
Pests of all kinds and how to combat them: Firefox/NoScript reports clickjacking attack / UI redressing attempt on Lego.de

04.09.2013, 20:57   #1
Rentner2037
 



Hello,

Three days ago I got a warning from NoScript about a potential clickjacking attack, i.e. a UI redressing attempt.
So far this only happens on the Lego.de site, whenever you click on the blue LEGO ID and then on Username.

A program unknown to me was installed in Windows, which I uninstalled:
WebConnect3.0

Under the NoScript button I noticed that Edgecastcdn.net appeared on every website.
In Firefox I found an add-on that I also uninstalled, "Web1.0" or "Webconnect1.0"; I am no longer sure on this point.
After that, Edgecastcdn.net was gone.

I protect my Windows 7 64-bit system with Avast Free and Spybot SD.
As browser I use Firefox with NoScript, Ghostery and Adblock Plus.

After some research here in the forum I installed SpywareBlaster and Malwarebytes.

Malwarebytes found the following:
PUP.Optional.SweetIM
PUP.Optional.InstallCore.A
PUP.Optional.BrowserFox.A

I completely uninstalled and reinstalled Firefox and the add-ons, because I thought I had changed something in NoScript and the NoScript settings were to blame.
That did not help, though.

A full Avast scan did not find anything either.

I have not noticed any other problems so far; the system works normally.
I can still get onto the Lego site via the "Shop" detour, but not via the main page.

I wanted to create log files with FRST64, but I can no longer get the first log file, because I had saved it in the download folder and also started it from there; stupidly, I then cleaned my system again.

My personal guess is:
NoScript is reacting a bit sensitively where Lego.de is concerned.
Of course I am not sure, and I am considering a reinstallation.
Still, I am a curious person and would really like to know what went wrong on my machine.
This is my first report in about 8 years, and until now I thought my surfing behaviour plus the software I use kept me out of harm's way... but I guess it hits everyone sometime.

Looking forward to your help
Kind regards, Rentner2037

Defogger Log
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:36 on 04/09/2013 (Username)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         

FRST.txt

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-09-2013
Ran by Username (administrator) on UsernaNFUTURE on 04-09-2013 22:36:48
Running from C:\Users\Username\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
() C:\Windows\SysWOW64\ASGT.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Nokia) C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Nokia) C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
(Nokia) C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
(Nokia) C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe
(Ghisler Software GmbH) C:\Program Files (x86)\totalcmd\TOTALCMD64.EXE
(Farbar) C:\Users\Username\Desktop\FRST64(1).exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12489360 2012-05-18] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028896 2013-08-27] (NVIDIA Corporation)
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [] -  [x]
HKCU\...\Run: [NokiaSuite.exe] - C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe [1090912 2013-04-19] (Nokia)
MountPoints2: {a1d57a61-05d4-11e2-805b-806e6f6e6963} - "E:\Diablo III Setup.exe"
MountPoints2: {a1d57a62-05d4-11e2-805b-806e6f6e6963} - F:\autorun.exe
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-05-09] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Username\AppData\Roaming\Mozilla\Firefox\Profiles\q1gk82ao.default
FF DefaultSearchEngine: Bing
FF SelectedSearchEngine: Bing
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @nokia.com/EnablerPlugin - C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( )
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Username\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101727.dll (Amazon.com, Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: firefox - C:\Users\Username\AppData\Roaming\Mozilla\Firefox\Profiles\q1gk82ao.default\Extensions\firefox@ghostery.com.xpi
FF Extension: No Name - C:\Users\Username\AppData\Roaming\Mozilla\Firefox\Profiles\q1gk82ao.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF Extension: No Name - C:\Users\Username\AppData\Roaming\Mozilla\Firefox\Profiles\q1gk82ao.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKCU\...\Firefox\Extensions: [lyrix@lyrixeeker.co] C:\Program Files (x86)\LyriXeeker\128.xpi

