Plagegeister aller Art und deren Bekämpfung: (Login) log at the bank shows times when I cannot have been online - complete scan of my system (Windows 7)

If you are not sure whether you have caught malware or a trojan, create a thread here. An expert will respond with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you remove the infection.
02.11.2013, 11:25 | #1 |
(Login) log at the bank shows times when I cannot have been online - complete scan of my system

Hello dear community,

first of all I have now followed the guide and
1) defogger (disable)
2) FRST (FRST log + Addition log)
For step three I now have to switch everything off - GMER ---> follows

Regards
Medi
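Step 3 in the post above is a GMER rootkit scan, and the part of such a log that takes longest to read by eye is the "User code sections" list, where the same ntdll functions are reported as hooked in process after process. The following Python script is an added example (not code from this thread, from GMER or from Trojaner-Board) that parses those entries, tolerates the run-together form in which the log appears further down in this thread, groups the hooks per process, and checks whether every process shows the same function-to-offset layout relative to its lowest JMP target. A layout that is identical across processes is what one module injected everywhere looks like; the script only structures that observation and does not decide whether the module is benign or hostile. The sample input is an excerpt taken from the log posted later in this thread; the only assumption is that process and module paths contain no spaces, which holds for the excerpt.

```python
import re
from collections import defaultdict

# Excerpt from the GMER log posted further down in this thread, kept in the
# run-together form in which it was extracted (a real log has one entry per line;
# both forms are handled below).
SAMPLE_LOG = r"""
GMER 2.1.19163 - hxxp://www.gmer.net
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 00000001496b0370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001496b03b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001496b01e0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
"""

# One entry: ".text <process>[<pid>] <module>!<function>[ + <off>] <address> <n> byte(s) <patch>"
# Assumption: process and module paths contain no spaces (true for the excerpt above).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<function>\w+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+"
    r"(?P<patch>.+?)\s*$"
)
# Inline JMP hooks carry a 16-digit target; other patches (e.g. "[62]") do not.
JMP_RE = re.compile(r"^JMP\s+([0-9a-fA-F]{16})")


def parse_hooks(text):
    """Return one dict per hook entry; entries may be run together on one line."""
    flat = " ".join(text.split())  # collapse line breaks and repeated spaces
    hooks = []
    for chunk in re.split(r"(?=\.text\s)", flat):
        m = HOOK_RE.match(chunk.strip())
        if not m:
            continue  # header / separator text before the first entry
        entry = m.groupdict()
        entry["pid"] = int(entry["pid"])
        entry["size"] = int(entry["size"])
        jmp = JMP_RE.match(entry["patch"])
        entry["target"] = int(jmp.group(1), 16) if jmp else None
        hooks.append(entry)
    return hooks


def summarize(hooks):
    """Per (process, pid): lowest JMP target, function->offset layout, byte patches."""
    per_proc = defaultdict(lambda: {"jmp": {}, "patches": []})
    for h in hooks:
        key = (h["process"], h["pid"])
        if h["target"] is None:
            per_proc[key]["patches"].append((h["module"], h["function"], h["patch"]))
        else:
            per_proc[key]["jmp"][h["function"]] = h["target"]
    summary = {}
    for key, d in per_proc.items():
        base = min(d["jmp"].values()) if d["jmp"] else None
        layout = frozenset()
        if base is not None:
            # Offsets relative to the lowest target make layouts comparable
            # across processes even though the module base differs per process.
            layout = frozenset((fn, t - base) for fn, t in d["jmp"].items())
        summary[key] = {"base": base, "layout": layout, "patches": d["patches"]}
    return summary


def consistent_layout(summary):
    """True when every process with JMP hooks shows the same function->offset layout."""
    layouts = {s["layout"] for s in summary.values() if s["layout"]}
    return len(layouts) == 1


if __name__ == "__main__":
    summary = summarize(parse_hooks(SAMPLE_LOG))
    for (proc, pid), s in summary.items():
        base = f"0x{s['base']:x}" if s["base"] is not None else "-"
        print(f"{proc}[{pid}]: {len(s['layout'])} JMP hooks, base {base}, "
              f"{len(s['patches'])} byte patches")
    print("identical hook layout in all processes:", consistent_layout(summary))
```

Running the script on the full log from this thread (paste it into SAMPLE_LOG or read it from a file) is the quickest way to see whether the dozens of hooks in csrss, wininit, services, lsass and lsm reduce to one repeated layout or whether some process carries extra or differently placed hooks, which is the process a helper would look at first.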
02.11.2013, 11:30 | #2 |
/// the machine /// TB-Ausbilder

Hi,

__________________
Please always post logs in the thread. If necessary, split them and use several posts. This is how it works: posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files in a CODE box, proceed as follows:
02.11.2013, 12:11 | #3 |
3) gmer (part 1)
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-11-02 12:03:23
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 OCZ-VERT rev.1.5_ 238,47GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Tatarus\AppData\Local\Temp\kftirfow.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 00000001496b0460
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 00000001496b0450
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 00000001496b0370
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 00000001496b0470
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001496b03e0
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 00000001496b0320
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001496b03b0
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 00000001496b0390
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001496b02e0
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001496b02d0
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 00000001496b0310
.text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001496b03c0
.text C:\Windows\system32\csrss.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001496b03f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 00000001496b0230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 00000001496b0480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001496b03a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001496b02f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 00000001496b0350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 00000001496b0290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001496b02b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001496b03d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 00000001496b0330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 00000001496b0410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 00000001496b0240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001496b01e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 00000001496b0250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 00000001496b0490 .text 
C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001496b04a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 00000001496b0300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 00000001496b0360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001496b02a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001496b02c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 00000001496b0380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 00000001496b0340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 00000001496b0440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 00000001496b0260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 00000001496b0270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 00000001496b0400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000001496b01f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 00000001496b0210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 00000001496b0200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes 
JMP 00000001496b0420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 00000001496b0430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 00000001496b0220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 00000001496b0280 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\wininit.exe[628] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 
0000000077910250 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\wininit.exe[628] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\wininit.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 00000001496b0460 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 00000001496b0450 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 00000001496b0370 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 00000001496b0470 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001496b03e0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 00000001496b0320 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001496b03b0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 00000001496b0390 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001496b02e0 .text 
C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001496b02d0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 00000001496b0310 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001496b03c0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001496b03f0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 00000001496b0230 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 00000001496b0480 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001496b03a0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001496b02f0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 00000001496b0350 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 00000001496b0290 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001496b02b0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001496b03d0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 00000001496b0330 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 00000001496b0410 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 
bytes JMP 00000001496b0240 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001496b01e0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 00000001496b0250 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 00000001496b0490 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001496b04a0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 00000001496b0300 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 00000001496b0360 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001496b02a0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001496b02c0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 00000001496b0380 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 00000001496b0340 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 00000001496b0440 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 00000001496b0260 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 00000001496b0270 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 00000001496b0400 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000777b29a0 5 bytes JMP 00000001496b01f0 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 00000001496b0210 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 00000001496b0200 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 00000001496b0420 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 00000001496b0430 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 00000001496b0220 .text C:\Windows\system32\csrss.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 00000001496b0280 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000100070390 .text 
C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[692] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 
0000000100070270 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001000702b0 .text 
C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 
0000000100070440 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 
bytes JMP 0000000077910340 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[820] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes 
JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[820] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 
0000000077910460 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[908] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 
bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\svchost.exe[908] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 
.text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\winlogon.exe[168] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 
bytes JMP 0000000077910420 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\winlogon.exe[168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\System32\svchost.exe[492] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair |
02.11.2013, 12:12 | #4 |
| (Login) Log at the bank shows times when I cannot have been online - Complete scan of my system gmer ( Part 2 ) Code:
ATTFilter .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\System32\svchost.exe[492] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\System32\svchost.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Windows\System32\svchost.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Windows\System32\svchost.exe[480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000100070460
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000100070450
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000100070370
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000100070470
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000100070320
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000100070390
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000100070310
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000100070230
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000100070480
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001000702f0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000100070350
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000100070290
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000100070330
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000100070410
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000100070240
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000100070250
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000100070490
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000100070300
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000100070360
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001000702a0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001000702c0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000100070380
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000100070340
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000100070440
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000100070260
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000100070270
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000100070400
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000001000701f0
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000100070210
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000100070200
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000100070420
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000100070430
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000100070220
.text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000100070280
.text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Windows\system32\AUDIODG.EXE[1104] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62]
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80
5 bytes JMP 0000000077910280 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1608] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1608] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 
0000000100070310 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1792] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 
5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\svchost.exe[1820] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 
bytes JMP 0000000077910410 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\svchost.exe[1820] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\svchost.exe[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[1096] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 
0000000077910230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Program Files\Intel\iCLS 
Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1856] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe[2120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] |
02.11.2013, 12:13 | #5 |
| Part 3 Code:
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text 
C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\Explorer.EXE[3736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\Explorer.EXE[3736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Program 
Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Program Files (x86)\Qualcomm 
Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[1392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes 
JMP 00000000779103c0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Program Files 
(x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AthBtTray.exe[3416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
000000007769eecd 1 byte [62] .text C:\Program Files (x86)\VVCap\VVCap.exe[3436] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] |
02.11.2013, 12:14 | #6 |
| (Login) log at the bank shows times when I cannot have been online - complete scan of my system Part 4 Code:
C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 
00000000779101f0 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280 .text C:\Windows\system32\SearchIndexer.exe[4068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007795f9e0 5 bytes JMP 000000016a6bf270 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007795fa28 5 bytes JMP 000000016a6bf8d2 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007795fa40 5 bytes JMP 000000016a6be00d .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007795fa90 5 bytes JMP 000000016a6bdb69 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007795faa8 5 bytes JMP 000000016a6bde5a .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007795fb40 5 bytes JMP 000000016a6bfb12 
.text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007795fc38 5 bytes JMP 000000016a6caccc .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007795fd4c 5 bytes JMP 000000016a6bd9b1 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007795fd64 5 bytes JMP 000000016a6ca2ee .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007795fd98 5 bytes JMP 000000016a6ca5e9 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007795fe44 5 bytes JMP 000000016a6bee45 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007795fe5c 5 bytes JMP 000000016a6ca417 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779600b4 5 bytes JMP 000000016a6ca133 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779601c4 5 bytes JMP 000000016a6be1b5 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077960754 5 bytes JMP 000000016a6bfbb4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000779609e4 5 bytes JMP 000000016a6ca32b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000779609fc 5 bytes JMP 000000016a6bd785 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077960a44 5 bytes JMP 
000000016a6be36b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077960b80 5 bytes JMP 000000016a6bd89b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077960f70 5 bytes JMP 000000016a6be7f8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077960f88 5 bytes JMP 000000016a6be994 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077961018 5 bytes JMP 000000016a6bf95f .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077961030 5 bytes JMP 000000016a6bfa82 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077961048 5 bytes JMP 000000016a6bf9ef .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007796133c 5 bytes JMP 000000016a6ca500 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007796147c 5 bytes JMP 000000016a6be66b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077961528 5 bytes JMP 000000016a6beb58 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077961718 5 bytes JMP 000000016a6be4e3 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077961a58 5 bytes JMP 000000016a6bdd12 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077961b9c 5 bytes JMP 000000016a6becda .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076fc103d 5 bytes JMP 000000016a6a35da .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076fc1072 5 bytes JMP 000000016a6a3a3e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076fec965 5 bytes JMP 000000016a6a36f4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\kernel32.dll!WinExec 0000000077042c51 5 bytes JMP 000000016a6a3938 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075562642 5 bytes JMP 000000016a6a3c4b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075b16143 5 bytes JMP 000000016982ebc5 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000075b1ea09 7 bytes JMP 000000016a6de7f9 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!OleRun 0000000075b207de 5 bytes JMP 000000016a6de338 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000075b221e1 5 bytes JMP 000000016a6e1c0c .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000075b2eba1 6 bytes JMP 000000016a6de2af .text C:\Program Files\Microsoft Office 
15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000075b2efd7 5 bytes JMP 000000016a6de267 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000075b454ad 5 bytes JMP 000000016a6e0282 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000075b509ad 5 bytes JMP 000000016a6de207 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000075b586d3 5 bytes JMP 000000016a6e0c96 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b59d0b 5 bytes JMP 000000016a6e19b3 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075b59d4e 5 bytes JMP 000000016a6df891 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000075b7bb09 7 bytes JMP 000000016a6de380 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000075b9eacf 5 bytes JMP 000000016a6dff46 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000075bd340b 5 bytes JMP 000000016a6e0d96 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000075c1cfd9 5 bytes JMP 000000016a6de2f0 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075c89ebd 5 bytes JMP 0000000168da6231 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075c90afa 5 bytes JMP 
0000000168dab33f .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000075c91361 5 bytes JMP 0000000168dba4b4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000075c97849 5 bytes JMP 0000000168efddcc .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000763d7fab 5 bytes JMP 0000000168f8eea9 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!SysFreeString 0000000077493e59 5 bytes JMP 0000000168ddce3e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!VariantClear 0000000077493eae 5 bytes JMP 0000000168df0927 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!SysAllocStringByteLen 0000000077494731 5 bytes JMP 0000000168eab601 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!VariantChangeType 0000000077495dee 5 bytes JMP 0000000168e67eb8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject 00000000774c279e 1 byte JMP 000000016a6e08a2 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject + 2 00000000774c27a0 3 bytes {JMP RAX} .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject 00000000774c3294 5 bytes JMP 000000016a6de1bf .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[1448] C:\Windows\syswow64\oleaut32.dll!GetActiveObject 00000000774d8f40 5 bytes JMP 000000016a6e0a36 .text C:\Windows\SysWOW64\ntdll.dll[1256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 
byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3228] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3556] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000100070460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000100070370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000100070470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000100070320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000100070390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000100070310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000100070230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000100070410 .text 
C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000100070250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000100070490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 
bytes JMP 0000000100070260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007769eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370 
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\taskeng.exe[4772] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes 
JMP 00000000779102c0
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\system32\taskeng.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2500] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62]
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b1360 5 bytes JMP 0000000077910460
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b13b0 5 bytes JMP 0000000077910450
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777b1510 5 bytes JMP 0000000077910370
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b1560 5 bytes JMP 0000000077910470
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777b1570 5 bytes JMP 00000000779103e0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1620 5 bytes JMP 0000000077910320
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777b1650 5 bytes JMP 00000000779103b0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777b1670 5 bytes JMP 0000000077910390
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b16b0 5 bytes JMP 00000000779102e0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1730 5 bytes JMP 00000000779102d0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b1750 5 bytes JMP 0000000077910310
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777b1790 5 bytes JMP 00000000779103c0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777b17e0 5 bytes JMP 00000000779103f0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b1940 5 bytes JMP 0000000077910230
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b00 5 bytes JMP 0000000077910480
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777b1b30 5 bytes JMP 00000000779103a0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c10 5 bytes JMP 00000000779102f0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c20 5 bytes JMP 0000000077910350
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1c80 5 bytes JMP 0000000077910290
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d10 5 bytes JMP 00000000779102b0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777b1d30 5 bytes JMP 00000000779103d0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1d40 5 bytes JMP 0000000077910330
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777b1db0 5 bytes JMP 0000000077910410
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1de0 5 bytes JMP 0000000077910240
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b20a0 5 bytes JMP 00000000779101e0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b2160 5 bytes JMP 0000000077910250
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b2190 5 bytes JMP 0000000077910490
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b21a0 5 bytes JMP 00000000779104a0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b21d0 5 bytes JMP 0000000077910300
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b21e0 5 bytes JMP 0000000077910360
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b2240 5 bytes JMP 00000000779102a0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b2290 5 bytes JMP 00000000779102c0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777b22c0 5 bytes JMP 0000000077910380
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b22d0 5 bytes JMP 0000000077910340
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777b25c0 5 bytes JMP 0000000077910440
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b27c0 5 bytes JMP 0000000077910260
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b27d0 5 bytes JMP 0000000077910270
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777b27e0 5 bytes JMP 0000000077910400
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b29a0 5 bytes JMP 00000000779101f0
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b29b0 5 bytes JMP 0000000077910210
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a20 5 bytes JMP 0000000077910200
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777b2a80 5 bytes JMP 0000000077910420
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777b2a90 5 bytes JMP 0000000077910430
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2aa0 5 bytes JMP 0000000077910220
.text C:\Windows\System32\svchost.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2b80 5 bytes JMP 0000000077910280
.text C:\Users\Tatarus\Desktop\Sicherheit PC\gmer_2.1.19163.exe[6692] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076fea2ba 1 byte [62]

---- Threads - GMER 2.1 ----

Thread [1396:1560] 0000000077992e65
Thread [1396:1588] 0000000077993e85
Thread [1396:1592] 0000000074dcf28e
Thread [1396:1596] 0000000077993e85
Thread [1396:1600] 0000000077993e85
Thread [1396:1604] 0000000076057587
Thread [1396:1616] 00000000746f0580
Thread [1396:1624] 0000000074794bd0
Thread [1396:1628] 00000000743ee8e0
Thread [1396:1632] 00000000743ee080
Thread [1396:1636] 0000000072c35da0
Thread [1396:1640] 0000000074dcf28e
Thread [1396:1644] 0000000074dcf28e
Thread [1396:1648] 0000000074dcf28e
Thread [1396:1868] 0000000074dcf28e
Thread [1396:1920] 00000000743e0e00
Thread [1396:1924] 00000000743e0e00
Thread [1396:1928] 00000000743e0e00
Thread [1396:1932] 00000000743e0e00
Thread [1396:1936] 00000000743e0e00
Thread [1396:1940] 00000000743e2510
Thread [1396:1944] 00000000743e17d0
Thread [1396:1948] 0000000074416530
Thread [1396:1952] 00000000744150c0
Thread [1396:1956] 0000000074415550
Thread [1396:1960] 00000000743e3bc0
Thread [1396:1964] 00000000743e3bc0
Thread [1396:1968] 00000000743e3bc0
Thread [1396:1972] 00000000743e3bc0
Thread [1396:1976] 00000000743e3bc0
Thread [1396:1980] 00000000725f1080
Thread [1396:1984] 00000000725e1010
Thread [1396:2012] 00000000725b1530
Thread [1396:2016] 0000000074dcf28e
Thread [1396:2020] 0000000074dcf28e
Thread [1396:2024] 0000000072551600
Thread [1396:2028] 00000000743ef590
Thread [1396:2032] 00000000743e3690
Thread [1396:1200] 0000000074dcf28e
Thread [1396:1516] 00000000724952c9
Thread [1396:1512] 000000007443d630
Thread [1396:1552] 00000000742b71c0
Thread [1396:2148] 0000000074dcf28e
Thread [1396:2156] 00000000746f4720
Thread [1396:2160] 00000000746f64f0
Thread [1396:2164] 0000000074dcf28e
Thread [1396:2168] 00000000746ec750
Thread [1396:2228] 0000000074dcf28e
Thread [1396:3264] 0000000077993e85
Thread [1396:3272] 0000000074dcf28e
Thread [1396:4144] 0000000077993e85
Thread [1396:3700] 0000000077993e85
Thread [1396:5032] 0000000075b3d864
Thread [1396:4360] 0000000071ef62ee
Thread [1396:4976] 0000000077997151
Thread [1396:5040] 00000000725f16d0
Thread [1396:3816] 000000006c0e95d0
Thread [1396:3912] 0000000077993e85
Thread [1396:4824] 0000000074dcf28e
Thread [1396:4496] 0000000071ec1960
Thread [1396:4488] 0000000071ec1e90
Thread [1396:4272] 0000000074e176ef
Thread [1396:4340] 0000000074e176ef
Thread [1396:3576] 0000000074e176ef
Thread [1396:3552] 0000000074e176ef
Thread [1396:4872] 0000000074e176ef
Thread [1396:4852] 0000000074e176ef
Thread [1396:3872] 0000000074e176ef
Thread [1396:2212] 0000000074e176ef
Thread [1396:2492] 0000000074e176ef
Thread [1396:2344] 0000000074e176ef
Thread [1396:4932] 0000000074e176ef
Thread [1396:1452] 0000000060d1fd91
Thread [1396:4920] 0000000060d1fd91
Thread [1396:5692] 0000000077993e85
Thread [1396:6064] 0000000077993e85
Thread [1396:2300] 0000000077993e85
Thread [1396:6336] 0000000077993e85
Thread C:\Windows\SysWOW64\ntdll.dll [1256:1884] 0000000000323c21
Thread C:\Windows\SysWOW64\ntdll.dll [1256:1752] 0000000070d4cff3
Thread C:\Windows\SysWOW64\ntdll.dll [1256:3220] 0000000070ce28ae

---- Processes - GMER 2.1 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000068d80000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000068360000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000063f20000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000063a70000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000063a20000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000063790000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1031\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 00000000636b0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000063610000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 0000000072f50000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 00000000635b0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEERR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [1448] 000000006c320000

---- Services - GMER 2.1 ----

Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswKbd.sys (*** hidden *** ) [SYSTEM] aswKbd <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!!
Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!!
Service C:\Program Files\AVAST Software\Avast\afwServ.exe (*** hidden *** ) [AUTO] avast! Firewall <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----
02.11.2013, 12:45 | #7 |
Part 5
Code:
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description Avast! Mini-filter Driver
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 6
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ImagePath \??\C:\Windows\system32\drivers\aswKbd.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName avast! Revert
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 14
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 431527
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@ Commited
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@BootTimeout 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@TickTimeout 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@CreationTime 0xE5 0xAF 0xE1 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@SetupOperations MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.1382559794","\??\c:\program files\avast software\avast\ashwebsv.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.sum.1382559794","\??\c:\program files\avast software\avast\ashwebsv.dll.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.1382559794","\??\c:\program files\avast software\avast\avastui.exe",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.sum.1382559794","\??\c:\program files\avast software\avast\avastui.exe.sum",TRUE)?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@StartBootCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1382559794@StartTickCounter 8595
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName aswTdi
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description aswTdi
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName avast! VM Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 288
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS?
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Verwaltet und implementiert die avast! Antivirus Dienste auf diesem Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus Container sowie die Zeitplan.
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe"
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543e4472d
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543e4472d@0009b092378f 0x7C 0xFC 0x3C 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e543e4472d@b0c4e7321d59 0x1E 0xFD 0x14 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description Avast! Mini-filter Driver
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd)
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 6
Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ImagePath \??\C:\Windows\system32\drivers\aswKbd.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip?
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName avast! Revert
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 14
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 431527
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@ Commited
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@BootTimeout 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@TickTimeout 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@CreationTime 0xE5 0xAF 0xE1 0xB3 ...
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@SetupOperations MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.1382559794","\??\c:\program files\avast software\avast\ashwebsv.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.sum.1382559794","\??\c:\program files\avast software\avast\ashwebsv.dll.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.1382559794","\??\c:\program files\avast software\avast\avastui.exe",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.sum.1382559794","\??\c:\program files\avast software\avast\avastui.exe.sum",TRUE)?
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@StartBootCounter 2
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1382559794@StartTickCounter 8595
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 0
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName aswTdi
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip?
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description aswTdi
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName avast! VM Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 288
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS?
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Verwaltet und implementiert die avast! Antivirus Dienste auf diesem Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus Container sowie die Zeitplan.
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe"
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e543e4472d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e543e4472d@0009b092378f 0x7C 0xFC 0x3C 0xD1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e543e4472d@b0c4e7321d59 0x1E 0xFD 0x14 0x2D ... ---- EOF - GMER 2.1 ---- Many thanks in advance! Regards. "GMER has found system modi.... Caused ... Rootkit ...." This appeared not only at the beginning but also at the end? HitmanPro log Code:
ATTFilter HitmanPro 3.7.8.208 www.hitmanpro.com Computer name . . . . : Windows . . . . . . . : 6.1.1.7601.X64/4 User name . . . . . . : UAC . . . . . . . . . : Enabled License . . . . . . . : Free Scan date . . . . . . : 2013-11-02 12:40:23 Scan mode . . . . . . : Normal Scan duration . . . . : 1m 44s Disk access mode . . : Direct disk access (SRB) Cloud . . . . . . . . : Internet Reboot . . . . . . . : No Threats . . . . . . . : 0 Traces . . . . . . . : 15 Objects scanned . . . : 1.598.749 Files scanned . . . . : 21.212 Remnants scanned . . : 271.933 files / 1.305.604 keys Potential Unwanted Programs _________________________________________________ HKLM\SOFTWARE\Classes\AppID\secman.DLL\ (Babylon) HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon) HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon) HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon) HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon) HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon) HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\AppID\secman.DLL\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon) HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon) HKU\S-1-5-21-2026040523-498085690-2578999147-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro) |
02.11.2013, 19:07 | #8 |
/// the machine /// TB-Ausbilder | (Login) Log at the bank shows times when I cannot have been online - Complete scan of my system Hi, please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-Bit | FRST 64-Bit (If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 Donations Guides and help Trojaner-Board Facebook page No help via PM! |
02.11.2013, 20:07 | #9 |
| (Login) Log at the bank shows times when I cannot have been online - Complete scan of my system FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-10-2013 Ran by Tatarus (administrator) on TATARUS-PC on 02-11-2013 19:24:21 Running from C:\Users\Tatarus\Desktop\Sicherheit PC Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 10 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (AMD) C:\Windows\system32\atiesrxx.exe (AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AMD) C:\Windows\system32\atieclxx.exe (AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe (Atheros Commnucations) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe (Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Nero AG) C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe (Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe (Prolific Technology Inc.) C:\Windows\SysWOW64\IoctlSvc.exe (Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (VIA Technologies, Inc.) C:\Windows\system32\viakaraokesrv.exe (G Central) C:\Program Files (x86)\VVCap\VVCap.exe (Microsoft Corporation) C:\Windows\System32\StikyNot.exe (AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil64_11_9_900_117_ActiveX.exe (Microsoft Corporation) C:\Windows\sysWow64\SearchProtocolHost.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] () Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKCU\...\Run: [VVCap] - C:\Program Files (x86)\VVCap\VVCap.exe [765440 2010-12-28] (G Central) HKCU\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation) MountPoints2: {1384dd2e-0d88-11e2-be77-806e6f6e6963} - E:\Run.exe HKLM-x32\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\avastui.exe [3567800 2013-10-23] (AVAST Software) ==================== Internet (Whitelisted) ==================== ProxyServer: 190.94.211.163:8080 HKCU\Software\Microsoft\Internet 
Explorer\Main,Start Page = hxxp://www.msn.com/ HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xE71E92DB9AF4CD01 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE SearchScopes: HKLM - DefaultScope value is missing. BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation) BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.) 
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation) BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation) BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations) BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL (Microsoft Corporation) BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL (Microsoft Corporation) Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) 
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) DPF: HKLM {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.) Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL (Microsoft Corporation) Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 Chrome: ======= CHR HomePage: hxxp://www.google.com/ CHR RestoreOnStartup: "hxxp://www.google.com/" CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\22.0.1229.79\PepperFlash\pepflashplayer.dll No File CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll () CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\pdf.dll () CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation) CHR Plugin: (Intel\u00AE Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation) CHR Extension: (YouTube) - C:\Users\Tatarus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0 CHR Extension: (Google Search) - C:\Users\Tatarus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0 CHR Extension: (JavaScript Compression Tool) - C:\Users\Tatarus\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioedocnocclgpmbkhbaopeapakehljhd\1.0_0 CHR Extension: (Skype Click to Call) - C:\Users\Tatarus\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.3.0.11079_0 CHR Extension: (Google Wallet) - C:\Users\Tatarus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0 CHR Extension: (Gmail) - C:\Users\Tatarus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1 CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx ==================== Services (Whitelisted) ================= S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] () R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [128640 2012-06-28] (Atheros Commnucations) R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-10-23] (AVAST Software) R2 avast! 
Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [179088 2013-10-23] (AVAST Software) R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation) R2 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-02-18] (Nero AG) S3 NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [529704 2008-02-28] (Nero AG) R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1907896 2013-09-06] (Microsoft Corporation) R2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27792 2012-08-03] (VIA Technologies, Inc.) ==================== Drivers (Whitelisted) ==================== R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21616 2011-11-02] () R2 aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [38984 2013-10-23] (AVAST Software) R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28184 2013-10-23] (AVAST Software) R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [84328 2013-10-23] (AVAST Software) R1 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [447888 2013-10-23] (AVAST Software) R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-10-23] (AVAST Software) R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-10-23] () R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1032416 2013-10-23] (AVAST Software) R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [409832 2013-10-23] (AVAST Software) R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [65264 2013-10-23] (AVAST Software) R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [205320 2013-10-23] () R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [118504 2012-12-19] (Qualcomm Atheros Co., Ltd.) 
S3 gdrv; \??\C:\Windows\gdrv.sys [x] ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-11-02 18:45 - 2013-11-02 18:45 - 00000056 _____ C:\Windows\setupact.log 2013-11-02 18:45 - 2013-11-02 18:45 - 00000000 _____ C:\Windows\setuperr.log 2013-11-02 18:44 - 2013-11-02 18:44 - 00000436 _____ C:\Windows\PFRO.log 2013-11-02 13:23 - 2013-11-02 13:23 - 00614816 _____ C:\Users\Tatarus\Downloads\HijackThis - CHIP-Downloader.exe 2013-11-02 13:04 - 2013-11-02 13:04 - 00000000 ___RD C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices 2013-11-02 12:52 - 2013-11-02 12:52 - 00066208 _____ C:\Users\Tatarus\Downloads\OTL.Txt 2013-11-02 12:22 - 2013-11-02 12:25 - 00000000 ____D C:\ProgramData\HitmanPro 2013-11-02 11:15 - 2013-11-02 11:15 - 00000000 ____D C:\FRST 2013-11-02 10:45 - 2013-11-02 10:45 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Tatarus\Downloads\mbam-setup-1.75.0.1300.exe 2013-10-26 22:31 - 2013-10-26 22:31 - 00019530 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_233132.csv 2013-10-26 22:30 - 2013-10-26 22:30 - 00130992 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_233020.csv 2013-10-26 22:28 - 2013-10-26 22:28 - 00202870 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_232815.csv 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\AVAST Software 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\ProgramData\Google 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\Program Files\Google 2013-10-23 09:35 - 2013-10-23 09:35 - 00002032 _____ C:\Users\Public\Desktop\avast! 
SafeZone.lnk 2013-10-20 10:29 - 2013-11-02 19:07 - 00005150 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for Tatarus-PC-Tatarus Tatarus-PC 2013-10-19 17:51 - 2013-10-19 17:51 - 00000000 ____D C:\Users\Tatarus\Downloads\Kanon der Literatur 2013-10-19 07:10 - 2013-10-19 07:10 - 00000284 _____ C:\Users\Tatarus\Desktop\IC Markets cAlgo.appref-ms 2013-10-19 07:10 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IC Markets cAlgo 2013-10-19 07:10 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets cAlgo 2013-10-19 07:04 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\Documents\cAlgo 2013-10-19 07:04 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets cTrader 2013-10-19 07:04 - 2013-10-19 07:05 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000292 _____ C:\Users\Tatarus\Desktop\IC Markets cTrader.appref-ms 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\Documents\cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IC Markets cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets-cTraderCommon 2013-10-19 07:03 - 2013-10-19 07:03 - 00508696 _____ () C:\Users\Tatarus\Downloads\ctrader-icmarkets-setup.exe 2013-10-19 07:03 - 2013-10-19 07:03 - 00508696 _____ () C:\Users\Tatarus\Downloads\ctrader-icmarkets-setup (1).exe 2013-10-17 22:58 - 2013-10-17 22:58 - 00000000 ____D C:\Users\Tatarus\Documents\Benutzerdefinierte Office-Vorlagen 2013-10-16 14:03 - 2013-10-16 14:06 - 00000000 ____D C:\Users\Tatarus\Downloads\04c936e45c28872aef3bb90fbd3b0a2b 2013-10-16 08:10 - 2013-10-16 08:10 - 00000000 ____D C:\Program Files\Microsoft Office 15 2013-10-13 10:39 - 2013-10-13 10:39 - 00000282 _____ C:\Users\Tatarus\Downloads\message (5).amr 2013-10-13 
10:38 - 2013-10-13 10:38 - 00016344 _____ C:\Users\Tatarus\Downloads\message (4).amr 2013-10-13 10:38 - 2013-10-13 10:38 - 00005516 _____ C:\Users\Tatarus\Downloads\message (3).amr 2013-10-13 10:37 - 2013-10-13 10:37 - 00011292 _____ C:\Users\Tatarus\Downloads\message (1).amr 2013-10-13 10:37 - 2013-10-13 10:37 - 00007882 _____ C:\Users\Tatarus\Downloads\message (2).amr 2013-10-13 10:36 - 2013-10-13 10:36 - 00003518 _____ C:\Users\Tatarus\Downloads\message.amr 2013-10-11 10:44 - 2013-10-11 10:44 - 00002474 _____ C:\Users\Tatarus\Downloads\license.avastlic 2013-10-11 10:07 - 2013-10-11 10:08 - 00001607 _____ C:\Users\Tatarus\Downloads\itcharts (1).jnlp 2013-10-11 07:25 - 2013-10-11 07:25 - 00001607 _____ C:\Users\Tatarus\Downloads\itcharts.jnlp 2013-10-09 15:45 - 2013-09-23 00:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2013-10-09 15:45 - 2013-09-23 00:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00039424 
_____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2013-10-09 15:45 - 2013-09-23 00:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2013-10-09 15:45 - 2013-09-22 23:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2013-10-09 15:45 - 2013-09-22 23:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2013-10-09 15:45 - 2013-09-22 23:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe 2013-10-09 15:45 - 2013-09-22 23:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2013-10-09 15:45 - 2013-09-22 23:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll 2013-10-09 15:45 - 2013-09-21 04:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2013-10-09 15:45 - 2013-09-21 04:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2013-10-09 15:45 - 2013-09-21 03:48 - 00089600 _____ (Microsoft Corporation) 
C:\Windows\system32\RegisterIEPKEYs.exe 2013-10-09 15:45 - 2013-09-21 03:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe 2013-10-09 13:28 - 2013-09-14 02:10 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys 2013-10-09 13:28 - 2013-09-08 03:30 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys 2013-10-09 13:28 - 2013-09-08 03:27 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll 2013-10-09 13:28 - 2013-09-08 03:03 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll 2013-10-09 13:28 - 2013-09-04 13:12 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys 2013-10-09 13:28 - 2013-09-04 13:11 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys 2013-10-09 13:28 - 2013-09-04 13:11 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys 2013-10-09 13:28 - 2013-09-04 13:11 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys 2013-10-09 13:28 - 2013-09-04 13:11 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys 2013-10-09 13:28 - 2013-09-04 13:11 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys 2013-10-09 13:28 - 2013-09-04 13:11 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys 2013-10-09 13:28 - 2013-08-29 03:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe 2013-10-09 13:28 - 2013-08-29 03:16 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll 2013-10-09 13:28 - 2013-08-29 03:16 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll 2013-10-09 13:28 - 2013-08-29 03:16 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll 2013-10-09 13:28 - 2013-08-29 03:13 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll 2013-10-09 13:28 - 2013-08-29 02:51 - 
03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe 2013-10-09 13:28 - 2013-08-29 02:51 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe 2013-10-09 13:28 - 2013-08-29 02:50 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll 2013-10-09 13:28 - 2013-08-29 02:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll 2013-10-09 13:28 - 2013-08-29 02:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll 2013-10-09 13:28 - 2013-08-29 02:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll 2013-10-09 13:28 - 2013-08-29 01:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe 2013-10-09 13:28 - 2013-08-29 01:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll 2013-10-09 13:28 - 2013-08-29 01:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe 2013-10-09 13:28 - 2013-08-29 01:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe 2013-10-09 13:28 - 2013-08-28 02:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2013-10-09 13:28 - 2013-08-28 02:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\system32\scavengeui.dll 2013-10-09 13:28 - 2013-08-01 13:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys 2013-10-09 13:28 - 2013-07-20 11:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll 2013-10-09 13:28 - 2013-07-20 11:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll 2013-10-09 13:28 - 2013-07-12 11:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbcir.sys 2013-10-09 13:28 - 2013-07-04 13:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll 2013-10-09 13:28 - 2013-07-04 13:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll 
2013-10-09 13:28 - 2013-07-04 13:50 - 00102400 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll 2013-10-09 13:28 - 2013-07-04 12:57 - 00205824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll 2013-10-09 13:28 - 2013-07-04 12:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll 2013-10-09 13:28 - 2013-07-04 12:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll 2013-10-09 13:28 - 2013-07-04 11:11 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys 2013-10-09 13:28 - 2013-07-03 05:40 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbscan.sys 2013-10-09 13:28 - 2013-07-03 05:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys 2013-10-09 13:28 - 2013-07-03 05:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys 2013-10-09 13:28 - 2013-06-25 23:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys 2013-10-09 13:28 - 2013-06-06 06:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll 2013-10-09 13:28 - 2013-06-06 06:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll 2013-10-09 13:28 - 2013-06-06 06:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll 2013-10-09 13:28 - 2013-06-06 06:47 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll 2013-10-09 13:28 - 2013-06-06 05:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll 2013-10-09 13:28 - 2013-06-06 05:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll 2013-10-09 13:28 - 2013-06-06 05:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll 2013-10-09 13:28 - 2013-06-06 04:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll 2013-10-09 13:28 - 2013-06-06 04:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll 
2013-10-09 13:28 - 2013-06-06 04:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll ==================== One Month Modified Files and Folders ======= 2013-11-02 19:24 - 2013-04-30 00:00 - 00000000 ___RD C:\Users\Tatarus\Desktop\Sicherheit PC 2013-11-02 19:07 - 2013-10-20 10:29 - 00005150 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for Tatarus-PC-Tatarus Tatarus-PC 2013-11-02 18:53 - 2013-09-22 18:13 - 00000000 ____D C:\Users\Tatarus\Documents\Outlook-Dateien 2013-11-02 18:52 - 2009-07-14 05:45 - 00021504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2013-11-02 18:52 - 2009-07-14 05:45 - 00021504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2013-11-02 18:50 - 2011-04-12 08:43 - 00707948 _____ C:\Windows\system32\perfh007.dat 2013-11-02 18:50 - 2011-04-12 08:43 - 00153434 _____ C:\Windows\system32\perfc007.dat 2013-11-02 18:50 - 2009-07-14 06:13 - 01644542 _____ C:\Windows\system32\PerfStringBackup.INI 2013-11-02 18:45 - 2013-11-02 18:45 - 00000056 _____ C:\Windows\setupact.log 2013-11-02 18:45 - 2013-11-02 18:45 - 00000000 _____ C:\Windows\setuperr.log 2013-11-02 18:45 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2013-11-02 18:44 - 2013-11-02 18:44 - 00000436 _____ C:\Windows\PFRO.log 2013-11-02 14:30 - 2013-07-28 19:02 - 01125072 _____ C:\Windows\WindowsUpdate.log 2013-11-02 14:28 - 2012-12-17 02:19 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job 2013-11-02 13:33 - 2012-10-03 19:31 - 00000000 ____D C:\Users\Tatarus 2013-11-02 13:23 - 2013-11-02 13:23 - 00614816 _____ C:\Users\Tatarus\Downloads\HijackThis - CHIP-Downloader.exe 2013-11-02 13:20 - 2012-10-03 19:31 - 00000000 ___RD C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2013-11-02 13:10 - 2013-06-27 16:51 - 00000000 ____D C:\Users\Tatarus\AppData\Local\CrashDumps 2013-11-02 13:10 - 
2012-10-03 20:27 - 00000000 ____D C:\Windows\Panther 2013-11-02 13:04 - 2013-11-02 13:04 - 00000000 ___RD C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices 2013-11-02 13:04 - 2013-08-17 23:03 - 00000000 ___RD C:\Users\Tatarus\Dropbox 2013-11-02 13:04 - 2013-08-17 23:01 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Dropbox 2013-11-02 12:56 - 2013-04-30 18:18 - 00000000 ____D C:\JRT 2013-11-02 12:52 - 2013-11-02 12:52 - 00066208 _____ C:\Users\Tatarus\Downloads\OTL.Txt 2013-11-02 12:25 - 2013-11-02 12:22 - 00000000 ____D C:\ProgramData\HitmanPro 2013-11-02 12:00 - 2013-08-17 23:02 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox 2013-11-02 11:53 - 2013-02-18 16:24 - 00000000 ____D C:\Users\Tatarus\Downloads\Programme 2013-11-02 11:15 - 2013-11-02 11:15 - 00000000 ____D C:\FRST 2013-11-02 10:45 - 2013-11-02 10:45 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Tatarus\Downloads\mbam-setup-1.75.0.1300.exe 2013-11-01 23:58 - 2012-10-03 20:05 - 00000000 ____D C:\Users\Tatarus\AppData\Local\Deployment 2013-11-01 20:09 - 2012-12-13 15:00 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Skype 2013-11-01 07:08 - 2012-10-03 20:00 - 00004182 _____ C:\Windows\System32\Tasks\avast! 
Emergency Update 2013-10-30 01:02 - 2013-01-08 01:41 - 00000000 ___RD C:\Users\Tatarus\Bilder 2013-10-28 18:11 - 2013-03-22 13:57 - 00000000 ____D C:\Users\Tatarus\Documents\Eigene Scans 2013-10-27 15:22 - 2013-09-13 14:23 - 00000600 _____ C:\Users\Tatarus\AppData\Roaming\winscp.rnd 2013-10-27 15:21 - 2013-09-17 11:46 - 00000000 ____D C:\Users\Tatarus\Documents\Schule 2013-10-26 22:31 - 2013-10-26 22:31 - 00019530 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_233132.csv 2013-10-26 22:30 - 2013-10-26 22:30 - 00130992 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_233020.csv 2013-10-26 22:28 - 2013-10-26 22:28 - 00202870 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_232815.csv 2013-10-26 19:25 - 2012-10-03 20:05 - 00001112 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-10-26 19:25 - 2012-10-03 20:05 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\AVAST Software 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\ProgramData\Google 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\Program Files\Google 2013-10-23 20:41 - 2012-10-03 20:05 - 00004110 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2013-10-23 20:41 - 2012-10-03 20:05 - 00003858 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2013-10-23 20:41 - 2012-10-03 20:05 - 00000000 ____D C:\Program Files (x86)\Google 2013-10-23 09:35 - 2013-10-23 09:35 - 00002032 _____ C:\Users\Public\Desktop\avast! 
SafeZone.lnk 2013-10-23 09:35 - 2013-03-13 00:12 - 00447888 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNdisFlt.sys 2013-10-23 09:35 - 2013-03-13 00:12 - 00205320 _____ C:\Windows\system32\Drivers\aswVmm.sys 2013-10-23 09:35 - 2013-03-13 00:12 - 00065776 _____ C:\Windows\system32\Drivers\aswRvrt.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 01032416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00409832 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00334648 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe 2013-10-23 09:35 - 2012-10-03 20:00 - 00092544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00084328 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00065264 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00038984 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFsBlk.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00028184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00001972 _____ C:\Users\Public\Desktop\avast! 
Internet Security.lnk 2013-10-23 09:35 - 2012-10-03 19:59 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr 2013-10-23 09:23 - 2012-10-03 20:00 - 00000000 _____ C:\Windows\SysWOW64\config.nt 2013-10-23 09:23 - 2012-10-03 19:59 - 00000000 ____D C:\ProgramData\AVAST Software 2013-10-19 17:51 - 2013-10-19 17:51 - 00000000 ____D C:\Users\Tatarus\Downloads\Kanon der Literatur 2013-10-19 07:10 - 2013-10-19 07:10 - 00000284 _____ C:\Users\Tatarus\Desktop\IC Markets cAlgo.appref-ms 2013-10-19 07:10 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IC Markets cAlgo 2013-10-19 07:10 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets cAlgo 2013-10-19 07:10 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\Documents\cAlgo 2013-10-19 07:10 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets cTrader 2013-10-19 07:05 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000292 _____ C:\Users\Tatarus\Desktop\IC Markets cTrader.appref-ms 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\Documents\cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IC Markets cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets-cTraderCommon 2013-10-19 07:03 - 2013-10-19 07:03 - 00508696 _____ () C:\Users\Tatarus\Downloads\ctrader-icmarkets-setup.exe 2013-10-19 07:03 - 2013-10-19 07:03 - 00508696 _____ () C:\Users\Tatarus\Downloads\ctrader-icmarkets-setup (1).exe 2013-10-17 22:58 - 2013-10-17 22:58 - 00000000 ____D C:\Users\Tatarus\Documents\Benutzerdefinierte Office-Vorlagen 2013-10-16 20:24 - 2009-07-14 05:45 - 00437448 _____ C:\Windows\system32\FNTCACHE.DAT 2013-10-16 14:06 - 2013-10-16 14:03 - 00000000 ____D 
C:\Users\Tatarus\Downloads\04c936e45c28872aef3bb90fbd3b0a2b 2013-10-16 10:09 - 2012-10-03 19:42 - 00111040 _____ C:\Users\Tatarus\AppData\Local\GDIPFONTCACHEV1.DAT 2013-10-16 08:28 - 2013-04-07 10:59 - 00000000 ____D C:\ProgramData\Microsoft Help 2013-10-16 08:15 - 2012-12-20 09:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Office 2013-10-16 08:10 - 2013-10-16 08:10 - 00000000 ____D C:\Program Files\Microsoft Office 15 2013-10-14 18:41 - 2012-10-03 20:00 - 00270824 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNdis2.sys 2013-10-14 18:41 - 2012-10-03 20:00 - 00131232 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFW.sys 2013-10-13 16:48 - 2012-10-21 22:31 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\vlc 2013-10-13 10:39 - 2013-10-13 10:39 - 00000282 _____ C:\Users\Tatarus\Downloads\message (5).amr 2013-10-13 10:38 - 2013-10-13 10:38 - 00016344 _____ C:\Users\Tatarus\Downloads\message (4).amr 2013-10-13 10:38 - 2013-10-13 10:38 - 00005516 _____ C:\Users\Tatarus\Downloads\message (3).amr 2013-10-13 10:37 - 2013-10-13 10:37 - 00011292 _____ C:\Users\Tatarus\Downloads\message (1).amr 2013-10-13 10:37 - 2013-10-13 10:37 - 00007882 _____ C:\Users\Tatarus\Downloads\message (2).amr 2013-10-13 10:36 - 2013-10-13 10:36 - 00003518 _____ C:\Users\Tatarus\Downloads\message.amr 2013-10-11 10:44 - 2013-10-11 10:44 - 00002474 _____ C:\Users\Tatarus\Downloads\license.avastlic 2013-10-11 10:08 - 2013-10-11 10:07 - 00001607 _____ C:\Users\Tatarus\Downloads\itcharts (1).jnlp 2013-10-11 07:25 - 2013-10-11 07:25 - 00001607 _____ C:\Users\Tatarus\Downloads\itcharts.jnlp 2013-10-10 14:19 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache 2013-10-09 15:44 - 2012-10-05 19:59 - 01621500 _____ C:\Windows\SysWOW64\PerfStringBackup.INI 2013-10-09 15:42 - 2013-07-17 02:00 - 00000000 ____D C:\Windows\system32\MRT 2013-10-09 15:42 - 2012-10-03 20:56 - 80541720 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2013-10-09 14:28 - 2012-12-17 02:19 - 00692616 
_____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-10-09 14:28 - 2012-12-17 02:19 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2013-10-09 14:28 - 2012-12-17 02:19 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater 2013-10-07 14:02 - 2013-04-07 10:59 - 00000000 ____D C:\Users\Tatarus\AppData\Local\Microsoft Help ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2013-11-01 08:02 ==================== End Of Log ============================
2012-10-03 20:27 - 00000000 ____D C:\Windows\Panther 2013-11-02 13:04 - 2013-11-02 13:04 - 00000000 ___RD C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices 2013-11-02 13:04 - 2013-08-17 23:03 - 00000000 ___RD C:\Users\Tatarus\Dropbox 2013-11-02 13:04 - 2013-08-17 23:01 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Dropbox 2013-11-02 12:56 - 2013-04-30 18:18 - 00000000 ____D C:\JRT 2013-11-02 12:52 - 2013-11-02 12:52 - 00066208 _____ C:\Users\Tatarus\Downloads\OTL.Txt 2013-11-02 12:25 - 2013-11-02 12:22 - 00000000 ____D C:\ProgramData\HitmanPro 2013-11-02 12:00 - 2013-08-17 23:02 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox 2013-11-02 11:53 - 2013-02-18 16:24 - 00000000 ____D C:\Users\Tatarus\Downloads\Programme 2013-11-02 11:15 - 2013-11-02 11:15 - 00000000 ____D C:\FRST 2013-11-02 10:45 - 2013-11-02 10:45 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Tatarus\Downloads\mbam-setup-1.75.0.1300.exe 2013-11-01 23:58 - 2012-10-03 20:05 - 00000000 ____D C:\Users\Tatarus\AppData\Local\Deployment 2013-11-01 20:09 - 2012-12-13 15:00 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Skype 2013-11-01 07:08 - 2012-10-03 20:00 - 00004182 _____ C:\Windows\System32\Tasks\avast! 
Emergency Update 2013-10-30 01:02 - 2013-01-08 01:41 - 00000000 ___RD C:\Users\Tatarus\Bilder 2013-10-28 18:11 - 2013-03-22 13:57 - 00000000 ____D C:\Users\Tatarus\Documents\Eigene Scans 2013-10-27 15:22 - 2013-09-13 14:23 - 00000600 _____ C:\Users\Tatarus\AppData\Roaming\winscp.rnd 2013-10-27 15:21 - 2013-09-17 11:46 - 00000000 ____D C:\Users\Tatarus\Documents\Schule 2013-10-26 22:31 - 2013-10-26 22:31 - 00019530 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_233132.csv 2013-10-26 22:30 - 2013-10-26 22:30 - 00130992 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_233020.csv 2013-10-26 22:28 - 2013-10-26 22:28 - 00202870 _____ C:\Users\Tatarus\Downloads\txnhistory_26102013_232815.csv 2013-10-26 19:25 - 2012-10-03 20:05 - 00001112 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2013-10-26 19:25 - 2012-10-03 20:05 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\AVAST Software 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\ProgramData\Google 2013-10-23 20:41 - 2013-10-23 20:41 - 00000000 ____D C:\Program Files\Google 2013-10-23 20:41 - 2012-10-03 20:05 - 00004110 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2013-10-23 20:41 - 2012-10-03 20:05 - 00003858 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2013-10-23 20:41 - 2012-10-03 20:05 - 00000000 ____D C:\Program Files (x86)\Google 2013-10-23 09:35 - 2013-10-23 09:35 - 00002032 _____ C:\Users\Public\Desktop\avast! 
SafeZone.lnk 2013-10-23 09:35 - 2013-03-13 00:12 - 00447888 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNdisFlt.sys 2013-10-23 09:35 - 2013-03-13 00:12 - 00205320 _____ C:\Windows\system32\Drivers\aswVmm.sys 2013-10-23 09:35 - 2013-03-13 00:12 - 00065776 _____ C:\Windows\system32\Drivers\aswRvrt.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 01032416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00409832 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00334648 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe 2013-10-23 09:35 - 2012-10-03 20:00 - 00092544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00084328 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00065264 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00038984 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFsBlk.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00028184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys 2013-10-23 09:35 - 2012-10-03 20:00 - 00001972 _____ C:\Users\Public\Desktop\avast! 
Internet Security.lnk 2013-10-23 09:35 - 2012-10-03 19:59 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr 2013-10-23 09:23 - 2012-10-03 20:00 - 00000000 _____ C:\Windows\SysWOW64\config.nt 2013-10-23 09:23 - 2012-10-03 19:59 - 00000000 ____D C:\ProgramData\AVAST Software 2013-10-19 17:51 - 2013-10-19 17:51 - 00000000 ____D C:\Users\Tatarus\Downloads\Kanon der Literatur 2013-10-19 07:10 - 2013-10-19 07:10 - 00000284 _____ C:\Users\Tatarus\Desktop\IC Markets cAlgo.appref-ms 2013-10-19 07:10 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IC Markets cAlgo 2013-10-19 07:10 - 2013-10-19 07:10 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets cAlgo 2013-10-19 07:10 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\Documents\cAlgo 2013-10-19 07:10 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets cTrader 2013-10-19 07:05 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000292 _____ C:\Users\Tatarus\Desktop\IC Markets cTrader.appref-ms 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\Documents\cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IC Markets cTrader 2013-10-19 07:04 - 2013-10-19 07:04 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\IC Markets-cTraderCommon 2013-10-19 07:03 - 2013-10-19 07:03 - 00508696 _____ () C:\Users\Tatarus\Downloads\ctrader-icmarkets-setup.exe 2013-10-19 07:03 - 2013-10-19 07:03 - 00508696 _____ () C:\Users\Tatarus\Downloads\ctrader-icmarkets-setup (1).exe 2013-10-17 22:58 - 2013-10-17 22:58 - 00000000 ____D C:\Users\Tatarus\Documents\Benutzerdefinierte Office-Vorlagen 2013-10-16 20:24 - 2009-07-14 05:45 - 00437448 _____ C:\Windows\system32\FNTCACHE.DAT 2013-10-16 14:06 - 2013-10-16 14:03 - 00000000 ____D 
C:\Users\Tatarus\Downloads\04c936e45c28872aef3bb90fbd3b0a2b 2013-10-16 10:09 - 2012-10-03 19:42 - 00111040 _____ C:\Users\Tatarus\AppData\Local\GDIPFONTCACHEV1.DAT 2013-10-16 08:28 - 2013-04-07 10:59 - 00000000 ____D C:\ProgramData\Microsoft Help 2013-10-16 08:15 - 2012-12-20 09:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Office 2013-10-16 08:10 - 2013-10-16 08:10 - 00000000 ____D C:\Program Files\Microsoft Office 15 2013-10-14 18:41 - 2012-10-03 20:00 - 00270824 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNdis2.sys 2013-10-14 18:41 - 2012-10-03 20:00 - 00131232 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFW.sys 2013-10-13 16:48 - 2012-10-21 22:31 - 00000000 ____D C:\Users\Tatarus\AppData\Roaming\vlc 2013-10-13 10:39 - 2013-10-13 10:39 - 00000282 _____ C:\Users\Tatarus\Downloads\message (5).amr 2013-10-13 10:38 - 2013-10-13 10:38 - 00016344 _____ C:\Users\Tatarus\Downloads\message (4).amr 2013-10-13 10:38 - 2013-10-13 10:38 - 00005516 _____ C:\Users\Tatarus\Downloads\message (3).amr 2013-10-13 10:37 - 2013-10-13 10:37 - 00011292 _____ C:\Users\Tatarus\Downloads\message (1).amr 2013-10-13 10:37 - 2013-10-13 10:37 - 00007882 _____ C:\Users\Tatarus\Downloads\message (2).amr 2013-10-13 10:36 - 2013-10-13 10:36 - 00003518 _____ C:\Users\Tatarus\Downloads\message.amr 2013-10-11 10:44 - 2013-10-11 10:44 - 00002474 _____ C:\Users\Tatarus\Downloads\license.avastlic 2013-10-11 10:08 - 2013-10-11 10:07 - 00001607 _____ C:\Users\Tatarus\Downloads\itcharts (1).jnlp 2013-10-11 07:25 - 2013-10-11 07:25 - 00001607 _____ C:\Users\Tatarus\Downloads\itcharts.jnlp 2013-10-10 14:19 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache 2013-10-09 15:44 - 2012-10-05 19:59 - 01621500 _____ C:\Windows\SysWOW64\PerfStringBackup.INI 2013-10-09 15:42 - 2013-07-17 02:00 - 00000000 ____D C:\Windows\system32\MRT 2013-10-09 15:42 - 2012-10-03 20:56 - 80541720 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2013-10-09 14:28 - 2012-12-17 02:19 - 00692616 
_____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2013-10-09 14:28 - 2012-12-17 02:19 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2013-10-09 14:28 - 2012-12-17 02:19 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater 2013-10-07 14:02 - 2013-04-07 10:59 - 00000000 ____D C:\Users\Tatarus\AppData\Local\Microsoft Help ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2013-11-01 08:02 ==================== End Of Log ============================ --- --- --- |
03.11.2013, 08:07 | #10 | |
/// the machine /// TB-Ausbilder | Combofix must only be run when a team member has instructed you to do so! Please download Combofix from the following download mirror: Link 1. IMPORTANT: save Combofix to your desktop.
When Combofix has finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: if you get the following error message after the reboot Quote:
__________________ Regards, schrauber. Proud Member of UNITE and ASAP since 2009. No support via PM! |
03.11.2013, 13:20 | #11 |
| Code:
ComboFix 13-11-03.02 - Tatarus 03.11.2013 13:06:08.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.8150.6452 [GMT 1:00]
ausgeführt von:: c:\users\Tatarus\Downloads\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Internet Security *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
SP: avast! Internet Security *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tatarus\AppData\Local\assembly\tmp
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RDHHPAL\dotnetfx30\xpsepsc-x86-en-us.exe
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RDHHPAL\dotnetfx35\x86\netfx35_x86.exe
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RDHHPAL\tools\clwireg.exe
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RNL3AL4\amd64\filterpipelineprintproc.dll
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RNL3AL4\amd64\mxdwdrv.dll
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RNL3AL4\amd64\xpssvcs.dll
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RNL3AL4\i386\filterpipelineprintproc.dll
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RNL3AL4\i386\mxdwdrv.dll
d:\$recycle.bin\S-1-5-21-3527194521-2343086423-3724204936-1000\$RNL3AL4\i386\xpssvcs.dll
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-10-03 bis 2013-11-03 ))))))))))))))))))))))))))))))
.
.
2013-11-03 12:08 . 2013-11-03 12:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-03 11:36 . 2013-11-03 11:36 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{365E6FCF-5066-4A2C-BBC8-89B99F52FF61}\offreg.dll
2013-11-02 11:22 . 2013-11-02 11:25 -------- d-----w- c:\programdata\HitmanPro
2013-11-02 10:15 . 2013-11-02 10:15 -------- d-----w- C:\FRST
2013-10-23 19:41 . 2013-10-23 19:41 -------- d-----w- c:\program files\Google
2013-10-23 19:41 . 2013-10-23 19:41 -------- d-----w- c:\users\Tatarus\AppData\Roaming\AVAST Software
2013-10-19 06:10 . 2013-11-03 12:07 -------- d-----w- c:\users\Tatarus\AppData\Local\assembly
2013-10-19 06:10 . 2013-10-19 06:10 -------- d-----w- c:\users\Tatarus\AppData\Roaming\IC Markets cAlgo
2013-10-19 06:04 . 2013-10-19 06:05 -------- d-----w- c:\users\Tatarus\AppData\Roaming\cTrader
2013-10-19 06:04 . 2013-10-19 06:04 -------- d-----w- c:\users\Tatarus\AppData\Roaming\IC Markets-cTraderCommon
2013-10-19 06:04 . 2013-10-19 06:10 -------- d-----w- c:\users\Tatarus\AppData\Roaming\IC Markets cTrader
2013-10-16 07:18 . 2013-10-16 07:14 566480 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2013-10-16 07:15 . 2013-10-16 07:29 -------- d-----w- c:\programdata\regid.1991-06.com.microsoft
2013-10-16 07:10 . 2013-10-16 07:10 -------- d-----w- c:\program files\Microsoft Office 15
2013-10-11 06:24 . 2013-09-05 05:32 9694160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{365E6FCF-5066-4A2C-BBC8-89B99F52FF61}\mpengine.dll
2013-10-09 12:28 . 2013-07-04 12:50 633856 ----a-w- c:\windows\system32\comctl32.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-23 08:35 . 2013-03-12 23:12 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-10-23 08:35 . 2013-03-12 23:12 205320 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-10-23 08:35 . 2012-10-03 19:00 409832 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-10-23 08:35 . 2012-10-03 19:00 38984 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-10-23 08:35 . 2012-10-03 19:00 92544 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-10-23 08:35 . 2012-10-03 19:00 84328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-10-23 08:35 . 2012-10-03 19:00 65264 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-10-23 08:35 . 2012-10-03 19:00 334648 ----a-w- c:\windows\system32\aswBoot.exe
2013-10-23 08:35 . 2012-10-03 19:00 1032416 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-10-23 08:35 . 2012-10-03 18:59 43152 ----a-w- c:\windows\avastSS.scr
2013-10-23 08:35 . 2012-10-03 19:00 28184 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-10-23 08:35 . 2013-03-12 23:12 447888 ----a-w- c:\windows\system32\drivers\aswNdisFlt.sys
2013-10-14 17:41 . 2012-10-03 19:00 131232 ----a-w- c:\windows\system32\drivers\aswFW.sys
2013-10-14 17:41 . 2012-10-03 19:00 270824 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-10-09 14:42 . 2012-10-03 19:56 80541720 ----a-w- c:\windows\system32\MRT.exe
2013-10-09 13:28 . 2012-12-17 01:19 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 13:28 . 2012-12-17 01:19 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-29 01:48 . 2013-10-09 12:28 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-08-07 02:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-10-16 07:20 1724616 ----a-w- c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-10-16 07:20 1724616 ----a-w- c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-10-16 07:20 1724616 ----a-w- c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VVCap"="c:\program files (x86)\VVCap\VVCap.exe" [2010-12-28 765440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-10-23 3567800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe;c:\windows\SYSNATIVE\AppleChargerSrv.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 iusb3hcs;Intel(R) USB 3.0 Hostcontroller-Switchtreiber;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AppleCharger.sys [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S1 aswNdisFlt;Avast! Firewall Driver;c:\windows\system32\DRIVERS\aswNdisFlt.sys;c:\windows\SYSNATIVE\DRIVERS\aswNdisFlt.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys;c:\windows\SYSNATIVE\drivers\aswFsBlk.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [x]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe;c:\program files\AVAST Software\Avast\afwServ.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
S2 OfficeSvc;Microsoft Office-Dienst;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]
S3 btath_avdt;Atheros Bluetooth AVDT Service;c:\windows\system32\drivers\btath_avdt.sys;c:\windows\SYSNATIVE\drivers\btath_avdt.sys [x]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
S3 iusb3hub;Intel(R) USB 3.0-Hubtreiber;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible-Hostcontrollertreiber;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-15 19:52 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Inhalt des "geplante Tasks" Ordners
.
2013-11-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-17 13:28]
.
2013-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-03 19:05]
.
2013-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-03 19:05]
.
2012-10-10 c:\windows\Tasks\WebReg HP Photosmart C4200 series.job
- c:\program files (x86)\HP\Digital Imaging\bin\hpqwrg.exe [2009-05-21 18:40]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2013-10-16 07:20 2328264 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2013-10-16 07:20 2328264 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2013-10-16 07:20 2328264 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-10-23 08:35 326944 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\Tatarus\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-05-21 170304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-05-21 398656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-05-21 440128]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 190.94.211.163:8080
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2013-11-03 13:09:04 ComboFix-quarantined-files.txt 2013-11-03 12:09 . Vor Suchlauf: 13 Verzeichnis(se), 193.961.177.088 Bytes frei Nach Suchlauf: 19 Verzeichnis(se), 193.417.261.056 Bytes frei . - - End Of File - - AC340F19D460BD56BBB285FECA40B79D |
04.11.2013, 09:01 | #12 |
/// the machine /// TB-Ausbilder | (Login) Log at the bank shows times when I cannot have been online - Complete scan of my system Please download Malwarebytes Anti-Malware
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
And a fresh FRST log, please.
__________________ Regards, schrauber Proud Member of UNITE and ASAP since 2009 No help via PM! |