| |
| |||||||
Log-Analyse und Auswertung: Windows 7: "HealthAlert" befällt alle BrowserWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
 |
| |
21.01.2015, 17:28
| #1 |
| |  Windows 7: "HealthAlert" befällt alle Browser Hallo Leute, ich habe mir durch die Installation einer Anwendung (und trotz höchster Aufmerksamkeit, was das angeht) etwas eingefangen. Nämlich wird nun in allen Browsern (IE und Firefox) immer Werbung eingeblendet. Drunter steht immer "Ad by Health Alert". Auch wird normaler Text auf Websites zu Links gemacht. Nun habe ich mein Möglichstes versucht: Deinstallieren über Systemsteuerung, Deinstallieren mit dem Revo Uninstaller, Bereinigen der Registry, Zurücksetzen von Firefox, Neuinstallation der Browser, Malwarebytes, Spybot und SUPERAntiSpyware liefen - allein, es hilft nichts: "HealthAlert" ist immer noch da :-/ Ich bin mit meiner ohnehin beschränkten Weisheit am Ende. Würde mich freuen, wenn von euch jemand Rat weiß! Vielen Dank schon mal im Voraus. (Die Logfiles will er mir hier leider partout nicht einfügen, weil zu lang. Darum häng ich sie an.) |
|
21.01.2015, 17:31
| #2 |
| /// the machine /// TB-Ausbilder    | Windows 7: "HealthAlert" befällt alle Browser Hi,
__________________Logs bitte immer in den Thread posten. Zur Not aufteilen und mehrere Posts nutzen. Ich kann auf Arbeit keine Anhänge öffnen, danke.  So funktioniert es:Posten in CODE-Tags Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
__________________ |
|
21.01.2015, 17:37
| #3 |
| | Windows 7: "HealthAlert" befällt alle Browser Ok, versuchen wirs:
__________________defogger.txt Code:
ATTFilter
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:48 on 21/01/2015 (Bernhard)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
FRST.txt FRST Logfile: FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by XXXXX (administrator) on XXXXX-PC on 21-01-2015 16:50:00
Running from C:\Users\XXXXX\Downloads
Loaded Profiles: XXXXX (Available profiles: XXXXX)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
() C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Rational Thought Solutions) C:\ProgramData\TExOqonDHMW\pyFWawfV.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Dropbox, Inc.) C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_14_0_0_145.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_14_0_0_145.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2809856 2012-01-16] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-09] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyServer: [S-1-5-21-1390501103-4066318671-3342385200-1000] => 176.61.136.76:8080
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.newsmap.jp/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: 129.187.254.40 asa01.lrz.de
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
FireFox:
========
FF ProfilePath: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox
FF NetworkProxy: "ftp", "127.0.0.1"
FF NetworkProxy: "ftp_port", 4001
FF NetworkProxy: "gopher", "127.0.0.1"
FF NetworkProxy: "gopher_port", 4001
FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 4001
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "socks", "127.0.0.1"
FF NetworkProxy: "socks_port", 4001
FF NetworkProxy: "socks_remote_dns", true
FF NetworkProxy: "ssl", "127.0.0.1"
FF NetworkProxy: "ssl_port", 4001
FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\blekko-ssl.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\duckduckgo-ssl-javascript-free.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\google-de-ssl.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\google-encrypted-no-personalization.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick-ssl-pictures---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick-ssl-pictures---english.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-eng-ger.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-esp-ale.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-fra-all.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\metager2.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ssl-wikipedia-deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ssl-wikipedia-english.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\startpage-https---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\startpage-https.xml
FF Extension: HTTPS-Everywhere - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\https-everywhere@eff.org [2014-08-03]
FF Extension: DownloadHelper - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-08-03]
FF Extension: JonDoFox - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{437be45a-4114-11dd-b9ab-71d256d89593}.xpi [2014-07-23]
FF Extension: NoScript - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-07-22]
FF Extension: Cookie Controller - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{ac2cfa60-bc96-11e0-962b-0800200c9a66}.xpi [2014-07-22]
FF Extension: Adblock Plus - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-06-11]
FF Extension: ProfileSwitcher - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}.xpi [2014-06-11]
FF Extension: Ghostery - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\firefox@ghostery.com.xpi [2015-01-21]
FF Extension: No Name - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\jid1-P34HaABBBpOerQ@jetpack.xpi [2015-01-21]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
Chrome:
=======
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-04] (AVAST Software)
S4 DamageGuardSvc; C:\Program Files\Lenovo\Instant Reset\DamageGuardSvc.exe [572976 2012-02-13] (Lenovo (Beijing) Limited)
R2 DirMngr; C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [218112 2013-10-07] () [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
R2 pyFWawfV; C:\ProgramData\TExOqonDHMW\pyFWawfV.exe [2734400 2015-01-21] (Rational Thought Solutions)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-12-04] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-12-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-12-04] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-12-04] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-12-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-12-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-12-04] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-12-04] ()
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-02] (Broadcom Corporation.)
S4 DamageGuard; C:\Windows\System32\DRIVERS\DamageGuardX64.sys [217392 2012-02-10] (Lenovo)
S4 dgFltr; C:\Windows\System32\drivers\dgFltrX64.sys [23648 2011-12-13] (Lenovo)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-10-10] (Cisco Systems, Inc.)
U3 BcmSqlStartupSvc; No ImagePath
S3 btwampfl; \??\C:\Windows\system32\drivers\btwampfl.sys [X]
S3 btwaudio; system32\drivers\btwaudio.sys [X]
S3 btwavdt; system32\drivers\btwavdt.sys [X]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; system32\DRIVERS\btwrchid.sys [X]
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
U2 DriverService; No ImagePath
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
S3 massfilter; system32\drivers\massfilter.sys [X]
S3 massfilter_hs; system32\drivers\massfilter_hs.sys [X]
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 vm332avs; System32\Drivers\vm332avs.sys [X]
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [X]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-21 16:50 - 2015-01-21 16:50 - 00016961 _____ () C:\Users\XXXXX\Downloads\FRST.txt
2015-01-21 16:49 - 2015-01-21 16:50 - 00000000 ____D () C:\FRST
2015-01-21 16:49 - 2015-01-21 16:49 - 02126848 _____ (Farbar) C:\Users\XXXXX\Downloads\FRST64.exe
2015-01-21 16:48 - 2015-01-21 16:48 - 00000478 _____ () C:\Users\XXXXX\Desktop\defogger_disable.log
2015-01-21 16:48 - 2015-01-21 16:48 - 00000000 _____ () C:\Users\XXXXX\defogger_reenable
2015-01-21 16:47 - 2015-01-21 16:47 - 00050477 _____ () C:\Users\XXXXX\Downloads\Defogger.exe
2015-01-21 15:20 - 2015-01-21 16:47 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\HealthAlert
2015-01-21 15:04 - 2015-01-21 16:23 - 00023465 _____ () C:\Users\XXXXX\Desktop\handtaschen.odt
2015-01-21 15:04 - 2015-01-21 15:04 - 00009449 _____ () C:\Users\XXXXX\Desktop\cannabis.odt
2015-01-21 13:48 - 2015-01-21 15:24 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2015-01-21 12:59 - 2015-01-21 12:59 - 00001174 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-21 12:59 - 2015-01-21 12:59 - 00001162 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-21 12:59 - 2015-01-21 12:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-21 12:42 - 2015-01-21 15:14 - 00007224 _____ () C:\Windows\PFRO.log
2015-01-21 12:42 - 2015-01-21 15:14 - 00000112 _____ () C:\Windows\setupact.log
2015-01-21 12:42 - 2015-01-21 15:14 - 00000022 _____ () C:\Windows\S.dirmngr
2015-01-21 12:42 - 2015-01-21 12:42 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-21 12:23 - 2015-01-21 12:23 - 00003116 _____ () C:\Windows\System32\Tasks\{B1A80AA6-5F61-4EEB-A31D-833CA9CF90F9}
2015-01-21 12:16 - 2015-01-21 12:16 - 00000000 ____D () C:\ProgramData\TExOqonDHMW
2015-01-21 12:14 - 2015-01-21 16:03 - 00015031 _____ () C:\Users\XXXXX\Desktop\fragen - geräuschemacher.odt
2015-01-20 14:05 - 2015-01-20 14:14 - 993524076 _____ () C:\Users\XXXXX\Desktop\Dokumentation-Italy,_Love_it_or_Leave_it-044459-000-A_EQ_1_VA-STA_01626678_MP4-1500_AMM-HBBTV.mp4
2015-01-18 17:45 - 2015-01-18 17:45 - 00056530 _____ () C:\Users\XXXXX\AppData\Local\recently-used.xbel
2015-01-16 23:21 - 2015-01-20 15:28 - 00020905 _____ () C:\Users\XXXXX\Desktop\beamer.odt