==================== Services (Whitelisted) =================

R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-05-09] (AVAST Software)
S2 CLKMSVC10_38F51D56; C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [241648 2011-04-20] (CyberLink)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [14997280 2013-08-27] (NVIDIA Corporation)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-05-09] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-05-09] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [72016 2013-05-09] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-05-09] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1030952 2013-06-27] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [378944 2013-06-27] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-05-09] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [189936 2013-06-27] ()
R2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-08-20] (NVIDIA Corporation)
S1 UimBus; C:\Windows\System32\DRIVERS\uimx64.sys [59184 2011-11-17] (Windows (R) 2000 DDK provider)
S1 Uim_IM; C:\Windows\System32\Drivers\Uim_IMx64.sys [572336 2011-11-17] (Paragon)
S1 Uim_VIM; C:\Windows\System32\Drivers\uim_vimx64.sys [352816 2011-11-17] (Paragon)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-04 22:33 - 2013-09-04 22:33 - 01950668 _____ (Farbar) C:\Users\Username\Desktop\FRST64(1).exe
2013-09-04 18:41 - 2013-09-04 20:49 - 00001133 _____ C:\Windows\setupact.log
2013-09-04 18:41 - 2013-09-04 18:41 - 00000000 _____ C:\Windows\setuperr.log
2013-09-04 00:39 - 2013-09-04 00:39 - 00001164 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-09-04 00:39 - 2013-09-04 00:39 - 00000000 ____D C:\Users\Username\AppData\Roaming\Mozilla
2013-09-04 00:38 - 2013-09-04 00:39 - 22240760 _____ (Mozilla) C:\Users\Username\Downloads\Firefox_Setup_23.0.1.exe
2013-09-02 21:31 - 2013-09-02 21:31 - 00000000 ____D C:\FRST
2013-09-02 21:29 - 2013-09-02 21:29 - 00000000 _____ C:\Users\Username\defogger_reenable
2013-09-02 21:28 - 2013-09-02 21:28 - 00050477 _____ C:\Users\Username\Desktop\Defogger.exe
2013-09-02 00:50 - 2013-09-04 01:19 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2013-09-02 00:50 - 2013-09-02 00:50 - 04095448 _____ (BrightFort LLC                                              ) C:\Users\Username\Downloads\spywareblastersetup50.exe
2013-09-02 00:50 - 2013-09-02 00:50 - 00001102 _____ C:\Users\Public\Desktop\SpywareBlaster.lnk
2013-09-02 00:50 - 2013-09-02 00:50 - 00000000 ____D C:\ProgramData\Licenses
2013-09-02 00:50 - 2009-03-24 12:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL
2013-09-02 00:44 - 2013-09-02 00:44 - 00000000 ____D C:\Users\Username\AppData\Roaming\Malwarebytes
2013-09-02 00:43 - 2013-09-02 00:43 - 00001138 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-09-02 00:43 - 2013-09-02 00:43 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-02 00:43 - 2013-09-02 00:43 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-02 00:43 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-09-02 00:42 - 2013-09-02 00:42 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Username\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-01 18:05 - 2013-09-01 18:05 - 00002167 _____ C:\Users\Public\Desktop\Angry Birds Star Wars.lnk
2013-08-29 19:25 - 2013-08-20 15:33 - 00039200 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2013-08-29 19:25 - 2013-08-20 15:32 - 00028448 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2013-08-24 17:51 - 2013-08-24 17:51 - 00002058 _____ C:\Users\Username\Desktop\JDownloader.lnk
2013-08-23 23:31 - 2013-07-26 07:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-23 23:31 - 2013-07-26 07:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-23 23:31 - 2013-07-26 07:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-08-23 23:31 - 2013-07-26 07:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-23 23:31 - 2013-07-26 07:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-08-23 23:31 - 2013-07-26 05:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-23 23:31 - 2013-07-26 05:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-23 23:31 - 2013-07-26 05:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-23 23:31 - 2013-07-26 05:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-23 23:31 - 2013-07-26 05:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-23 23:31 - 2013-07-26 05:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-23 23:31 - 2013-07-26 04:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-23 23:31 - 2013-07-26 04:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-08-23 23:31 - 2013-07-26 03:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-23 23:17 - 2013-08-23 23:17 - 00000000 ____D C:\NvidiaLogging
2013-08-23 23:16 - 2013-08-20 15:32 - 00029984 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll
2013-08-23 23:15 - 2013-08-23 23:15 - 00000000 ____D C:\Users\Userna~1\AppData\Local\NVIDIA
2013-08-23 23:11 - 2013-08-23 23:11 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies
2013-08-23 23:08 - 2013-08-24 15:54 - 01590370 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-08-23 23:07 - 2013-06-21 14:06 - 27781920 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 25256224 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 21102368 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 17560352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 15144928 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 11235104 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2013-08-23 23:07 - 2013-06-21 14:06 - 09239344 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 07687592 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 07641832 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 06324360 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 02953504 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 02777888 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 02597856 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 02363680 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 02002720 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 01832224 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6432049.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 01511712 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6432049.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00925648 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00572704 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00570656 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00467232 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00465184 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00432928 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00372000 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00266448 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00218592 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00214448 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2013-08-23 23:07 - 2013-06-21 14:06 - 00181488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2013-08-23 23:07 - 2013-02-25 07:27 - 00194848 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2013-08-23 23:07 - 2013-02-25 07:27 - 00031520 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2013-08-23 21:23 - 2013-09-03 22:58 - 00000000 ____D C:\Users\Username\AppData\Roaming\vlc
2013-08-23 21:02 - 2013-08-23 21:02 - 00001077 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-23 20:28 - 2013-08-23 20:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-08-23 18:59 - 2013-09-04 00:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-08-23 18:16 - 2013-07-25 11:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-08-23 18:16 - 2013-07-25 10:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-23 18:16 - 2013-07-19 03:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-23 18:16 - 2013-07-19 03:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-23 18:16 - 2013-07-09 07:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-23 18:16 - 2013-07-09 07:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-23 18:16 - 2013-07-09 07:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-23 18:16 - 2013-07-09 07:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-23 18:16 - 2013-07-09 07:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-23 18:16 - 2013-07-09 06:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-23 18:16 - 2013-07-09 06:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-23 18:16 - 2013-07-09 06:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-23 18:16 - 2013-07-09 06:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-23 18:16 - 2013-07-09 06:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-23 18:16 - 2013-07-06 08:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-23 18:16 - 2013-06-15 06:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys

