
Log analysis and evaluation: Suspected malware infection on Win7


29.01.2014, 10:27   #1
Janne1
 
Suspected malware infection on Win7

Hello to the experts (once again, after a long time)

My computer is doing strange things, so I fear an infection but don't know for sure.... Spybot reports: no spies found during the scan

When Windows 7 starts (after logging in to the user account, once the desktop is already visible), an error message appears like the one when starting iTunes, same error message and number, but the path is too long, so that after Program Files only dots are shown. When I then start iTunes, this comes up:


Fehlermeldung Kopie.jpg - directupload.net


I tried to reinstall iTunes, it didn't work, the same error message comes up again.

Then avast itself is doing odd things, it tries to run updates and it doesn't work, hosts not reachable. Avast is actually allowed through FirewallControl.

edit: after deleting all the rules in Firewall Control, trying again, then adding a new rule, it works again now. Strange
now the firewall reports a new Avast component, is that OK? according to the net it actually seems to be from Avast

Firewall .jpg - directupload.net



Avast had previously reported malware, Win32-Evo-gen, the popup is gone, but it can still be seen in the virus chest

virus container avast.jpg - directupload.net

So, it would be great if one of you could take a look at this.
So, now the logfiles (edit: and popups):

Last edited by Janne1 (29.01.2014 at 10:35) Reason: image is not displayed

29.01.2014, 10:45   #2
schrauber
/// the machine
/// TB-Ausbilder
 

Suspected malware infection on Win7

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.


This is how it works:
Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
  • Select the entire logfile (usually CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions appear: [CODE] [/CODE].
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it right. If everything is fine ... click Reply.

29.01.2014, 10:52   #3
Janne1
 
Suspected malware infection on Win7

Oops, sorry, I read it but didn't really get it, I thought that was the right way.

The message was too long after my attempt to edit it, so here it is now:


FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-01-2014
Ran by Standrechner (administrator) on STANDRECHNER-PC on 29-01-2014 08:43:40
Running from C:\Users\Standrechner\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal



==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Iomega Corp) C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe
(EMC Corporation) C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Telefónica I+D) C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Sphinx Software) C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\TurboV EVO\TurboVHelp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
(Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Lexware\zeitmanagement\2011\Haufe.TimeManagement.exe
(EMC) C:\Program Files (x86)\Iomega Storage Manager\IomegaStorageManager.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastUI.exe
(Logitech Inc.) C:\Program Files (x86)\Squeezebox\SqueezeTray.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winampa.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Sphinx Software) C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Common Files\Lexware\Update Manager\LxUpdateManager.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Macrovision Europe Ltd.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Logitech Inc.) C:\Program Files (x86)\Squeezebox\server\SqueezeSvr.exe
(Crystal Dew World) C:\Program Files (x86)\CrystalDiskInfo\DiskInfo.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
(Safer Networking Limited) C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM-x32\...\Run: [avast5] - C:\Program Files\Alwil Software\Avast5\avastUI.exe [3568312 2013-11-30] (AVAST Software)
HKLM-x32\...\Run: [HDAudDeck] - C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [2472048 2010-11-23] (VIA)
HKLM-x32\...\Run: [TurboV EVO] - C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe [9936000 2010-07-07] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-10-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ATICustomerCare] - C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe [311296 2010-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [SSBkgdUpdate] - C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe [29984 2008-07-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] - C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe [46368 2008-07-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort11reminder] - C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe [328992 2007-08-31] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [BrMfcWnd] - C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] - C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [PDF Seven] - C:\Program Files\PDFSeven\PDF.exe
HKLM-x32\...\Run: [WinampAgent] - C:\Program Files (x86)\Winamp\winampa.exe [74752 2012-06-28] (Nullsoft, Inc.)
HKLM-x32\...\Run: [Windows7FirewallControl] - C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe [798720 2010-11-01] (Sphinx Software)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [624248 2007-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Adobe_ID0EYTHM] - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe [1884160 2007-03-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-29] ()
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM-x32\...\Run: [LexwareInfoService] - C:\Program Files (x86)\Common Files\Lexware\Update Manager\LxUpdateManager.exe [339312 2010-09-15] (Haufe-Lexware GmbH & Co. KG)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] - C:\Program Files\Alwil Software\Avast5\AvastUI.exe [3568312 2013-11-30] (AVAST Software)
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [MobileDocuments] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKCU\...\Run: [hddhealth] - C:\Program Files (x86)\HDD Health\hddhealth.exe -wl
HKCU\...\Run: [Haufe.TimeManagement] - C:\Program Files (x86)\Lexware\zeitmanagement\2011\Haufe.TimeManagement.exe [1440112 2012-04-20] (Haufe-Lexware GmbH & Co. KG)
HKCU\...\Run: [Akamai NetSession Interface] - "C:\Users\Standrechner\AppData\Local\Akamai\netsession_win.exe"
MountPoints2: {261fd23f-7edb-11e0-bc25-20cf301acabf} - G:\AutoRun.exe
MountPoints2: {261fd289-7edb-11e0-bc25-20cf301acabf} - G:\AutoRun.exe
MountPoints2: {261fd29e-7edb-11e0-bc25-20cf301acabf} - G:\AutoRun.exe