2015-01-16 18:11 - 2015-01-16 18:11 - 00021334 _____ () C:\Users\XXXXX\Desktop\mut der studenten.odt
2015-01-13 17:52 - 2015-01-14 01:10 - 00000000 ____D () C:\Users\XXXXX\Documents\Beatport Sync
2015-01-13 17:52 - 2015-01-13 17:52 - 00000000 ____D () C:\Program Files (x86)\Native Instruments
2015-01-11 20:01 - 2015-01-16 22:52 - 00023341 _____ () C:\Users\XXXXX\Desktop\carroll.odt
2015-01-11 15:15 - 2015-01-21 16:10 - 00028958 _____ () C:\Users\XXXXX\Desktop\kinorezension.odt
2015-01-05 19:34 - 2015-01-05 19:34 - 00000000 ___RD () C:\Users\XXXXX\Creative Cloud Files
2015-01-05 19:28 - 2015-01-05 19:28 - 00001108 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Content Viewer.lnk
2015-01-05 19:02 - 2015-01-05 19:02 - 00000000 ___RD () C:\Users\XXXXX\Creative Cloud Files (c3002257@trbvm.com)
2015-01-05 18:49 - 2015-01-05 18:49 - 00000000 ____D () C:\adobeTemp
2014-12-22 14:48 - 2015-01-15 18:18 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-21 16:48 - 2012-07-28 14:05 - 00000000 ____D () C:\Users\XXXXX
2015-01-21 15:22 - 2009-07-14 05:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-21 15:22 - 2009-07-14 05:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-21 15:18 - 2012-05-31 06:00 - 01449686 _____ () C:\Windows\WindowsUpdate.log
2015-01-21 15:16 - 2012-11-04 14:12 - 00000000 ___RD () C:\Users\XXXXX\Dropbox
2015-01-21 15:15 - 2012-11-03 13:14 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Dropbox
2015-01-21 15:14 - 2013-01-08 23:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-21 15:14 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-21 15:13 - 2014-08-03 16:30 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JonDoFox
2015-01-21 15:13 - 2014-02-26 11:50 - 00000000 ____D () C:\AdwCleaner
2015-01-21 15:13 - 2012-07-28 14:06 - 00000972 _____ () C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-21 14:39 - 2013-08-07 13:26 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\gnupg
2015-01-21 13:01 - 2014-09-17 16:58 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-01-21 12:53 - 2014-09-21 23:22 - 00003954 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{F6F4E6B6-9A6F-4BFC-AC3D-2222AAD939A2}
2015-01-21 12:44 - 2014-05-30 11:30 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-01-21 12:43 - 2009-07-14 03:34 - 00000529 _____ () C:\Windows\win.ini
2015-01-21 12:42 - 2014-09-10 11:13 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2015-01-21 12:41 - 2009-07-14 04:20 - 00000000 __RSD () C:\Windows\Media
2015-01-21 12:38 - 2012-12-20 01:19 - 17342464 ___SH () C:\Users\XXXXX\Desktop\Thumbs.db
2015-01-21 12:22 - 2014-05-13 22:33 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-01-21 11:24 - 2012-05-31 15:45 - 00696870 _____ () C:\Windows\system32\perfh007.dat
2015-01-21 11:24 - 2012-05-31 15:45 - 00148134 _____ () C:\Windows\system32\perfc007.dat
2015-01-21 11:24 - 2009-07-14 06:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-20 19:10 - 2012-10-25 20:18 - 00000000 ____D () C:\Users\XXXXX\Desktop\projekte
2015-01-20 14:14 - 2014-09-10 11:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-18 17:45 - 2014-06-05 18:46 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\gtk-2.0
2015-01-18 17:45 - 2013-05-06 13:59 - 00000000 ____D () C:\Users\XXXXX\.gimp-2.8
2015-01-15 19:35 - 2014-03-29 12:33 - 00001578 _____ () C:\Windows\system32\TeamViewer9_Hooks.log
2015-01-15 19:35 - 2014-03-20 19:37 - 00001113 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2015-01-12 22:15 - 2012-11-04 12:01 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Skype
2015-01-06 22:36 - 2014-06-05 19:27 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-06 22:36 - 2013-08-13 14:16 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\FileZilla
2015-01-06 21:46 - 2012-07-28 14:15 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Adobe
2015-01-06 21:46 - 2012-05-31 06:33 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-06 21:41 - 2014-05-23 18:51 - 00000000 ____D () C:\Program Files\Adobe
2015-01-05 19:34 - 2012-08-03 09:54 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\Adobe
2015-01-05 19:23 - 2014-05-23 18:27 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-05 09:27 - 2014-01-03 15:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2015-01-05 09:27 - 2014-01-03 15:45 - 00000000 ____D () C:\Program Files (x86)\FileZilla FTP Client
2014-12-25 12:03 - 2009-07-14 05:45 - 05030416 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-23 18:40 - 2012-07-28 14:06 - 00077408 _____ () C:\Users\XXXXX\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-22 20:23 - 2012-11-23 19:24 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\Thunderbird
==================== Files in the root of some directories =======
2014-07-16 01:16 - 2014-07-16 01:16 - 0071813 _____ () C:\Users\XXXXX\AppData\Roaming\gmic_grain_orwo_np20.cimgz
2014-07-16 01:22 - 2014-07-16 01:22 - 3107745 _____ () C:\Users\XXXXX\AppData\Roaming\update1593.gmic
2013-07-26 23:38 - 2014-02-26 00:35 - 0000215 _____ () C:\Users\XXXXX\AppData\Roaming\WB.CFG
2013-12-15 15:16 - 2013-12-15 15:16 - 0000006 _____ () C:\Users\XXXXX\AppData\Roaming\WBPU-Q5-TTL.DAT
2013-06-18 19:16 - 2014-01-28 09:35 - 0000005 _____ () C:\Users\XXXXX\AppData\Roaming\WBPU-TTL.DAT
2013-05-12 23:36 - 2014-03-13 13:05 - 0000600 _____ () C:\Users\XXXXX\AppData\Local\PUTTY.RND
2015-01-18 17:45 - 2015-01-18 17:45 - 0056530 _____ () C:\Users\XXXXX\AppData\Local\recently-used.xbel
Some content of TEMP:
====================
C:\Users\XXXXX\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppax6sy.dll
C:\Users\XXXXX\AppData\Local\Temp\Quarantine.exe
C:\Users\XXXXX\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-01-14 12:40
==================== End Of Log ============================
--- --- --- --- --- --- [/CODE] Addition.txt Code:
ATTFilter
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-01-2015
Ran by XXXXX at 2015-01-21 16:50:46
Running from C:\Users\XXXXX\Downloads
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: - )
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.178 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.8.800.94 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader X (10.1.10) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.10 - Adobe Systems Incorporated)
Adobe® Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 3.4.3 - Adobe Systems, Incorporated)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.0.9.9 - Atheros Communications Inc.)
Audacity 2.0.3 (HKLM-x32\...\Audacity_is1) (Version: 2.0.3 - Audacity Team)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 4.11 - Piriform)
Cisco AnyConnect Secure Mobility Client (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.04072 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (x32 Version: 3.1.04072 - Cisco Systems, Inc.) Hidden
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.54.32.50 - Conexant)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dolby Advanced Audio v2 (HKLM-x32\...\{B9E70C7A-9F85-4A39-A4A3-BFA3C3BF7613}) (Version: 7.2.7000.11 - Dolby Laboratories Inc)
Dropbox (HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Edna & Harvey: The Breakout (HKLM-x32\...\Steam App 255320) (Version: - Daedalic Entertainment)
FileZilla Client 3.9.0.6 (HKLM-x32\...\FileZilla Client) (Version: 3.9.0.6 - Tim Kosse)
GEAR driver installer for AMD64 and Intel EM64T (HKLM\...\{50CBBEC7-1010-41C5-8718-A1A6FEDD9C3A}) (Version: 2.001.2 - GEAR Software, Inc.)
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
G'MIC for GIMP Version 1.5.9.3 (HKLM-x32\...\G'MIC for GIMP_is1) (Version: 1.5.9.3 - )
Gpg4win (2.2.1) (HKLM-x32\...\GPG4Win) (Version: 2.2.1 - The Gpg4win Project)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.3.1427 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3062 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java 7 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.510 - Oracle)
Java(TM) 7 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217000F0}) (Version: 7.0.0 - Oracle)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - )
Lenovo pointing device (HKLM\...\Elantech) (Version: 10.4.2.8 - ELAN Microelectronic Corp.)
Lenovo_Wireless_Driver (HKLM-x32\...\{28ABE740-47F3-441B-9437-852F6A64EFF8}) (Version: 1.02.01 - Lenovo)
Luhmann für Einsteiger (HKLM-x32\...\"Luhmann für Einsteiger"_is1) (Version: 2.0 - Michael Gerth)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 (HKLM-x32\...\{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}) (Version: 9.0.30411 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 35.0 (x86 de)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 35.0 - Mozilla)
Mozilla Thunderbird 31.4.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 31.4.0 (x86 de)) (Version: 31.4.0 - Mozilla)
Native Instruments Beatport Sync (HKLM-x32\...\Native Instruments Beatport Sync) (Version: - )
NirSoft Wireless Network Watcher (HKLM-x32\...\NirSoft Wireless Network Watcher) (Version: - )
OpenOffice 4.0.1 (HKLM-x32\...\{0AEC308E-7EB3-47F7-BB59-F2C9C6166B27}) (Version: 4.01.9714 - Apache Software Foundation)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.7.2 - pdfforge)
Pidgin (HKLM-x32\...\Pidgin) (Version: 2.10.9 - )
pidgin-otr 4.0.0-1 (HKLM-x32\...\pidgin-otr) (Version: 4.0.0-1 - Cypherpunks CA)
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 6.1.7601.39016 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype™ 6.1 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.1.129 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.2.25 - Safer-Networking Ltd.)