==================== One Month Modified Files and Folders =======

2013-09-04 22:33 - 2013-09-04 22:33 - 01950668 _____ (Farbar) C:\Users\Username\Desktop\FRST64(1).exe
2013-09-04 20:56 - 2009-07-14 06:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-04 20:56 - 2009-07-14 06:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-04 20:55 - 2011-04-12 09:43 - 00696848 _____ C:\Windows\system32\perfh007.dat
2013-09-04 20:55 - 2011-04-12 09:43 - 00148144 _____ C:\Windows\system32\perfc007.dat
2013-09-04 20:55 - 2009-07-14 07:13 - 01613412 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-04 20:49 - 2013-09-04 18:41 - 00001133 _____ C:\Windows\setupact.log
2013-09-04 20:49 - 2012-09-24 01:09 - 00000000 ____D C:\ProgramData\NVIDIA
2013-09-04 20:49 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-04 18:45 - 2013-07-20 14:41 - 01709181 _____ C:\Windows\WindowsUpdate.log
2013-09-04 18:41 - 2013-09-04 18:41 - 00000000 _____ C:\Windows\setuperr.log
2013-09-04 18:41 - 2012-09-24 00:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-09-04 01:19 - 2013-09-02 00:50 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2013-09-04 00:39 - 2013-09-04 00:39 - 00001164 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-09-04 00:39 - 2013-09-04 00:39 - 00000000 ____D C:\Users\Username\AppData\Roaming\Mozilla
2013-09-04 00:39 - 2013-09-04 00:38 - 22240760 _____ (Mozilla) C:\Users\Username\Downloads\Firefox_Setup_23.0.1.exe
2013-09-04 00:39 - 2013-08-23 18:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-03 22:58 - 2013-08-23 21:23 - 00000000 ____D C:\Users\Username\AppData\Roaming\vlc
2013-09-02 21:31 - 2013-09-02 21:31 - 00000000 ____D C:\FRST
2013-09-02 21:29 - 2013-09-02 21:29 - 00000000 _____ C:\Users\Username\defogger_reenable
2013-09-02 21:29 - 2012-09-24 00:38 - 00000000 ____D C:\Users\Username
2013-09-02 21:28 - 2013-09-02 21:28 - 00050477 _____ C:\Users\Username\Desktop\Defogger.exe
2013-09-02 00:50 - 2013-09-02 00:50 - 04095448 _____ (BrightFort LLC                                              ) C:\Users\Username\Downloads\spywareblastersetup50.exe
2013-09-02 00:50 - 2013-09-02 00:50 - 00001102 _____ C:\Users\Public\Desktop\SpywareBlaster.lnk
2013-09-02 00:50 - 2013-09-02 00:50 - 00000000 ____D C:\ProgramData\Licenses
2013-09-02 00:44 - 2013-09-02 00:44 - 00000000 ____D C:\Users\Username\AppData\Roaming\Malwarebytes
2013-09-02 00:43 - 2013-09-02 00:43 - 00001138 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-09-02 00:43 - 2013-09-02 00:43 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-02 00:43 - 2013-09-02 00:43 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-02 00:42 - 2013-09-02 00:42 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Username\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-01 21:07 - 2012-10-09 00:20 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-09-01 20:31 - 2012-09-24 00:45 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2013-09-01 18:05 - 2013-09-01 18:05 - 00002167 _____ C:\Users\Public\Desktop\Angry Birds Star Wars.lnk
2013-09-01 18:05 - 2013-07-19 16:56 - 00000000 ____D C:\Users\Username\AppData\Roaming\Rovio Entertainment Ltd
2013-08-31 20:38 - 2012-11-13 20:40 - 00451249 ____R C:\Windows\system32\Drivers\etc\hosts.20130901.backup
2013-08-29 19:26 - 2012-09-24 01:09 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2013-08-24 19:27 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2013-08-24 17:57 - 2012-09-27 19:22 - 00000000 ____D C:\Program Files (x86)\JDownloader
2013-08-24 17:51 - 2013-08-24 17:51 - 00002058 _____ C:\Users\Username\Desktop\JDownloader.lnk
