A} 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AquaSoft 2014-07-13 13:29 - 2014-07-13 13:29 - 00000000 ____D () C:\Program Files (x86)\AquaSoft 2014-07-13 13:23 - 2012-07-01 17:48 - 00076712 _____ () C:\Users\********\AppData\Local\GDIPFONTCACHEV1.DAT 2014-07-13 13:12 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\.DVDslideshowGUI 2014-07-13 13:01 - 2014-07-13 13:01 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\ImgBurn 2014-07-13 13:01 - 2012-07-01 20:01 - 00000000 ____D () C:\Users\Standardbenutzer 2014-07-13 13:00 - 2014-07-13 12:54 - 00000000 ____D () C:\Users\********\.DVDslideshowGUI 2014-07-13 12:54 - 2014-07-13 12:54 - 00034936 _____ () C:\Windows\SysWOW64\uninstHelixYUV.exe 2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter 2014-07-13 12:54 - 2014-07-13 12:54 - 00000000 ____D () C:\Program Files (x86)\Haali 2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AviSynth 2.5 2014-07-13 12:53 - 2014-07-13 12:53 - 00000000 ____D () C:\Program Files (x86)\AviSynth 2.5 2014-07-12 16:26 - 2009-07-14 07:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT 2014-07-12 09:11 - 2014-03-21 20:01 - 00000000 ____D () C:\Users\Standardbenutzer\Documents\Adobe 2014-07-12 09:11 - 2012-07-01 20:12 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\Adobe 2014-07-10 19:16 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache 2014-07-10 18:41 - 2014-05-06 10:19 - 00000000 ___SD () C:\Windows\system32\CompatTel 2014-07-10 18:41 - 2009-07-14 20:18 - 00000000 ____D () C:\Program Files\Windows 
Journal 2014-07-10 18:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism 2014-07-10 18:41 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\Dism 2014-07-09 23:21 - 2013-08-09 16:16 - 00000000 ____D () C:\Windows\system32\MRT 2014-07-09 23:20 - 2012-07-01 17:44 - 96441528 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-07-09 19:39 - 2013-04-13 16:31 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2014-07-09 19:39 - 2013-04-13 16:31 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-07-06 19:25 - 2013-07-12 11:47 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\Domi 2014-07-06 17:45 - 2012-09-22 20:39 - 00000000 ____D () C:\Program Files\AVAST 2014-07-06 09:25 - 2014-07-06 09:25 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr 2014-07-06 09:25 - 2014-04-20 11:24 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys 2014-07-06 09:25 - 2014-04-02 16:50 - 00001763 _____ () C:\Users\Public\Desktop\avast! 
Free Antivirus.lnk 2014-07-06 09:25 - 2013-12-20 16:32 - 00092008 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys 2014-07-06 09:25 - 2013-03-06 18:44 - 00224896 _____ () C:\Windows\system32\Drivers\aswVmm.sys 2014-07-06 09:25 - 2013-03-06 18:44 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys 2014-07-06 09:25 - 2012-09-22 20:40 - 01041168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys 2014-07-06 09:25 - 2012-09-22 20:40 - 00427360 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys 2014-07-06 09:25 - 2012-09-22 20:40 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys 2014-07-06 09:25 - 2012-09-22 20:39 - 00307344 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe 2014-07-06 09:25 - 2012-09-22 20:39 - 00079184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys 2014-07-05 22:39 - 2014-07-05 22:39 - 00000000 ____D () C:\Users\Standardbenutzer\AppData\Roaming\LibreOffice 2014-07-05 15:56 - 2014-07-05 15:56 - 00000719 _____ () C:\Users\Standardbenutzer\Desktop\USA Praesentation - Verknüpfung.lnk 2014-07-05 14:20 - 2014-07-05 14:19 - 00000000 ____D () C:\Program Files (x86)\w3arena 2014-07-05 14:19 - 2014-07-05 14:19 - 00000925 _____ () C:\Users\Public\Desktop\w3arena.lnk 2014-07-05 14:19 - 2014-07-05 14:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\w3arena.net Launcher 1.8.7 2014-06-30 04:09 - 2014-07-09 20:01 - 00519168 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll 2014-06-30 04:04 - 2014-07-09 20:01 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll 2014-06-24 06:27 - 2014-05-04 13:55 - 00015351 _____ () C:\Users\Standardbenutzer\Desktop\Gewicht.ods 2014-06-22 18:35 - 2014-06-22 18:23 - 00000000 ____D () C:\Users\Standardbenutzer\Desktop\bilderrahmen ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is 
digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed ==================== End Of Log ============================ --- --- --- |
23.07.2014, 12:07 | #14 |
/// the machine /// TB-Ausbilder | Win 7: spam sent to the Thunderbird portable address book "Collected Addresses"
Yes, we removed plenty of adware. Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document:
Code:
HKLM-x32\...\RunOnce: [SpUninstallCleanUp] => REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect /f
Please save it as Fixlist.txt on your desktop (or in the directory in which FRST is located).
Done. The order here is essential.
If you would like to leave praise or criticism, you can do so here. Here are a few more tips on securing your system. I cannot mention often enough how important it is that your system is up to date.
Antivirus software
Additional protection
Safe browsing
Alternative browsers: Other browsers tend to be somewhat more secure than IE, since they do not use ActiveX elements. These can be abused by spyware to infect your system.
Performance: Clean up your temp files regularly. I recommend TFC for this. Stay away from any registry cleaners. They do your system more harm than good. Here are a few (English) links: Miekemoes Blogspot (MVP), Bill Castner (MVP). Don'ts
Note: Please give me a short reply when everything is done and no questions remain, so that I can delete this thread from my subscriptions.
__________________
Regards, schrauber
Proud Member of UNITE and ASAP since 2009
Donate | Guides and help | Trojaner-Board Facebook page | No support via PM! |
23.07.2014, 18:52 | #15 |
| Win 7: spam sent to the Thunderbird portable address book "Collected Addresses"
Thanks for the info. Here is the log. It seems not to have worked:
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-07-2014 01
Ran by Standardbenutzer at 2014-07-23 19:50:01 Run:1
Running from C:\Users\Standardbenutzer\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM-x32\...\RunOnce: [SpUninstallCleanUp] => REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect /f
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\HKLM-x32\...\RunOnce: [SpUninstallCleanUp] => REG delete HKEY_LOCAL_MACHINE\Software\SearchProtect /f => Value not found.

==== End of Fixlog ==== |
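Added here as an editor's example, not a post from the thread: the Fixlog above reports "Value not found" for the RunOnce entry that the Fixlist in post #14 targeted, and the following PowerShell script is one way to verify that result by hand instead of relying on a single tool's output. It enumerates every value under the Run and RunOnce keys in both the native and the WOW6432Node (32-bit) registry views, reports whether SpUninstallCleanUp is still present anywhere, and then checks whether the HKLM\Software\SearchProtect key that the entry's command referred to still exists. The value name and the SearchProtect path come from the thread; the key list and the function name Get-AutostartEntries are assumptions of this example, and the script only reads the registry, it deletes nothing.

```powershell
# Added example (not from the thread): read-only check of the Run/RunOnce
# autostart keys after an FRST fix. The value name 'SpUninstallCleanUp' and
# the SearchProtect key come from the thread; the key list below is an
# assumption about where such an entry could live.

$ValueName = 'SpUninstallCleanUp'   # value the Fixlist tried to delete

# Both registry views: 64-bit software uses the plain path, 32-bit software
# (which is what the FRST "HKLM-x32" prefix denotes) lands under WOW6432Node.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Returns one object per value (name + command) under each existing key.
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

$entries = Get-AutostartEntries -Keys $AutostartKeys

# Show everything, so leftovers from other adware are visible as well.
$entries | Format-Table -AutoSize

# Specifically look for the value named in the Fixlist.
$hit = $entries | Where-Object { $_.Name -eq $ValueName }
if ($hit) {
    Write-Warning "Value '$ValueName' is still present in: $($hit.Key -join ', ')"
} else {
    Write-Host "Value '$ValueName' not found in any Run/RunOnce key (consistent with the Fixlog)."
}

# The command stored in that value pointed at HKLM\Software\SearchProtect;
# confirm that this key is gone in both registry views too.
foreach ($sp in 'HKLM:\SOFTWARE\SearchProtect', 'HKLM:\SOFTWARE\WOW6432Node\SearchProtect') {
    if (Test-Path -LiteralPath $sp) {
        Write-Warning "Key still present: $sp"
    } else {
        Write-Host "Key not present: $sp"
    }
}
```

Run it from an elevated PowerShell prompt so that the HKLM keys are readable; the HKCU keys are included because per-user autostarts are just as common a location for adware leftovers as the machine-wide ones, and a clean result in both views is what the "Value not found" line in the Fixlog should correspond to.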