Steam (HKLM-x32\...\Steam) (Version: - Valve Corporation)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1146 - SUPERAntiSpyware.com)
System Requirements Lab for Intel (HKLM-x32\...\{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}) (Version: 4.5.13.0 - Husdawg, LLC)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
The Night of the Rabbit (HKLM-x32\...\Steam App 230820) (Version: - Daedalic Entertainment)
TOM Productions Game of Robot (HKLM-x32\...\TomGameOfRobot) (Version: - )
TOM Productions RobView (HKLM-x32\...\TomRobView) (Version: - )
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX control for remote connections (HKLM-x32\...\{C5398A89-516C-4DAF-BA07-EE7949090E56}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows-Treiberpaket - Lenovo (ACPIVPC) System (12/15/2011 7.1.0.1) (HKLM\...\99841829BE839365AA67B2AD0E50D371F59F8A1E) (Version: 12/15/2011 7.1.0.1 - Lenovo)
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
==================== Restore Points =========================
05-01-2015 10:01:41 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
05-01-2015 19:22:54 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
05-01-2015 19:23:10 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
05-01-2015 19:23:30 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
15-01-2015 19:53:52 Geplanter Prüfpunkt
21-01-2015 12:22:10 Compatibility Pack für 2007 Office System wird entfernt
21-01-2015 13:49:12 Revo Uninstaller's restore point - Health Alert
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-14 03:34 - 2012-08-11 11:03 - 00000857 ____N C:\Windows\system32\Drivers\etc\hosts
129.187.254.40 asa01.lrz.de
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {05097749-D97D-4BCD-AA4C-CEBA836ECFD2} - System32\Tasks\AdobeFlashPlayerUpdate => C:\Windows\SysWOW64\FlashPlayerUpdateService.exe
Task: {2B1A6D53-C9B3-4EC1-845B-F1DE8A2ACA6F} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {368BAEFA-3A0D-41F2-AE00-43A61A3626C8} - System32\Tasks\{E4332331-D67D-4513-9806-CFD97646C852} => pcalua.exe -a "C:\Program Files (x86)\Infogrames\Desperados\DESPERADOS.EXE"
Task: {3E54E1B0-D2FB-4CE5-AF14-5DA813F67B76} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-02-20] (Piriform Ltd)
Task: {580D69B1-8C77-4228-A513-69716C96C8B3} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-12-04] (AVAST Software)
Task: {63C29834-105D-40F3-8586-9324A00273AC} - System32\Tasks\{095E5590-1400-40B0-AE06-6FC4C7A09EEB} => pcalua.exe -a D:\drivers\Touchpad\Synaptics\15.3.39\Setup.exe -d D:\drivers\Touchpad\Synaptics\15.3.39
Task: {89B6C4B7-9050-43D3-B868-F79EFD44E887} - System32\Tasks\{C79057DC-567D-4C5E-8604-0B0AE525CEF6} => pcalua.exe -a C:\Users\XXXXX\Downloads\MediathekView_4\MediathekView-WinXp.exe -d C:\Users\XXXXX\Downloads\MediathekView_4
Task: {924976B3-7CCC-4AAD-9BDA-90FD4DAAC271} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: {9AC15011-4A53-401B-94FA-ABB421265EDC} - System32\Tasks\AdobeFlashPlayerUpdate 2 => C:\Windows\SysWOW64\FlashPlayerUpdateService.exe
Task: {A495FCC9-88C1-4328-AE1F-6DF5EF1CFB7A} - System32\Tasks\{0ACFBB90-BCD6-46DA-9827-D0185001CD0E} => pcalua.exe -a F:\SW.exe -d F:\
Task: {B0BEAA77-5311-415D-A646-3F712476D76F} - System32\Tasks\CreateHardwareScanTask => C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCService.exe
Task: {CB8F204F-CB44-467C-9A1A-84506D583B1E} - System32\Tasks\{B1A80AA6-5F61-4EEB-A31D-833CA9CF90F9} => pcalua.exe -a C:\ProgramData\HealthAlert\uninstall.exe -c /kb=y /ic=1
Task: {F13EE5A8-9284-405C-92A9-38AB26F4C854} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {F3BDDBA9-5430-423B-9F73-94063FDE9ABE} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
==================== Loaded Modules (whitelisted) =============
2013-10-07 15:54 - 2013-10-07 15:54 - 00218112 _____ () C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
2015-01-21 12:43 - 2015-01-21 12:43 - 02911744 _____ () C:\Program Files\AVAST Software\Avast\defs\15012100\algo.dll
2013-10-07 15:49 - 2013-10-07 15:49 - 00221184 _____ () C:\Program Files (x86)\GNU\GnuPG\libksba-8.dll
2013-10-07 15:47 - 2013-10-07 15:47 - 00037888 _____ () C:\Program Files (x86)\GNU\GnuPG\libgpg-error-0.dll
2013-10-07 15:44 - 2013-10-07 15:44 - 00050176 _____ () C:\Program Files (x86)\GNU\GnuPG\libw32pth-0.dll
2013-10-07 15:49 - 2013-10-07 15:49 - 00069632 _____ () C:\Program Files (x86)\GNU\GnuPG\libassuan-0.dll
2013-10-07 15:49 - 2013-10-07 15:49 - 00628224 _____ () C:\Program Files (x86)\GNU\GnuPG\libgcrypt-11.dll
2014-04-13 18:13 - 2012-08-23 09:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2014-04-13 18:13 - 2013-05-16 09:55 - 00113496 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-04-13 18:13 - 2013-05-16 09:55 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2014-04-13 18:13 - 2013-05-16 09:55 - 00161112 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-04-13 18:13 - 2012-04-03 16:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2015-01-21 15:15 - 2015-01-21 15:15 - 00043008 _____ () c:\users\XXXXX\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppax6sy.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00047616 _____ () C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\libEGL.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00863744 _____ () C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00200704 _____ () C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2014-12-04 22:36 - 2014-12-04 22:36 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2013-08-18 13:34 - 2013-08-18 13:34 - 00172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\991a8d378a3e64b31c0f4770ba9ae071\IsdiInterop.ni.dll
2012-05-31 06:05 - 2011-11-29 19:00 - 00059392 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2012-05-31 06:06 - 2012-02-21 05:09 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-01-21 12:59 - 2015-01-09 10:05 - 03925104 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-12-22 14:48 - 2015-01-15 18:18 - 03347056 _____ () C:\Program Files (x86)\Mozilla Thunderbird\mozjs.dll
2014-12-22 14:48 - 2015-01-15 18:18 - 00158832 _____ () C:\Program Files (x86)\Mozilla Thunderbird\NSLDAP32V60.dll
2014-12-22 14:48 - 2015-01-15 18:18 - 00023152 _____ () C:\Program Files (x86)\Mozilla Thunderbird\NSLDAPPR32V60.dll
2014-07-09 15:04 - 2014-07-09 15:04 - 17029808 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Creative Cloud => "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: cAudioFilterAgent => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
MSCONFIG\startupreg: Cisco AnyConnect Secure Mobility Agent for Windows => "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
MSCONFIG\startupreg: Dolby Advanced Audio v2 => "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IAStorIcon => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: SDTray => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: Vidalia => "C:\Program Files (x86)\Vidalia Relay Bundle\Vidalia\vidalia.exe"
========================= Accounts: ==========================
Administrator (S-1-5-21-1390501103-4066318671-3342385200-500 - Administrator - Disabled)
XXXXX (S-1-5-21-1390501103-4066318671-3342385200-1000 - Administrator - Enabled) => C:\Users\XXXXX
Gast (S-1-5-21-1390501103-4066318671-3342385200-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1390501103-4066318671-3342385200-1002 - Limited - Enabled)
==================== Faulty Device Manager Devices =============
Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft-Teredo-Tunneling-Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
==================== Event log errors: =========================
Application errors:
==================
Error: (01/21/2015 03:15:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: Der Index kann nicht initialisiert werden.
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: Die Anwendung kann nicht initialisiert werden.
Kontext: Windows Anwendung
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: Das Gatherer-Objekt kann nicht initialisiert werden.
Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: Plug-In in <Search.TripoliIndexer> kann nicht initialisiert werden.
Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Element nicht gefunden. (HRESULT : 0x80070490) (0x80070490)
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: Plug-In in <Search.JetPropStore> kann nicht initialisiert werden.
Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: Die Eigenschaftenspeicherdaten können von Windows Search nicht geladen werden.
Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Die Inhaltsindexdatenbank ist fehlerhaft. (HRESULT : 0xc0041800) (0xc0041800)
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: Windows Search wird aufgrund eines Problems bei der Indizierung The catalog is corrupt beendet.
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: Vom Suchdienst wurden beschädigte Datendateien im Index {id=4700} erkannt. Vom Dienst wird versucht, dieses Problem durch Neuerstellung des Indexes automatisch zu beheben.
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 9000) (User: )
Description: Der Jet-Eigenschaftenspeicher kann von Windows Search nicht geöffnet werden.
Details:
0x%08x (0xc0041800 - Die Inhaltsindexdatenbank ist fehlerhaft. (HRESULT : 0xc0041800))
System errors:
=============
Error: (01/21/2015 03:16:12 PM) (Source: DCOM) (EventID: 10016) (User: NT-AUTORITÄT)
Description: AnwendungsspezifischLokalStart{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT-AUTORITÄTSYSTEMS-1-5-18LocalHost (unter Verwendung von LRPC)
Error: (01/21/2015 03:13:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Windows Live ID Sign-in Assistant" wurde aufgrund folgenden Fehlers nicht gestartet:
%%109
Error: (01/21/2015 03:13:49 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT-AUTORITÄT)
Description: Das WLAN-Erweiterungsmodul wurde unerwartet beendet.
Modulpfad: C:\Windows\System32\bcmihvsrv64.dll
Error: (01/21/2015 03:13:49 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT-AUTORITÄT)
Description: Das WLAN-Erweiterungsmodul wurde unerwartet beendet.
Modulpfad: C:\Windows\System32\bcmihvsrv64.dll
Error: (01/21/2015 03:13:47 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT-AUTORITÄT)
Description: Das WLAN-Erweiterungsmodul wurde unerwartet beendet.
Modulpfad: C:\Windows\System32\bcmihvsrv64.dll
Error: (01/21/2015 03:13:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Intel(R) Management and Security Application User Notification Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.
Error: (01/21/2015 03:13:39 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Windows Live ID Sign-in Assistant" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 10000 Millisekunden durchgeführt: Neustart des Diensts.
Error: (01/21/2015 03:13:39 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Windows Media Player-Netzwerkfreigabedienst" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts.
Error: (01/21/2015 03:13:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Intel(R) Rapid Storage Technology" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.
Error: (01/21/2015 03:13:39 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Windows Search" wurde unerwartet beendet. Dies ist bereits 2 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts.