2013-08-24 17:40 - 2012-09-24 21:45 - 00000829 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-08-24 17:40 - 2012-09-24 21:45 - 00000000 ____D C:\Program Files\CCleaner
2013-08-24 17:40 - 2012-09-24 01:32 - 00000000 ____D C:\Windows\Panther
2013-08-24 15:54 - 2013-08-23 23:08 - 01590370 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-08-24 15:38 - 2012-12-07 20:18 - 00000022 _____ C:\Windows\GPU-Z.INI
2013-08-23 23:29 - 2013-07-22 21:56 - 00000000 ____D C:\Windows\system32\MRT
2013-08-23 23:29 - 2012-10-31 20:31 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-23 23:26 - 2012-09-24 19:42 - 78161360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-08-23 23:17 - 2013-08-23 23:17 - 00000000 ____D C:\NvidiaLogging
2013-08-23 23:17 - 2012-09-24 01:08 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-08-23 23:15 - 2013-08-23 23:15 - 00000000 ____D C:\Users\Userna~1\AppData\Local\NVIDIA
2013-08-23 23:15 - 2012-09-24 01:08 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2013-08-23 23:11 - 2013-08-23 23:11 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies
2013-08-23 22:39 - 2012-11-13 20:40 - 00451249 ____R C:\Windows\system32\Drivers\etc\hosts.20130831-203828.backup
2013-08-23 21:02 - 2013-08-23 21:02 - 00001077 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-23 20:56 - 2012-10-16 17:51 - 00000000 ____D C:\Users\Username\AppData\Roaming\foobar2000
2013-08-23 20:42 - 2012-09-24 00:45 - 00000000 _____ C:\Windows\SysWOW64\config.nt
2013-08-23 20:29 - 2013-08-23 20:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-08-20 15:33 - 2013-08-29 19:25 - 00039200 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2013-08-20 15:32 - 2013-08-29 19:25 - 00028448 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2013-08-20 15:32 - 2013-08-23 23:16 - 00029984 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll

Files to move or delete:
====================
C:\Users\Userna~1\AppData\Local\Temp\NOSEventMessages.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-23 19:58

==================== End Of Log ============================
         
Last edited by Rentner2037 (04.09.2013 at 21:45)

05.09.2013, 18:55   #2
Rentner2037
 



Gmer.txt

GMER Logfile:
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-09-04 22:53:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 OCZ-VERT rev.1.5_ 119,24GB
Running: cm4khe5u.exe; Driver: C:\Users\USERNA~1\AppData\Local\Temp\pxdcypow.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!EngSetLastError + 140                                                                                        fffff960000d4a48 8 bytes [24, CD, B0, 03, 80, F8, FF, ...]
.text  C:\Windows\System32\win32k.sys!EngSetLastError + 616                                                                                        fffff960000d4c24 8 bytes [04, BA, B0, 03, 80, F8, FF, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable                                                                                             fffff96000103e00 7 bytes [00, A3, F3, FF, 01, AF, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8                                                                                         fffff96000103e08 3 bytes [C0, 06, 02]
.text  ...                                                                                                                                         * 106
.text  C:\Windows\System32\win32k.sys!EngGetProcessHandle + 424                                                                                    fffff960001c2a98 6 bytes {JMP QWORD [RIP+0x65fde]}

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\system32\services.exe[620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\system32\winlogon.exe[824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Windows\system32\nvvsvc.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                   000000007781eecd 1 byte [62]
.text  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112              00000000757aa30a 1 byte [62]
.text  C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\System32\svchost.exe[264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\System32\svchost.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                        000000007781eecd 1 byte [62]
.text  C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                  000000007781eecd 1 byte [62]
.text  C:\Windows\System32\spoolsv.exe[1660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Windows\SysWOW64\ASGT.exe[1760] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                    00000000757aa30a 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                 000000007781eecd 1 byte [62]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2008] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112        00000000757aa30a 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[1328] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112          00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[1804] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                   00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[1804] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                 0000000075571465 2 bytes [57, 75]
.text  C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[1804] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                00000000755714bb 2 bytes [57, 75]
.text  ...                                                                                                                                         * 2
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                           0000000077903ae0 5 bytes JMP 00000001001b075c
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                             0000000077907a90 5 bytes JMP 00000001001b03a4
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                0000000077931490 5 bytes JMP 00000001001b0b14
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                    00000000779314f0 5 bytes JMP 00000001001b0ecc
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     00000000779315d0 5 bytes JMP 00000001001b163c
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                 0000000077931810 5 bytes JMP 00000001001b1284
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     0000000077932840 5 bytes JMP 00000001001b19f4
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                000000007781eecd 1 byte [62]
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                             000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                 000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                 000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                       000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                       000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Windows\system32\taskhost.exe[2740] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                        000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                0000000077903ae0 5 bytes JMP 000000010012075c
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                  0000000077907a90 5 bytes JMP 00000001001203a4
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                     0000000077931490 5 bytes JMP 0000000100120b14
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                         00000000779314f0 5 bytes JMP 0000000100120ecc
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                          00000000779315d0 5 bytes JMP 000000010012163c
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                      0000000077931810 5 bytes JMP 0000000100121284
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                          0000000077932840 5 bytes JMP 00000001001219f4
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                  000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                      000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                      000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                     000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                     000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                            000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                            000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Windows\system32\Dwm.exe[2868] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                             000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                    0000000077903ae0 5 bytes JMP 000000010020075c
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                      0000000077907a90 5 bytes JMP 00000001002003a4
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                         0000000077931490 5 bytes JMP 0000000100200b14
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                             00000000779314f0 5 bytes JMP 0000000100200ecc
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                              00000000779315d0 5 bytes JMP 000000010020163c
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                          0000000077931810 5 bytes JMP 0000000100201284
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                              0000000077932840 5 bytes JMP 00000001002019f4
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                         000000007781eecd 1 byte [62]
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                      000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                          000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                          000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                         000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                         000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Windows\Explorer.EXE[3048] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                 000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                            0000000077903ae0 5 bytes JMP 00000001002e075c
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                              0000000077907a90 5 bytes JMP 00000001002e03a4
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                 0000000077931490 5 bytes JMP 00000001002e0b14
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                     00000000779314f0 5 bytes JMP 00000001002e0ecc
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                      00000000779315d0 5 bytes JMP 00000001002e163c
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                  0000000077931810 5 bytes JMP 00000001002e1284
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                      0000000077932840 5 bytes JMP 00000001002e19f4
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                 000000007781eecd 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity              000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                  000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                  000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                 000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                 000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                        000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                        000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3060] C:\Windows\SYSTEM32\sechost.dll!DeleteService                         000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                            0000000077903ae0 5 bytes JMP 000000010040075c
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                              0000000077907a90 5 bytes JMP 00000001004003a4
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                 0000000077931490 5 bytes JMP 0000000100400b14
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                     00000000779314f0 5 bytes JMP 0000000100400ecc
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                      00000000779315d0 5 bytes JMP 000000010040163c
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                  0000000077931810 5 bytes JMP 0000000100401284
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                      0000000077932840 5 bytes JMP 00000001004019f4
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                              000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                  000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                  000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                 000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                 000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                        000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                        000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Windows\system32\conhost.exe[2560] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                         000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                            0000000077903ae0 5 bytes JMP 000000010040075c
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                              0000000077907a90 5 bytes JMP 00000001004003a4
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                 0000000077931490 5 bytes JMP 0000000100400b14
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                     00000000779314f0 5 bytes JMP 0000000100400ecc
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                      00000000779315d0 5 bytes JMP 000000010040163c
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                  0000000077931810 5 bytes JMP 0000000100401284