Microsoft Office Sessions:
=========================
Error: (01/21/2015 03:15:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description:
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: Kontext: Windows Anwendung
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Error: (01/21/2015 00:43:48 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Element nicht gefunden. (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
Search.JetPropStore
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: Kontext: Windows Anwendung, SystemIndex Katalog
Details:
Die Inhaltsindexdatenbank ist fehlerhaft. (HRESULT : 0xc0041800) (0xc0041800)
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description:
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
The catalog is corrupt
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description:
Details:
Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801)
4700
Error: (01/21/2015 00:43:42 PM) (Source: Windows Search Service) (EventID: 9000) (User: )
Description:
Details:
0x%08x (0xc0041800 - Die Inhaltsindexdatenbank ist fehlerhaft. (HRESULT : 0xc0041800))
==================== Memory info ===========================
Processor: Intel(R) Pentium(R) CPU B950 @ 2.10GHz
Percentage of memory in use: 50%
Total physical RAM: 6044.36 MB
Available physical RAM: 2974.54 MB
Total Pagefile: 12086.9 MB
Available Pagefile: 9022.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
==================== Drives ================================
Drive c: (Windows7_OS) (Fixed) (Total:195.31 GB) (Free:109.99 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (SYSTEM_DRV) (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 36900B49)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=195.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=977 MB) - (Type=82)
Partition 4: (Not Active) - (Size=269.3 GB) - (Type=05)
==================== End Of Log ============================
Gmer.txt - TEIL 1 Code:
ATTFilter
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-01-21 17:11:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0011 465,76GB
Running: Gmer-19357.exe; Driver: C:\Users\XXXXX\AppData\Local\Temp\uwlyikow.sys
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000149ad0460
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000149ad0450
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000149ad0370
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000149ad0470
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 0000000149ad03e0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000149ad0320
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 0000000149ad03b0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000149ad0390
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 0000000149ad02e0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 0000000149ad02d0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000149ad0310
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 0000000149ad03c0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 0000000149ad03f0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000149ad0230
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000149ad0480
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 0000000149ad03a0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 0000000149ad02f0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000149ad0350
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000149ad0290
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 0000000149ad02b0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 0000000149ad03d0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000149ad0330
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000149ad0410
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000149ad0240
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 0000000149ad01e0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000149ad0250
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000149ad0490
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 0000000149ad04a0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000149ad0300
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000149ad0360
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 0000000149ad02a0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 0000000149ad02c0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000149ad0380
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000149ad0340
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000149ad0440
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000149ad0260
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000149ad0270
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000149ad0400
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 0000000149ad01f0
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000149ad0210
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000149ad0200
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000149ad0420
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000149ad0430
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000149ad0220
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000149ad0280
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\wininit.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000100040460
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000100040450
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000100040370
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000100040470
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000001000403e0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000100040320
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000001000403b0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000100040390
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000001000402e0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000001000402d0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000100040310
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000001000403c0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000001000403f0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000100040230
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000100040480
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000001000403a0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000001000402f0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000100040350
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000100040290
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000001000402b0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000001000403d0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000100040330
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000100040410
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000100040240
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000001000401e0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000100040250
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000100040490
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000001000404a0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000100040300
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000100040360
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000001000402a0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000001000402c0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000100040380
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000100040340
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000100040440
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000100040260
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000100040270
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000100040400
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000001000401f0
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000100040210
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000100040200
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000100040420
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000100040430
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000100040220
.text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000100040280
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes
|
|
21.01.2015, 17:39
| #4 |
| | Windows 7: "HealthAlert" befällt alle Browser Gmer.txt - TEIL 2 Code:
ATTFilter
JMP 0000000077100210
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\winlogon.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5
bytes JMP 0000000077100210
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000100070460
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000100070450
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000100070370
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000100070470
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000100070320
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000100070390
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000100070310
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000100070230
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000100070480
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000001000702f0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000100070350
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000100070290
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000100070330
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000100070410
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000100070240
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000100070250
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000100070490
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000100070300
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000100070360
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000001000702a0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000001000702c0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000100070380
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000100070340
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes
|
|
21.01.2015, 17:41
| #5 |
| | Windows 7: "HealthAlert" befällt alle Browser Gmer.txt - TEIL 3 Code:
ATTFilter
JMP 0000000100070440
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000100070260
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000100070270
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000100070400
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000001000701f0
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000100070210
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000100070200
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000100070420
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000100070430
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000100070220
.text C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000100070280
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000100070460
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000100070450
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000100070370
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000100070470
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000100070320
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000100070390
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000100070310
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000100070230
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000100070480
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000001000702f0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000100070350
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000100070290
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000100070330
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000100070410
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000100070240
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000100070250
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000100070490
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000100070300
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000100070360
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000001000702a0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000001000702c0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000100070380
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000100070340
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000100070440
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000100070260
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000100070270
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000100070400
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000001000701f0
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000100070210
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000100070200
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000100070420
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000100070430
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000100070220
.text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000100070280
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\WLANExt.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion
0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP
|
|
21.01.2015, 17:43
| #6 |
| | Windows 7: "HealthAlert" befällt alle Browser Es nimmt kein Ende: Gmer.txt - TEIL 4 Code:
ATTFilter
00000000771003f0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b91465 2 bytes [B9, 75]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b914bb 2 bytes [B9, 75]
.text ... * 2
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1940] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075b91465 2 bytes [B9, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1940] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075b914bb 2 bytes [B9, 75]
.text ... * 2
.text C:\ProgramData\TExOqonDHMW\pyFWawfV.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b91465 2 bytes [B9, 75]
.text C:\ProgramData\TExOqonDHMW\pyFWawfV.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b914bb 2 bytes [B9, 75]
.text ... * 2
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\svchost.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Windows\system32\taskhost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000100070460
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000100070450
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000100070370
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000100070470
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000100070320
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000100070390
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000100070310
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000100070230
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000100070480
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes
JMP 00000001000702f0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000100070350
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000100070290
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000100070330
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000100070410
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000100070240
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000100070250
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000100070490
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000100070300
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000100070360
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000001000702a0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000001000702c0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000100070380
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000100070340
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000100070440
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000100070260
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000100070270
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000100070400
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000001000701f0
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000100070210
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000100070200
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000100070420
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000100070430
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000100070220
.text C:\Windows\system32\Dwm.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000100070280
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000100070460
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000100070450
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000100070370
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000100070470
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000001000703e0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000100070320
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000001000703b0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000100070390
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000001000702e0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000001000702d0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000100070310
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000001000703c0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000001000703f0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000100070230
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000100070480
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000001000703a0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000001000702f0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000100070350
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000100070290
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000001000702b0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000001000703d0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000100070330
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000100070410
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000100070240
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000001000701e0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000100070250
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000100070490
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000001000704a0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000100070300
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000100070360
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000001000702a0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000001000702c0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000100070380
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000100070340
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000100070440
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000100070260
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000100070270
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000100070400
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000001000701f0
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000100070210
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000100070200
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000100070420
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000100070430
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000100070220
.text C:\Windows\Explorer.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000100070280
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Program Files\Elantech\ETDCtrl.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe[3408] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075b91465 2 bytes [B9, 75]
.text C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe[3408] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000075b914bb 2 bytes [B9, 75]
.text ... * 2
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3464] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075718769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP 0000000077100240
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fa20a0 5 bytes JMP 00000000771001e0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fa2160 5 bytes JMP 0000000077100250
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fa2190 5 bytes JMP 0000000077100490
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fa21a0 5 bytes JMP 00000000771004a0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fa21d0 5 bytes JMP 0000000077100300
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fa21e0 5 bytes JMP 0000000077100360
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fa2240 5 bytes JMP 00000000771002a0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fa2290 5 bytes JMP 00000000771002c0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076fa22c0 5 bytes JMP 0000000077100380
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fa22d0 5 bytes JMP 0000000077100340
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fa25c0 5 bytes JMP 0000000077100440
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fa27c0 5 bytes JMP 0000000077100260
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fa27d0 5 bytes JMP 0000000077100270
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fa27e0 5 bytes JMP 0000000077100400
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fa29a0 5 bytes JMP 00000000771001f0
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fa29b0 5 bytes JMP 0000000077100210
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fa2a20 5 bytes JMP 0000000077100200
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fa2a80 5 bytes JMP 0000000077100420
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fa2a90 5 bytes JMP 0000000077100430
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fa2aa0 5 bytes JMP 0000000077100220
.text C:\Program Files\Elantech\ETDCtrlHelper.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fa2b80 5 bytes JMP 0000000077100280
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fa1360 5 bytes JMP 0000000077100460
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fa13b0 5 bytes JMP 0000000077100450
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fa1510 5 bytes JMP 0000000077100370
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fa1560 5 bytes JMP 0000000077100470
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fa1570 5 bytes JMP 00000000771003e0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fa1620 5 bytes JMP 0000000077100320
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fa1650 5 bytes JMP 00000000771003b0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076fa1670 5 bytes JMP 0000000077100390
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fa16b0 5 bytes JMP 00000000771002e0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fa1730 5 bytes JMP 00000000771002d0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fa1750 5 bytes JMP 0000000077100310
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fa1790 5 bytes JMP 00000000771003c0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fa17e0 5 bytes JMP 00000000771003f0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fa1940 5 bytes JMP 0000000077100230
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fa1b00 5 bytes JMP 0000000077100480
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fa1b30 5 bytes JMP 00000000771003a0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fa1c10 5 bytes JMP 00000000771002f0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fa1c20 5 bytes JMP 0000000077100350
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fa1c80 5 bytes JMP 0000000077100290
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fa1d10 5 bytes JMP 00000000771002b0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fa1d30 5 bytes JMP 00000000771003d0
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fa1d40 5 bytes JMP 0000000077100330
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fa1db0 5 bytes JMP 0000000077100410
.text C:\Windows\system32\SearchIndexer.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fa1de0 5 bytes JMP
|
|
21.01.2015, 22:00
| #7 |
| /// the machine /// TB-Ausbilder | Windows 7: "HealthAlert" befällt alle Browser Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster. Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument Code:
ATTFilter ProxyServer: [S-1-5-21-1390501103-4066318671-3342385200-1000] => 176.61.136.76:8080
FF NetworkProxy: "ftp", "127.0.0.1"
FF NetworkProxy: "ftp_port", 4001
FF NetworkProxy: "gopher", "127.0.0.1"
FF NetworkProxy: "gopher_port", 4001
FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 4001
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "socks", "127.0.0.1"
FF NetworkProxy: "socks_port", 4001
FF NetworkProxy: "socks_remote_dns", true
FF NetworkProxy: "ssl", "127.0.0.1"
FF NetworkProxy: "ssl_port", 4001
FF NetworkProxy: "type", 1
R2 pyFWawfV; C:\ProgramData\TExOqonDHMW\pyFWawfV.exe [2734400 2015-01-21] (Rational Thought Solutions)
C:\ProgramData\TExOqonDHMW
Hosts:
Emptytemp:
Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
Downloade Dir bitte  AdwCleaner auf deinen Desktop.
Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
und ein frisches FRST log bitte.
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
23.01.2015, 12:18
| #8 |
| | Windows 7: "HealthAlert" befällt alle Browser Hier bittesehr: Fixlog.txt Code:
ATTFilter
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by XXXX at 2015-01-22 19:31:05 Run:1
Running from C:\Users\XXXXX\Desktop
Loaded Profiles: XXXXX (Available profiles: XXXXX)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
ProxyServer: [S-1-5-21-1390501103-4066318671-3342385200-1000] => 176.61.136.76:8080
FF NetworkProxy: "ftp", "127.0.0.1"
FF NetworkProxy: "ftp_port", 4001
FF NetworkProxy: "gopher", "127.0.0.1"
FF NetworkProxy: "gopher_port", 4001
FF NetworkProxy: "http", "127.0.0.1"
FF NetworkProxy: "http_port", 4001
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "socks", "127.0.0.1"
FF NetworkProxy: "socks_port", 4001
FF NetworkProxy: "socks_remote_dns", true
FF NetworkProxy: "ssl", "127.0.0.1"
FF NetworkProxy: "ssl_port", 4001
FF NetworkProxy: "type", 1
R2 pyFWawfV; C:\ProgramData\TExOqonDHMW\pyFWawfV.exe [2734400 2015-01-21] (Rational Thought Solutions)
C:\ProgramData\TExOqonDHMW
Hosts:
Emptytemp:
*****************
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
pyFWawfV => Unable to stop service
pyFWawfV => Service deleted successfully.