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                      0000000077932840 5 bytes JMP 00000001004019f4
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                 000000007781eecd 1 byte [62]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                              000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                  000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                  000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                 000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                 000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                        000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                        000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3312] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                         000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory          0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory              0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess               0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory           0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread               0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                       0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                     0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112          00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\syswow64\USER32.dll!SetWinEventHook                 0000000075c2ee09 5 bytes JMP 00000001002401f8
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                  0000000075c33982 5 bytes JMP 00000001002403fc
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW               0000000075c37603 5 bytes JMP 0000000100240804
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA               0000000075c3835c 5 bytes JMP 0000000100240600
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx             0000000075c4f52b 5 bytes JMP 0000000100240a08
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity       0000000077145181 5 bytes JMP 0000000100251014
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA           0000000077145254 5 bytes JMP 0000000100250804
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW           00000000771453d5 3 bytes JMP 0000000100250a08
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW + 4       00000000771453d9 1 byte [89]
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A          00000000771454c2 5 bytes JMP 0000000100250c0c
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W          00000000771455e2 5 bytes JMP 0000000100250e10
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                 000000007714567c 5 bytes JMP 00000001002501f8
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                 000000007714589f 5 bytes JMP 00000001002503fc
.text  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3320] C:\Windows\SysWOW64\sechost.dll!DeleteService                  0000000077145a22 5 bytes JMP 0000000100250600
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory         0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory             0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess              0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory          0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread              0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                      0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                    0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112         00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\syswow64\USER32.dll!SetWinEventHook                0000000075c2ee09 5 bytes JMP 00000001000901f8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                 0000000075c33982 5 bytes JMP 00000001000903fc
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW              0000000075c37603 5 bytes JMP 0000000100090804
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA              0000000075c3835c 5 bytes JMP 0000000100090600
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx            0000000075c4f52b 5 bytes JMP 0000000100090a08
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity      0000000077145181 5 bytes JMP 00000001000a1014
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA          0000000077145254 5 bytes JMP 00000001000a0804
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW          00000000771453d5 5 bytes JMP 00000001000a0a08
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A         00000000771454c2 5 bytes JMP 00000001000a0c0c
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W         00000000771455e2 5 bytes JMP 00000001000a0e10
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                000000007714567c 5 bytes JMP 00000001000a01f8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                000000007714589f 5 bytes JMP 00000001000a03fc
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3344] C:\Windows\SysWOW64\sechost.dll!DeleteService                 0000000077145a22 5 bytes JMP 00000001000a0600
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                               00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                    0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                     0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                 0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                     0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                             0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                           0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity             0000000077145181 5 bytes JMP 00000001001e1014
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                 0000000077145254 5 bytes JMP 00000001001e0804
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                 00000000771453d5 5 bytes JMP 00000001001e0a08
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                00000000771454c2 5 bytes JMP 00000001001e0c0c
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                00000000771455e2 5 bytes JMP 00000001001e0e10
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                       000000007714567c 5 bytes JMP 00000001001e01f8
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                       000000007714589f 5 bytes JMP 00000001001e03fc
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\SysWOW64\sechost.dll!DeleteService                        0000000077145a22 5 bytes JMP 00000001001e0600
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\syswow64\USER32.dll!SetWinEventHook                       0000000075c2ee09 5 bytes JMP 00000001002701f8
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                        0000000075c33982 5 bytes JMP 00000001002703fc
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                     0000000075c37603 5 bytes JMP 0000000100270804
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                     0000000075c3835c 5 bytes JMP 0000000100270600
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3712] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                   0000000075c4f52b 5 bytes JMP 0000000100270a08
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                    0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                     0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                 0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                     0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                             0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                           0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity             0000000077145181 5 bytes JMP 0000000100101014
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                 0000000077145254 5 bytes JMP 0000000100100804
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                 00000000771453d5 5 bytes JMP 0000000100100a08
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                00000000771454c2 5 bytes JMP 0000000100100c0c
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                00000000771455e2 5 bytes JMP 0000000100100e10
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                       000000007714567c 5 bytes JMP 00000001001001f8
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                       000000007714589f 5 bytes JMP 00000001001003fc
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\SysWOW64\sechost.dll!DeleteService                        0000000077145a22 5 bytes JMP 0000000100100600
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\syswow64\USER32.dll!SetWinEventHook                       0000000075c2ee09 5 bytes JMP 00000001001101f8
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                        0000000075c33982 5 bytes JMP 00000001001103fc
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                     0000000075c37603 5 bytes JMP 0000000100110804
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                     0000000075c3835c 5 bytes JMP 0000000100110600
.text  C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[3804] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                   0000000075c4f52b 5 bytes JMP 0000000100110a08
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity   000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA       000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW       000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A      000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W      000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA             000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW             000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[3888] C:\Windows\SYSTEM32\sechost.dll!DeleteService              000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory     0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory         0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess          0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory      0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread          0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                  0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112     00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity  0000000077145181 5 bytes JMP 0000000100141014
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA      0000000077145254 5 bytes JMP 0000000100140804
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW      00000000771453d5 5 bytes JMP 0000000100140a08
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A     00000000771454c2 5 bytes JMP 0000000100140c0c
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W     00000000771455e2 5 bytes JMP 0000000100140e10
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!CreateServiceA            000000007714567c 5 bytes JMP 00000001001401f8
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!CreateServiceW            000000007714589f 5 bytes JMP 00000001001403fc
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\SysWOW64\sechost.dll!DeleteService             0000000077145a22 5 bytes JMP 0000000100140600
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\syswow64\USER32.dll!SetWinEventHook            0000000075c2ee09 5 bytes JMP 00000001001501f8
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\syswow64\USER32.dll!UnhookWinEvent             0000000075c33982 5 bytes JMP 00000001001503fc
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW          0000000075c37603 5 bytes JMP 0000000100150804
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA          0000000075c3835c 5 bytes JMP 0000000100150600
.text  C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[2872] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx        0000000075c4f52b 5 bytes JMP 0000000100150a08
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                            0000000077903ae0 5 bytes JMP 00000001002a075c
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                              0000000077907a90 5 bytes JMP 00000001002a03a4
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                 0000000077931490 5 bytes JMP 00000001002a0b14
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                     00000000779314f0 5 bytes JMP 00000001002a0ecc
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                      00000000779315d0 5 bytes JMP 00000001002a163c
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                  0000000077931810 5 bytes JMP 00000001002a1284
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                      0000000077932840 5 bytes JMP 00000001002a19f4
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                              000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                  000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                  000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                 000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                 000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                        000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                        000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Windows\System32\svchost.exe[2672] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                         000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory     0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory         0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess          0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory      0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread          0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                  0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112     00000000757aa30a 1 byte [62]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity  0000000077145181 5 bytes JMP 0000000100191014
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA      0000000077145254 5 bytes JMP 0000000100190804
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW      00000000771453d5 5 bytes JMP 0000000100190a08
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A     00000000771454c2 5 bytes JMP 0000000100190c0c
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W     00000000771455e2 5 bytes JMP 0000000100190e10
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!CreateServiceA            000000007714567c 5 bytes JMP 00000001001901f8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!CreateServiceW            000000007714589f 5 bytes JMP 00000001001903fc
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\SysWOW64\sechost.dll!DeleteService             0000000077145a22 5 bytes JMP 0000000100190600
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\syswow64\USER32.dll!SetWinEventHook            0000000075c2ee09 5 bytes JMP 00000001001a01f8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\syswow64\USER32.dll!UnhookWinEvent             0000000075c33982 5 bytes JMP 00000001001a03fc
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW          0000000075c37603 5 bytes JMP 00000001001a0804
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA          0000000075c3835c 5 bytes JMP 00000001001a0600
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[3500] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx        0000000075c4f52b 5 bytes JMP 00000001001a0a08
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                  0000000077adfaa0 5 bytes JMP 0000000100030600
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                      0000000077adfb38 5 bytes JMP 0000000100030804
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                       0000000077adfc90 5 bytes JMP 0000000100030c0c
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                   0000000077ae0018 5 bytes JMP 0000000100030a08
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                       0000000077ae1900 5 bytes JMP 0000000100030e10
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                               0000000077afc45a 5 bytes JMP 00000001000301f8
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                             0000000077b01217 5 bytes JMP 00000001000303fc
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                  00000000757aa30a 1 byte [62]
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                         0000000075c2ee09 5 bytes JMP 00000001001401f8
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                          0000000075c33982 5 bytes JMP 00000001001403fc
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                       0000000075c37603 5 bytes JMP 0000000100140804
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                       0000000075c3835c 5 bytes JMP 0000000100140600
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                     0000000075c4f52b 5 bytes JMP 0000000100140a08
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                               0000000077145181 5 bytes JMP 0000000100151014
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                   0000000077145254 5 bytes JMP 0000000100150804
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                   00000000771453d5 5 bytes JMP 0000000100150a08
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                  00000000771454c2 5 bytes JMP 0000000100150c0c
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                  00000000771455e2 5 bytes JMP 0000000100150e10
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                         000000007714567c 5 bytes JMP 00000001001501f8
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                         000000007714589f 5 bytes JMP 00000001001503fc
.text  C:\Windows\SysWOW64\ctfmon.exe[4740] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                          0000000077145a22 5 bytes JMP 0000000100150600
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                      0000000077903ae0 5 bytes JMP 000000010046075c
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                        0000000077907a90 5 bytes JMP 00000001004603a4
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                           0000000077931490 5 bytes JMP 0000000100460b14
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                               00000000779314f0 5 bytes JMP 0000000100460ecc
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                00000000779315d0 5 bytes JMP 000000010046163c
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                            0000000077931810 5 bytes JMP 0000000100461284
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                0000000077932840 5 bytes JMP 00000001004619f4
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                        000007feff896e00 5 bytes JMP 000007ff7f8b1dac
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                            000007feff896f2c 5 bytes JMP 000007ff7f8b0ecc
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                            000007feff897220 5 bytes JMP 000007ff7f8b1284
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                           000007feff89739c 5 bytes JMP 000007ff7f8b163c
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                           000007feff897538 5 bytes JMP 000007ff7f8b19f4
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                  000007feff8975e8 5 bytes JMP 000007ff7f8b03a4
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                  000007feff89790c 5 bytes JMP 000007ff7f8b075c
.text  C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                   000007feff897ab4 5 bytes JMP 000007ff7f8b0b14
.text  C:\Windows\system32\AUDIODG.EXE[4380] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189                                                 000000007781eecd 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                          000000007781eecd 1 byte [62]
.text  C:\Users\Username\Desktop\cm4khe5u.exe[4876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                    00000000757aa30a 1 byte [62]