"C:\ProgramData\TExOqonDHMW" directory move:
Could not move "C:\ProgramData\TExOqonDHMW\info.dat" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW\pyFWawfV.dat" => Scheduled to move on reboot.
C:\ProgramData\TExOqonDHMW\pyFWawfV.exe => Moved successfully.
C:\ProgramData\TExOqonDHMW\pyFWawfV.exe.config => Moved successfully.
Could not move "C:\ProgramData\TExOqonDHMW\dat\DTlTyR.exe" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW\dat\DTlTyR.exe.config" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW\dat\HuPkRnmjvAN.dll" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW\dat\XDBXTLQp.exe" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW\dat\XDBXTLQp.exe.config" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW\dat\ZZVsbwbS.dll" => Scheduled to move on reboot.
Could not move "C:\ProgramData\TExOqonDHMW" directory. => Scheduled to move on reboot.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 2.6 GB temporary data.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-01-22 19:33:21)<=
C:\ProgramData\TExOqonDHMW\info.dat => Is moved successfully.
C:\ProgramData\TExOqonDHMW\pyFWawfV.dat => Is moved successfully.
C:\ProgramData\TExOqonDHMW\dat\DTlTyR.exe => Is moved successfully.
C:\ProgramData\TExOqonDHMW\dat\DTlTyR.exe.config => Is moved successfully.
C:\ProgramData\TExOqonDHMW\dat\HuPkRnmjvAN.dll => Is moved successfully.
C:\ProgramData\TExOqonDHMW\dat\XDBXTLQp.exe => Is moved successfully.
C:\ProgramData\TExOqonDHMW\dat\XDBXTLQp.exe.config => Is moved successfully.
C:\ProgramData\TExOqonDHMW\dat\ZZVsbwbS.dll => Is moved successfully.
C:\ProgramData\TExOqonDHMW => Is moved successfully.
==== End of Fixlog 19:33:21 ====
AdwCleaner[S5] Code:
ATTFilter # AdwCleaner v4.108 - Bericht erstellt am 22/01/2015 um 19:47:08
# Aktualisiert 17/01/2015 von Xplode
# Database : 2015-01-22.3 [Live]
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzername : XXXXX- XXXXX-PC
# Gestartet von : C:\Users\XXXXX\Downloads\AdwCleaner_4.108.exe
# Option : Löschen
***** [ Dienste ] *****
***** [ Dateien / Ordner ] *****
Ordner Gelöscht : C:\ProgramData\Browser
Ordner Gelöscht : C:\Users\XXXXX\AppData\Local\HealthAlert
***** [ Tasks ] *****
***** [ Verknüpfungen ] *****
***** [ Registrierungsdatenbank ] *****
***** [ Browser ] *****
-\\ Internet Explorer v10.0.9200.16736
-\\ Mozilla Firefox v35.0 (x86 de)
-\\ Google Chrome v
*************************
AdwCleaner[R0].txt - [7097 octets] - [26/02/2014 11:52:16]
AdwCleaner[R1].txt - [1975 octets] - [28/02/2014 00:15:58]
AdwCleaner[R2].txt - [1059 octets] - [28/02/2014 00:19:26]
AdwCleaner[R3].txt - [1180 octets] - [03/03/2014 21:57:53]
AdwCleaner[R4].txt - [7123 octets] - [07/05/2014 11:23:25]
AdwCleaner[R5].txt - [9678 octets] - [21/01/2015 15:11:21]
AdwCleaner[R6].txt - [1580 octets] - [22/01/2015 19:36:36]
AdwCleaner[S0].txt - [6237 octets] - [26/02/2014 11:52:52]
AdwCleaner[S1].txt - [1785 octets] - [28/02/2014 00:16:23]
AdwCleaner[S2].txt - [1121 octets] - [28/02/2014 00:20:13]
AdwCleaner[S3].txt - [5384 octets] - [07/05/2014 11:23:50]
AdwCleaner[S4].txt - [9421 octets] - [21/01/2015 15:13:32]
AdwCleaner[S5].txt - [1501 octets] - [22/01/2015 19:47:08]
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [1561 octets] ##########
JRT.txt Code:
ATTFilter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Home Premium x64
Ran by XXXXX on 22.01.2015 at 19:56:50,64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{026BC279-6BE0-48B7-8251-4814DD465CC5}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{22858EE6-D43B-4E97-ACB7-7CA44FE312FC}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{4E5A7800-0E97-4138-A84B-60B09650EDE1}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{65BCE210-EC30-4953-9BE5-83C8394B726F}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{90548BCC-9700-4482-8CB9-49C7F6A0014B}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{AE7AF858-0AF4-41C0-B876-94876A9B4D09}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{B982DB7A-016A-4883-A32D-5120B3F26D21}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{BD3F6BF7-05DE-4242-9D93-ECA5308A8D85}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{D21C9467-CF0D-4FB2-996A-9DA86EB1459F}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{D8B0E0CA-CD49-4BEC-ACC4-73EA92E8E9E8}
Successfully deleted: [Empty Folder] C:\Users\XXXXX\appdata\local\{DCE0F5F0-0826-489E-99A2-579E0CF4157D}
~~~ FireFox
Successfully deleted: [Folder] C:\Users\XXXXX\AppData\Roaming\mozilla\firefox\profiles\JonDoFox\extensions\staged
Emptied folder: C:\Users\XXXXX\AppData\Roaming\mozilla\firefox\profiles\26bmkjs9.default-1421850433756\minidumps [1 files]
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 22.01.2015 at 20:01:36,66
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FRST.txt FRST Logfile: FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by XXXXX (administrator) on XXXXX-PC on 22-01-2015 20:06:23
Running from C:\Users\XXXXX\Downloads
Loaded Profiles: XXXXX (Available profiles: XXXXX)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
() C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Dropbox, Inc.) C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2809856 2012-01-16] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-09] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.newsmap.jp/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
FireFox:
========
FF ProfilePath: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\blekko-ssl.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\duckduckgo-ssl-javascript-free.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\google-de-ssl.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\google-encrypted-no-personalization.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick-ssl-pictures---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick-ssl-pictures---english.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-eng-ger.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-esp-ale.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-fra-all.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\metager2.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ssl-wikipedia-deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ssl-wikipedia-english.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\startpage-https---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\startpage-https.xml
FF Extension: HTTPS-Everywhere - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\https-everywhere@eff.org [2014-08-03]
FF Extension: DownloadHelper - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-08-03]
FF Extension: JonDoFox - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{437be45a-4114-11dd-b9ab-71d256d89593}.xpi [2014-07-23]
FF Extension: NoScript - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-07-22]
FF Extension: Cookie Controller - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{ac2cfa60-bc96-11e0-962b-0800200c9a66}.xpi [2014-07-22]
FF Extension: Adblock Plus - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-06-11]
FF Extension: ProfileSwitcher - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}.xpi [2014-06-11]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\adblockpopups@jessehakanen.net.xpi [2015-01-21]
FF Extension: No Name - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\firefox@ghostery.com.xpi [2015-01-21]
FF Extension: No Name - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\jid1-P34HaABBBpOerQ@jetpack.xpi [2015-01-21]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
Chrome:
=======
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-04] (AVAST Software)
S4 DamageGuardSvc; C:\Program Files\Lenovo\Instant Reset\DamageGuardSvc.exe [572976 2012-02-13] (Lenovo (Beijing) Limited)
R2 DirMngr; C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [218112 2013-10-07] () [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-12-04] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-12-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-12-04] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-12-04] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-12-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-12-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-12-04] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-12-04] ()
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-02] (Broadcom Corporation.)
S4 DamageGuard; C:\Windows\System32\DRIVERS\DamageGuardX64.sys [217392 2012-02-10] (Lenovo)
S4 dgFltr; C:\Windows\System32\drivers\dgFltrX64.sys [23648 2011-12-13] (Lenovo)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-10-10] (Cisco Systems, Inc.)
U3 BcmSqlStartupSvc; No ImagePath
S3 btwampfl; \??\C:\Windows\system32\drivers\btwampfl.sys [X]
S3 btwaudio; system32\drivers\btwaudio.sys [X]
S3 btwavdt; system32\drivers\btwavdt.sys [X]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; system32\DRIVERS\btwrchid.sys [X]
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
U2 DriverService; No ImagePath
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
S3 massfilter; system32\drivers\massfilter.sys [X]
S3 massfilter_hs; system32\drivers\massfilter_hs.sys [X]
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 vm332avs; System32\Drivers\vm332avs.sys [X]
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [X]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-22 20:06 - 2015-01-22 20:06 - 00016060 _____ () C:\Users\XXXXX\Downloads\FRST.txt
2015-01-22 20:01 - 2015-01-22 20:01 - 00002095 _____ () C:\Users\XXXXX\Desktop\JRT.txt
2015-01-22 19:56 - 2015-01-22 19:56 - 01707939 _____ (Thisisu) C:\Users\XXXXX\Downloads\JRT.exe
2015-01-22 19:56 - 2015-01-22 19:56 - 00000000 ____D () C:\Windows\ERUNT
2015-01-22 19:55 - 2015-01-22 19:55 - 00001641 _____ () C:\Users\XXXXX\Desktop\AdwCleaner[S5].txt
2015-01-22 19:48 - 2015-01-22 19:48 - 00000022 _____ () C:\Windows\S.dirmngr
2015-01-22 19:35 - 2015-01-22 19:35 - 02186752 _____ () C:\Users\XXXXX\Downloads\AdwCleaner_4.108.exe
2015-01-21 16:54 - 2015-01-21 16:54 - 00380416 _____ () C:\Users\XXXXX\Downloads\Gmer-19357.exe
2015-01-21 16:49 - 2015-01-22 20:06 - 00000000 ____D () C:\FRST
2015-01-21 16:49 - 2015-01-21 16:49 - 02126848 _____ (Farbar) C:\Users\XXXXX\Downloads\FRST64.exe
2015-01-21 16:48 - 2015-01-21 16:48 - 00000000 _____ () C:\Users\XXXXX\defogger_reenable
2015-01-21 16:47 - 2015-01-21 16:47 - 00050477 _____ () C:\Users\XXXXX\Downloads\Defogger.exe
2015-01-21 15:04 - 2015-01-21 15:04 - 00009449 _____ () C:\Users\XXXXX\Desktop\cannabis.odt
2015-01-21 13:48 - 2015-01-21 15:24 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2015-01-21 12:59 - 2015-01-21 12:59 - 00001174 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-21 12:59 - 2015-01-21 12:59 - 00001162 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-21 12:59 - 2015-01-21 12:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-21 12:42 - 2015-01-22 19:47 - 00008166 _____ () C:\Windows\PFRO.log
2015-01-21 12:42 - 2015-01-22 19:47 - 00000224 _____ () C:\Windows\setupact.log
2015-01-21 12:42 - 2015-01-21 12:42 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-21 12:23 - 2015-01-21 12:23 - 00003116 _____ () C:\Windows\System32\Tasks\{B1A80AA6-5F61-4EEB-A31D-833CA9CF90F9}
2015-01-21 12:14 - 2015-01-21 18:47 - 00020379 _____ () C:\Users\XXXXX\Desktop\fragen - geräuschemacher.odt
2015-01-20 14:05 - 2015-01-20 14:14 - 993524076 _____ () C:\Users\XXXXX\Desktop\Dokumentation-Italy,_Love_it_or_Leave_it-044459-000-A_EQ_1_VA-STA_01626678_MP4-1500_AMM-HBBTV.mp4
2015-01-18 17:45 - 2015-01-18 17:45 - 00056530 _____ () C:\Users\XXXXX\AppData\Local\recently-used.xbel
2015-01-16 23:21 - 2015-01-20 15:28 - 00020905 _____ () C:\Users\XXXXX\Desktop\beamer.odt
2015-01-16 18:11 - 2015-01-16 18:11 - 00021334 _____ () C:\Users\XXXXX\Desktop\mut der studenten.odt
2015-01-13 17:52 - 2015-01-14 01:10 - 00000000 ____D () C:\Users\XXXXX\Documents\Beatport Sync
2015-01-13 17:52 - 2015-01-13 17:52 - 00000000 ____D () C:\Program Files (x86)\Native Instruments
2015-01-11 20:01 - 2015-01-16 22:52 - 00023341 _____ () C:\Users\XXXXX\Desktop\carroll.odt
2015-01-05 19:34 - 2015-01-05 19:34 - 00000000 ___RD () C:\Users\XXXXX\Creative Cloud Files
2015-01-05 19:28 - 2015-01-05 19:28 - 00001108 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Content Viewer.lnk
2015-01-05 19:02 - 2015-01-05 19:02 - 00000000 ___RD () C:\Users\XXXXX\Creative Cloud Files (c3002257@trbvm.com)
2015-01-05 18:49 - 2015-01-05 18:49 - 00000000 ____D () C:\adobeTemp
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-22 19:55 - 2009-07-14 05:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-22 19:55 - 2009-07-14 05:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-22 19:51 - 2012-05-31 06:00 - 01457277 _____ () C:\Windows\WindowsUpdate.log
2015-01-22 19:49 - 2012-11-04 14:12 - 00000000 ___RD () C:\Users\XXXXX\Dropbox
2015-01-22 19:49 - 2012-11-03 13:14 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Dropbox
2015-01-22 19:48 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-22 19:47 - 2014-02-26 11:50 - 00000000 ____D () C:\AdwCleaner
2015-01-22 19:33 - 2012-12-20 01:19 - 17342464 ___SH () C:\Users\XXXXX\Desktop\Thumbs.db
2015-01-22 19:24 - 2014-09-21 23:22 - 00003954 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{F6F4E6B6-9A6F-4BFC-AC3D-2222AAD939A2}
2015-01-22 18:36 - 2012-05-31 15:45 - 00696870 _____ () C:\Windows\system32\perfh007.dat
2015-01-22 18:36 - 2012-05-31 15:45 - 00148134 _____ () C:\Windows\system32\perfc007.dat
2015-01-22 18:36 - 2009-07-14 06:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-21 16:48 - 2012-07-28 14:05 - 00000000 ____D () C:\Users\XXXXX
2015-01-21 15:14 - 2013-01-08 23:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-21 15:13 - 2014-08-03 16:30 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JonDoFox
2015-01-21 15:13 - 2012-07-28 14:06 - 00000972 _____ () C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-21 14:39 - 2013-08-07 13:26 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\gnupg
2015-01-21 13:01 - 2014-09-17 16:58 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-01-21 12:44 - 2014-05-30 11:30 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-01-21 12:43 - 2009-07-14 03:34 - 00000529 _____ () C:\Windows\win.ini
2015-01-21 12:42 - 2014-09-10 11:13 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2015-01-21 12:41 - 2009-07-14 04:20 - 00000000 __RSD () C:\Windows\Media
2015-01-21 12:22 - 2014-05-13 22:33 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-01-20 19:10 - 2012-10-25 20:18 - 00000000 ____D () C:\Users\XXXXX\Desktop\projekte
2015-01-20 14:14 - 2014-09-10 11:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-18 17:45 - 2014-06-05 18:46 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\gtk-2.0
2015-01-18 17:45 - 2013-05-06 13:59 - 00000000 ____D () C:\Users\XXXXX\.gimp-2.8
2015-01-15 19:35 - 2014-03-29 12:33 - 00001578 _____ () C:\Windows\system32\TeamViewer9_Hooks.log
2015-01-15 19:35 - 2014-03-20 19:37 - 00001113 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2015-01-15 18:18 - 2014-12-22 14:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-01-12 22:15 - 2012-11-04 12:01 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Skype
2015-01-06 22:36 - 2014-06-05 19:27 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-06 22:36 - 2013-08-13 14:16 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\FileZilla
2015-01-06 21:46 - 2012-07-28 14:15 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Adobe
2015-01-06 21:46 - 2012-05-31 06:33 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-06 21:41 - 2014-05-23 18:51 - 00000000 ____D () C:\Program Files\Adobe
2015-01-05 19:34 - 2012-08-03 09:54 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\Adobe
2015-01-05 19:23 - 2014-05-23 18:27 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-05 09:27 - 2014-01-03 15:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2015-01-05 09:27 - 2014-01-03 15:45 - 00000000 ____D () C:\Program Files (x86)\FileZilla FTP Client
2014-12-25 12:03 - 2009-07-14 05:45 - 05030416 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-23 18:40 - 2012-07-28 14:06 - 00077408 _____ () C:\Users\XXXXX\AppData\Local\GDIPFONTCACHEV1.DAT
==================== Files in the root of some directories =======
2014-07-16 01:16 - 2014-07-16 01:16 - 0071813 _____ () C:\Users\XXXXX\AppData\Roaming\gmic_grain_orwo_np20.cimgz
2014-07-16 01:22 - 2014-07-16 01:22 - 3107745 _____ () C:\Users\XXXXX\AppData\Roaming\update1593.gmic
2013-07-26 23:38 - 2014-02-26 00:35 - 0000215 _____ () C:\Users\XXXXX\AppData\Roaming\WB.CFG
2013-12-15 15:16 - 2013-12-15 15:16 - 0000006 _____ () C:\Users\XXXXX\AppData\Roaming\WBPU-Q5-TTL.DAT
2013-06-18 19:16 - 2014-01-28 09:35 - 0000005 _____ () C:\Users\XXXXX\AppData\Roaming\WBPU-TTL.DAT
2013-05-12 23:36 - 2014-03-13 13:05 - 0000600 _____ () C:\Users\XXXXX\AppData\Local\PUTTY.RND
2015-01-18 17:45 - 2015-01-18 17:45 - 0056530 _____ () C:\Users\XXXXX\AppData\Local\recently-used.xbel
Some content of TEMP:
====================
C:\Users\XXXXX\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkdnx6o.dll
C:\Users\XXXXX\AppData\Local\Temp\Quarantine.exe
C:\Users\XXXXX\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-01-14 12:40
==================== End Of Log ============================
--- --- --- --- --- --- Wow, das scheint das Problem behoben zu haben. Die Werbung ist weg. Vielen vielen Dank dafür! Ich frage mich, welche der von dir geschilderten Maßnahmen letzten Endes das nötige geleistet hat. |
|
23.01.2015, 13:17
| #9 |
| /// the machine /// TB-Ausbilder | Windows 7: "HealthAlert" befällt alle Browser Wir sind noch nicht ganz fertig  ESET Online Scanner
Downloade Dir bitte  SecurityCheck und:
und ein frisches FRST log bitte. Noch Probleme?