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type                                                                                        2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start                                                                                       2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl                                                                                1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName                                                                                 aswFsBlk
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group                                                                                       FSFilter Activity Monitor
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService                                                                             FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description                                                                                 avast! mini-filter driver (aswFsBlk)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag                                                                                         2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances                                                                                   
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance                                                                   aswFsBlk Instance

---- EOF - GMER 2.1 ----
         
--- --- ---


I forgot the Malwarebytes log, sorry.

I was not able to recover the first FRST log file from the SSD. Is there a way to get FRST to generate it again?

In addition:
What matters to me is whether there is anything on my system that could capture passwords, if that can be determined at all. I have not logged in anywhere since then, apart from this site of course.

Best regards,
Rentner2037

Code:
ATTFilter
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.09.01.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Username :: Username [Administrator]

02.09.2013 00:45:51
mbam-log-2013-09-02 (00-45-51).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 240342
Laufzeit: 1 Minute(n), 54 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 2
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Daten: 0S1S1T0E1J1L1H1R -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Windows\Installer\25d9b7.msi (PUP.Optional.SweetIM) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
         
__________________


Old 09.09.2013, 01:10   #3
Rentner2037
 
This thread is resolved, since I did a fresh installation.

It continues here:

http://www.trojaner-board.de/141215-...ml#post1150785
.
__________________

    Nachrichten - 08.09.2010 (0)
  16. Someboys Versuch einer schnellen Antwort zu provozieren
    Alles rund um Windows - 22.01.2003 (18)

Zum Thema Firefox/NoScript meldet Clickjacking-Attacke/Versuch einer UI-Umadressierung auf Lego.de - Hallo, ich habe vor 3 Tagen von NoScript eine Warnung über einen potentiellen Clickjacking-Angriff bekommen bzw. Versuch einer UI-Umadressierung. Dies tritt bisher nur auf der Lego.de Seite auf, immer wenn - Firefox/NoScript meldet Clickjacking-Attacke/Versuch einer UI-Umadressierung auf Lego.de...
Archiv
Du betrachtest: Firefox/NoScript meldet Clickjacking-Attacke/Versuch einer UI-Umadressierung auf Lego.de auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.