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
24.01.2015, 13:01
| #10 |
| | Windows 7: "HealthAlert" befällt alle Browser ESET log.txt Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=fd84d886cff38b44aa42c1e70b6b6641
# engine=22124
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2015-01-24 11:46:30
# local_time=2015-01-24 12:46:30 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 71 90 259472 20654194 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 259616 173729840 0 0
# scanned=130596
# found=19
# cleaned=0
# scan_time=4484
sh=497D88F38E21229D95650E02708207190CB6849E ft=1 fh=64a74ba51bf40770
vn="Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner
\Quarantine\C\Program Files (x86)\XTab\BrowerWatchCH.dll.vir"
sh=5468230F587DE9F869DB9E22083131DCFD9451F2 ft=1 fh=07a842c13464288e
vn="Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner
\Quarantine\C\Program Files (x86)\XTab\BrowerWatchFF.dll.vir"
sh=5D628376391A827A818B0A079B64EE457AE9B82A ft=1 fh=c71c0011e2e7a7a5
vn="Variante von Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I
fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\XTab
\BrowserAction.dll.vir"
sh=599F4EB498D7C05A680386C1D3E1FC3DD68A8FA9 ft=1 fh=bd87bce3b868a7f1
vn="Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner
\Quarantine\C\Program Files (x86)\XTab\CmdShell.exe.vir"
sh=6F2DDAFE7B526A4CC60D75CCB1D4EBEA6F5D0DDC ft=1 fh=a836ee7136df2313
vn="Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner
\Quarantine\C\Program Files (x86)\XTab\HPNotify.exe.vir"
sh=1DFF39C0F7B7617C8292510F1833B282CD0A1F21 ft=1 fh=18ddbd645dd0ae9c
vn="Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner
\Quarantine\C\Program Files (x86)\XTab\IeWatchDog.dll.vir"
sh=DF7B974F73F65FDF917E9C3AB8B8EC9FD97FC2A0 ft=1 fh=0e3a711fc1c46ea8
vn="Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner
\Quarantine\C\Program Files (x86)\XTab\ProtectService.exe.vir"
sh=606D4414333C04E362F60B505926C78BB0B6C694 ft=1 fh=2f7c44d7fdd8d932
vn="Variante von Win32/ELEX.BM evtl. unerwünschte Anwendung" ac=I
fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\XTab\SupTab.dll.vir"
sh=529F1CB730B133C2264E3451DCCC7DEEB179C135 ft=1 fh=2c963b952ca2f278
vn="Variante von Win32/Adware.Yontoo.B Anwendung" ac=I fn="C:
\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{C4ED781C-7394-
4906-AAFF-D6AB64FF7C38}\_Setupx.dll.vir"
sh=AF36570D737043FEBEC5FA3DDB416A4CF5FDFBE9 ft=1 fh=c71c0011100f33aa
vn="Variante von Win32/ELEX.BH evtl. unerwünschte Anwendung" ac=I
fn="C:\AdwCleaner\Quarantine\C\ProgramData\WindowsMangerProtect
\ProtectWindowsManager.exe.vir"
sh=98FCF260C8C676E33DA77173AB222BA6B0142116 ft=1 fh=e0b1efaf129489ac
vn="Win32/Toolbar.Conduit evtl. unerwünschte Anwendung" ac=I fn="C:
\AdwCleaner\Quarantine\C\Users\XXXXX\AppData\Roaming\RHEng
\C4AAD2C190FC4824A8F6F31BA510DFC6\zafwSetupWeb_131_211_000.exe.vir"
sh=EE6E66611077F7745810CFD6FED132EB8A204926 ft=1 fh=49d19272fba842a3
vn="Variante von Win64/BrowseFox.AA evtl. unerwünschte Anwendung" ac=I
fn="C:\AdwCleaner\Quarantine\C\Windows\System32\drivers\{8590482e-6fbf-
4e86-9e78-2d81034791b1}Gw64.sys.vir"
sh=6FBA2D6805486E719733906FE6C840B6DAA4DC96 ft=1 fh=c2daa32e5071e641
vn="Variante von MSIL/Adware.PullUpdate.G.gen Anwendung" ac=I fn="C:
\FRST\Quarantine\C\ProgramData\TExOqonDHMW\pyFWawfV.exe.xBAD"
sh=4DFFCA6DE5EFCC49FD012E7BCE4211A6CE2CFB65 ft=1 fh=4c335f5d844b57ec
vn="Variante von MSIL/Adware.PullUpdate.G.gen Anwendung" ac=I fn="C:
\FRST\Quarantine\C\ProgramData\TExOqonDHMW\dat\DTlTyR.exe.xBAD"
sh=6EBE4681B216839C5B0B0D086B40115F9F2C7467 ft=1 fh=9da91ff8ff0e3473
vn="Variante von MSIL/Adware.PullUpdate.K.gen Anwendung" ac=I fn="C:
\FRST\Quarantine\C\ProgramData\TExOqonDHMW\dat\HuPkRnmjvAN.dll.xBAD"
sh=B93CF366E0550516CD125EB49127DBC8F31DCA0A ft=1 fh=641df59ed4002b35
vn="Variante von MSIL/Adware.PullUpdate.G.gen Anwendung" ac=I fn="C:
\FRST\Quarantine\C\ProgramData\TExOqonDHMW\dat\XDBXTLQp.exe.xBAD"
sh=234F20CF2B3DC44308BBDCAEC03D9B9CB615BC3F ft=1 fh=60d44aed07f0cad7
vn="Variante von MSIL/Adware.PullUpdate.K.gen Anwendung" ac=I fn="C:
\FRST\Quarantine\C\ProgramData\TExOqonDHMW\dat\ZZVsbwbS.dll.xBAD"
sh=8F1C8EE7CA80E2CA8132B19F2A2E022C734E5D35 ft=1 fh=1de9b2a4fa1a759e
vn="Variante von Win32/InstalleRex.T evtl. unerwünschte Anwendung" ac=I
fn="C:\ProgramData\InstallMate\{82C4E8E6-70E7-42F4-A01F-
38C55927CA10}\_Setupx.dll"
sh=8F1C8EE7CA80E2CA8132B19F2A2E022C734E5D35 ft=1 fh=1de9b2a4fa1a759e
vn="Variante von Win32/InstalleRex.T evtl. unerwünschte Anwendung" ac=I
fn="C:\Users\All Users\InstallMate\{82C4E8E6-70E7-42F4-A01F-
38C55927CA10}\_Setupx.dll"
Bei SecurityCheck gibt's anscheinend Probleme: checkup.txt Code:
ATTFilter
UNSUPPORTED OPERATING SYSTEM! ABORTED!
Und die FRST.txt FRST Logfile: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by XXXXX (administrator) on XXXXX-PC on 24-01-2015 12:58:04
Running from C:\Users\XXXXX\Downloads
Loaded Profiles: XXXXX (Available profiles: XXXXX)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
() C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Dropbox, Inc.) C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_14_0_0_145.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_14_0_0_145.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Apache Software Foundation) C:\Program Files (x86)\OpenOffice 4\program\swriter.exe
(Apache Software Foundation) C:\Program Files (x86)\OpenOffice 4\program\soffice.exe
(Apache Software Foundation) C:\Program Files (x86)\OpenOffice 4\program\soffice.bin
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2809856 2012-01-16] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-27] (Intel Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-09] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\XXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.de/
HKU\S-1-5-21-1390501103-4066318671-3342385200-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.newsmap.jp/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390501103-4066318671-3342385200-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
FireFox:
========
FF ProfilePath: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\blekko-ssl.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\duckduckgo-ssl-javascript-free.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\google-de-ssl.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\google-encrypted-no-personalization.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick-ssl-pictures---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick-ssl-pictures---english.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ixquick.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-eng-ger.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-esp-ale.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\leo-fra-all.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\metager2.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ssl-wikipedia-deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\ssl-wikipedia-english.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\startpage-https---deutsch.xml
FF SearchPlugin: C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\searchplugins\startpage-https.xml
FF Extension: HTTPS-Everywhere - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\https-everywhere@eff.org [2014-08-03]
FF Extension: DownloadHelper - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-08-03]
FF Extension: JonDoFox - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{437be45a-4114-11dd-b9ab-71d256d89593}.xpi [2014-07-23]
FF Extension: NoScript - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-07-22]
FF Extension: Cookie Controller - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{ac2cfa60-bc96-11e0-962b-0800200c9a66}.xpi [2014-07-22]
FF Extension: Adblock Plus - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-06-11]
FF Extension: ProfileSwitcher - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\Extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}.xpi [2014-06-11]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\adblockpopups@jessehakanen.net.xpi [2015-01-21]
FF Extension: No Name - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\firefox@ghostery.com.xpi [2015-01-21]
FF Extension: No Name - C:\Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\26bmkjs9.default-1421850433756\Extensions\jid1-P34HaABBBpOerQ@jetpack.xpi [2015-01-21]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-04] (AVAST Software)
S4 DamageGuardSvc; C:\Program Files\Lenovo\Instant Reset\DamageGuardSvc.exe [572976 2012-02-13] (Lenovo (Beijing) Limited)
R2 DirMngr; C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [218112 2013-10-07] () [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-12-04] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-12-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-12-04] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-12-04] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-12-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-12-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-12-04] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-12-04] ()
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2012-02-02] (Broadcom Corporation.)
S4 DamageGuard; C:\Windows\System32\DRIVERS\DamageGuardX64.sys [217392 2012-02-10] (Lenovo)
S4 dgFltr; C:\Windows\System32\drivers\dgFltrX64.sys [23648 2011-12-13] (Lenovo)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-10-10] (Cisco Systems, Inc.)
U3 BcmSqlStartupSvc; No ImagePath
S3 btwampfl; \??\C:\Windows\system32\drivers\btwampfl.sys [X]
S3 btwaudio; system32\drivers\btwaudio.sys [X]
S3 btwavdt; system32\drivers\btwavdt.sys [X]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; system32\DRIVERS\btwrchid.sys [X]
U2 CLKMSVC10_3A60B698; No ImagePath
U2 CLKMSVC10_C3B3B687; No ImagePath
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
U2 DriverService; No ImagePath
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
U2 iATAgentService; No ImagePath
U2 idealife Update Service; No ImagePath
U3 IGRS; No ImagePath
U2 IviRegMgr; No ImagePath
S3 massfilter; system32\drivers\massfilter.sys [X]
S3 massfilter_hs; system32\drivers\massfilter_hs.sys [X]
U2 nvUpdatusService; No ImagePath
U2 Oasis2Service; No ImagePath
U2 PCCarerService; No ImagePath
U2 ReadyComm.DirectRouter; No ImagePath
U2 RichVideo; No ImagePath
U2 RtLedService; No ImagePath
U2 SeaPort; No ImagePath
U2 SoftwareService; No ImagePath
U3 SQLWriter; No ImagePath
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 vm332avs; System32\Drivers\vm332avs.sys [X]
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [X]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-24 12:58 - 2015-01-24 12:58 - 00016752 _____ () C:\Users\XXXXX\Downloads\FRST.txt
2015-01-24 12:57 - 2015-01-24 12:57 - 00000000 ____D () C:\Users\XXXXX\Downloads\FRST-OlderVersion
2015-01-24 12:56 - 2015-01-24 12:56 - 00852504 _____ () C:\Users\XXXXX\Desktop\SecurityCheck.exe
2015-01-24 12:00 - 2015-01-24 12:32 - 00000115 ____H () C:\Users\XXXXX\Desktop\.~lock.fragen - geräuschemacher.odt#
2015-01-24 11:27 - 2015-01-24 11:27 - 02347384 _____ (ESET) C:\Users\XXXXX\Downloads\esetsmartinstaller_deu.exe
2015-01-22 20:29 - 2015-01-22 20:29 - 00042649 _____ () C:\Users\XXXXX\AppData\Local\recently-used.xbel
2015-01-22 20:07 - 2015-01-22 20:07 - 00023231 _____ () C:\Users\XXXXX\Downloads\Addition.txt
2015-01-22 19:56 - 2015-01-22 19:56 - 01707939 _____ (Thisisu) C:\Users\XXXXX\Downloads\JRT.exe
2015-01-22 19:56 - 2015-01-22 19:56 - 00000000 ____D () C:\Windows\ERUNT
2015-01-22 19:48 - 2015-01-22 19:48 - 00000022 _____ () C:\Windows\S.dirmngr
2015-01-22 19:35 - 2015-01-22 19:35 - 02186752 _____ () C:\Users\XXXXX\Downloads\AdwCleaner_4.108.exe
2015-01-21 16:54 - 2015-01-21 16:54 - 00380416 _____ () C:\Users\XXXXX\Downloads\Gmer-19357.exe
2015-01-21 16:49 - 2015-01-24 12:58 - 00000000 ____D () C:\FRST
2015-01-21 16:49 - 2015-01-24 12:57 - 02129920 _____ (Farbar) C:\Users\XXXXX\Downloads\FRST64.exe
2015-01-21 16:48 - 2015-01-21 16:48 - 00000000 _____ () C:\Users\XXXXX\defogger_reenable
2015-01-21 16:47 - 2015-01-21 16:47 - 00050477 _____ () C:\Users\XXXXX\Downloads\Defogger.exe
2015-01-21 15:04 - 2015-01-22 20:42 - 00029287 _____ () C:\Users\XXXXX\Desktop\cannabis.odt
2015-01-21 13:48 - 2015-01-21 15:24 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2015-01-21 12:59 - 2015-01-21 12:59 - 00001174 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-21 12:59 - 2015-01-21 12:59 - 00001162 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-21 12:59 - 2015-01-21 12:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-21 12:42 - 2015-01-22 19:47 - 00008166 _____ () C:\Windows\PFRO.log
2015-01-21 12:42 - 2015-01-22 19:47 - 00000224 _____ () C:\Windows\setupact.log
2015-01-21 12:42 - 2015-01-21 12:42 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-21 12:23 - 2015-01-21 12:23 - 00003116 _____ () C:\Windows\System32\Tasks\{B1A80AA6-5F61-4EEB-A31D-833CA9CF90F9}
2015-01-21 12:14 - 2015-01-24 12:32 - 00025090 _____ () C:\Users\XXXXX\Desktop\fragen - geräuschemacher.odt
2015-01-20 14:05 - 2015-01-20 14:14 - 993524076 _____ () C:\Users\XXXXX\Desktop\Dokumentation-Italy,_Love_it_or_Leave_it-044459-000-A_EQ_1_VA-STA_01626678_MP4-1500_AMM-HBBTV.mp4
2015-01-16 23:21 - 2015-01-20 15:28 - 00020905 _____ () C:\Users\XXXXX\Desktop\beamer.odt
2015-01-16 18:11 - 2015-01-16 18:11 - 00021334 _____ () C:\Users\XXXXX\Desktop\mut der studenten.odt
2015-01-13 17:52 - 2015-01-14 01:10 - 00000000 ____D () C:\Users\XXXXX\Documents\Beatport Sync
2015-01-13 17:52 - 2015-01-13 17:52 - 00000000 ____D () C:\Program Files (x86)\Native Instruments
2015-01-11 20:01 - 2015-01-16 22:52 - 00023341 _____ () C:\Users\XXXXX\Desktop\carroll.odt
2015-01-05 19:34 - 2015-01-05 19:34 - 00000000 ___RD () C:\Users\XXXXX\Creative Cloud Files
2015-01-05 19:28 - 2015-01-05 19:28 - 00001108 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Content Viewer.lnk
2015-01-05 19:02 - 2015-01-05 19:02 - 00000000 ___RD () C:\Users\XXXXX\Creative Cloud Files (c3002257@trbvm.com)
2015-01-05 18:49 - 2015-01-05 18:49 - 00000000 ____D () C:\adobeTemp
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-01-24 11:30 - 2012-05-31 15:45 - 00696870 _____ () C:\Windows\system32\perfh007.dat
2015-01-24 11:30 - 2012-05-31 15:45 - 00148134 _____ () C:\Windows\system32\perfc007.dat
2015-01-24 11:30 - 2009-07-14 06:13 - 01612484 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-24 11:20 - 2014-09-21 23:22 - 00003954 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{F6F4E6B6-9A6F-4BFC-AC3D-2222AAD939A2}
2015-01-24 11:20 - 2012-05-31 06:00 - 01457727 _____ () C:\Windows\WindowsUpdate.log
2015-01-23 06:14 - 2014-05-30 11:30 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-01-22 22:08 - 2012-12-20 01:19 - 17427968 ___SH () C:\Users\XXXXX\Desktop\Thumbs.db
2015-01-22 20:29 - 2014-06-05 18:46 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\gtk-2.0
2015-01-22 20:29 - 2013-05-06 13:59 - 00000000 ____D () C:\Users\XXXXX\.gimp-2.8
2015-01-22 19:55 - 2009-07-14 05:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-22 19:55 - 2009-07-14 05:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-22 19:49 - 2012-11-04 14:12 - 00000000 ___RD () C:\Users\XXXXX\Dropbox
2015-01-22 19:49 - 2012-11-03 13:14 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Dropbox
2015-01-22 19:48 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-22 19:47 - 2014-02-26 11:50 - 00000000 ____D () C:\AdwCleaner
2015-01-21 16:48 - 2012-07-28 14:05 - 00000000 ____D () C:\Users\XXXXX
2015-01-21 15:14 - 2013-01-08 23:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-21 15:13 - 2014-08-03 16:30 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JonDoFox
2015-01-21 15:13 - 2012-07-28 14:06 - 00000972 _____ () C:\Users\XXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-21 14:39 - 2013-08-07 13:26 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\gnupg
2015-01-21 13:01 - 2014-09-17 16:58 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-01-21 12:43 - 2009-07-14 03:34 - 00000529 _____ () C:\Windows\win.ini
2015-01-21 12:42 - 2014-09-10 11:13 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2015-01-21 12:41 - 2009-07-14 04:20 - 00000000 __RSD () C:\Windows\Media
2015-01-21 12:22 - 2014-05-13 22:33 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-01-20 19:10 - 2012-10-25 20:18 - 00000000 ____D () C:\Users\XXXXX\Desktop\projekte
2015-01-20 14:14 - 2014-09-10 11:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 19:35 - 2014-03-29 12:33 - 00001578 _____ () C:\Windows\system32\TeamViewer9_Hooks.log
2015-01-15 19:35 - 2014-03-20 19:37 - 00001113 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2015-01-15 18:18 - 2014-12-22 14:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-01-12 22:15 - 2012-11-04 12:01 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Skype
2015-01-06 22:36 - 2014-06-05 19:27 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-06 22:36 - 2013-08-13 14:16 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\FileZilla
2015-01-06 21:46 - 2012-07-28 14:15 - 00000000 ____D () C:\Users\XXXXX\AppData\Roaming\Adobe
2015-01-06 21:46 - 2012-05-31 06:33 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-06 21:41 - 2014-05-23 18:51 - 00000000 ____D () C:\Program Files\Adobe
2015-01-05 19:34 - 2012-08-03 09:54 - 00000000 ____D () C:\Users\XXXXX\AppData\Local\Adobe
2015-01-05 19:23 - 2014-05-23 18:27 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-05 09:27 - 2014-01-03 15:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2015-01-05 09:27 - 2014-01-03 15:45 - 00000000 ____D () C:\Program Files (x86)\FileZilla FTP Client
2014-12-25 12:03 - 2009-07-14 05:45 - 05030416 _____ () C:\Windows\system32\FNTCACHE.DAT
==================== Files in the root of some directories =======
2014-07-16 01:16 - 2014-07-16 01:16 - 0071813 _____ () C:\Users\XXXXX\AppData\Roaming\gmic_grain_orwo_np20.cimgz
2014-07-16 01:22 - 2014-07-16 01:22 - 3107745 _____ () C:\Users\XXXXX\AppData\Roaming\update1593.gmic
2013-07-26 23:38 - 2014-02-26 00:35 - 0000215 _____ () C:\Users\XXXXX\AppData\Roaming\WB.CFG
2013-12-15 15:16 - 2013-12-15 15:16 - 0000006 _____ () C:\Users\XXXXX\AppData\Roaming\WBPU-Q5-TTL.DAT
2013-06-18 19:16 - 2014-01-28 09:35 - 0000005 _____ () C:\Users\XXXXX\AppData\Roaming\WBPU-TTL.DAT
2013-05-12 23:36 - 2014-03-13 13:05 - 0000600 _____ () C:\Users\XXXXX\AppData\Local\PUTTY.RND
2015-01-22 20:29 - 2015-01-22 20:29 - 0042649 _____ () C:\Users\XXXXX\AppData\Local\recently-used.xbel
Some content of TEMP:
====================
C:\Users\XXXXX\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkdnx6o.dll
C:\Users\XXXXX\AppData\Local\Temp\Quarantine.exe
C:\Users\XXXXX\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2015-01-14 12:40
==================== End Of Log ============================
--- --- --- [/CODE] |
|
24.01.2015, 16:14
| #11 |
| /// the machine /// TB-Ausbilder | Windows 7: "HealthAlert" befällt alle Browser Fertig Die Reihenfolge ist hier entscheidend.
Falls Du Lob oder Kritik abgeben möchtest kannst Du das hier tun Hier noch ein paar Tipps zur Absicherung deines Systems. Ich kann garnicht zu oft erwähnen, wie wichtig es ist, dass dein System Up to Date ist.
Anti- Viren Software
Zusätzlicher Schutz
Sicheres Browsen
Alternative Browser Andere Browser tendieren zu etwas mehr Sicherheit als der IE, da diese keine Active X Elemente verwenden. Diese können von Spyware zur Infektion deines Systems missbraucht werden.
Performance Bereinige regelmäßig deine Temp Files. Ich empfehle hierzu TFC Halte dich fern von jedlichen Registry Cleanern. Diese Schaden deinem System mehr als sie helfen. Hier ein paar ( englishe ) Links Miekemoes Blogspot ( MVP ) Bill Castner ( MVP ) Don'ts
Hinweis: Bitte gib mir eine kurze Rückmeldung wenn alles erledigt ist und keine Fragen mehr vorhanden sind, so das ich diesen Thread aus meinen Abos löschen kann.
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
25.01.2015, 16:43
| #12 |
| | Windows 7: "HealthAlert" befällt alle Browser Alles erledigt, alles gut. Vielen Dank für die Hilfe! |
|
25.01.2015, 19:01
| #13 |
| /// the machine /// TB-Ausbilder | Windows 7: "HealthAlert" befällt alle Browser Gern Geschehen
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
|
| Themen zu Windows 7: "HealthAlert" befällt alle Browser |
| alert, anwendung, browser, deinstallieren, einfügen, firefox, installation, installer, leute, links, logfiles, malwarebytes, neuinstallation, nichts, registry, revo uninstaller, spybot, superantispyware, systemsteuerung, trotz, versucht, websites, werbung, windows, windows 7, zurücksetzen |
Hybrid-Darstellung