==================== Internet (Whitelisted) ====================

BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
BHO: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\Program Files (x86)\TerraTec\TerraTec Home Cinema\ThcDeskBand.dll (TerraTec Electronic GmbH)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
Toolbar: HKLM-x32 - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {6E718D87-6909-4FCE-92D4-EDCB2F725727} file:///C:/Program%20Files%20(x86)/Würth%20Technologieplattform/VIEWERINSTALL/applications/Navigram.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default
FF DefaultSearchEngine: Ixquick HTTPS - Deutsch
FF SelectedSearchEngine: Ixquick HTTPS - Deutsch
FF Homepage: https://www.ixquick.com/deu/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_43.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @parallelgraphics.com/Cortona - C:\Program Files (x86)\Common Files\ParallelGraphics\Cortona\npCortona.dll (ParallelGraphics)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCortona.dll (ParallelGraphics)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll (Nullsoft, Inc.)
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\das-rtliche.xml
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\duckduckgo-1.xml
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\duckduckgo.xml
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\ixquick-https---deutsch.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FRITZ!Box AddOn - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\fb_add_on@avm.de [2013-04-15]
FF Extension: Website City + Country Info - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\ipdata@extension [2012-07-27]
FF Extension: Flagfox - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} [2014-01-19]
FF Extension: Biet-O-Matic Firefox Erweiterung - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{B0D70E72-2FC1-4b9f-A3D4-5921C854D906} [2010-11-23]
FF Extension: pdfViewerSwitcher - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\jid1-UXDr6c69BeyPVw@jetpack.xpi [2013-09-23]
FF Extension: Ebook PDF Search Engine and Viewer - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\lintasnusa@gmail.com.xpi [2013-09-23]
FF Extension: Session Manager - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-01-28]
FF Extension: RightToClick - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi [2011-05-18]
FF Extension: Adblock Plus - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-07-02]
FF Extension: BetterPrivacy - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2013-04-08]
FF Extension: QuickJava - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi [2012-09-10]
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012-03-25]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2011-06-29]

Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2011-12-12]

==================== Services (Whitelisted) =================

R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [109056 2010-11-23] ()
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [50344 2013-11-30] (AVAST Software)
R2 PCloudd; C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe [207360 2011-08-06] (Iomega Corp)
R2 RetroExpLauncher; C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe [120088 2008-12-11] (EMC Corporation)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 TGCM_ImportWiFiSvc; C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe [199600 2010-08-02] (Telefónica I+D)
R2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2169592 2011-05-18] (UltraVNC)
R2 Windows7FirewallService; C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe [401408 2010-11-01] (Sphinx Software)

==================== Drivers (Whitelisted) ====================

S3 AF9035BDA; C:\Windows\System32\DRIVERS\AF15BDA.sys [513600 2009-11-05] (ITETech                  )
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-11-23] ()
R2 aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [38984 2013-11-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [84328 2013-11-30] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-11-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1032416 2013-11-30] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [409832 2013-11-30] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [65264 2013-11-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [205320 2013-11-30] ()
S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [250368 2010-04-07] (Huawei Technologies Co., Ltd.)
S3 MEMSWEEP2; C:\Windows\system32\F4CA.tmp [6144 2010-05-26] (Sophos Plc)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2010-11-23] ()
R3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12904 2011-07-03] (UVNC BVBA)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74752 2011-07-25] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S3 vNICdrv; C:\Windows\System32\DRIVERS\vNICdrv.sys [20048 2011-08-06] (Iomega Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-29 08:39 - 2014-01-29 08:40 - 00029247 _____ C:\Users\Standrechner\Desktop\FRST.txt
2014-01-29 08:38 - 2014-01-29 08:43 - 00021832 _____ C:\Users\Standrechner\Downloads\FRST.txt
2014-01-29 08:38 - 2014-01-29 08:43 - 00000000 ____D C:\FRST
2014-01-29 08:38 - 2014-01-29 08:40 - 00054231 _____ C:\Users\Standrechner\Downloads\Addition.txt
2014-01-29 08:35 - 2014-01-29 08:36 - 02079744 _____ (Farbar) C:\Users\Standrechner\Downloads\FRST64.exe
2014-01-29 08:35 - 2014-01-29 08:35 - 00000486 _____ C:\Users\Standrechner\Downloads\defogger_disable.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000000 _____ C:\Users\Standrechner\defogger_reenable
2014-01-29 08:34 - 2014-01-29 08:34 - 00050477 _____ C:\Users\Standrechner\Downloads\Defogger.exe
2014-01-27 17:35 - 2014-01-27 17:39 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(1).exe
2014-01-21 16:14 - 2014-01-21 16:17 - 54676293 _____ C:\Users\Standrechner\Downloads\PIKO-Update_v04.11_(incl.Microsoft.NET_v4).zip
2014-01-21 14:26 - 2014-01-21 14:26 - 00001553 _____ C:\Users\Standrechner\AppData\Local\recently-used.xbel
2014-01-21 14:15 - 2014-01-21 14:16 - 21079125 _____ C:\Users\Standrechner\Downloads\gnumeric-1.12.9-20131128.exe
2014-01-21 14:14 - 2014-01-21 14:14 - 00401744 _____ (Softonic                                        ) C:\Users\Standrechner\Downloads\SoftonicDownloader_fuer_gnumeric.exe
2014-01-15 08:03 - 2013-11-27 02:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 08:03 - 2013-11-26 11:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

2014-01-29 08:43 - 2014-01-29 08:38 - 00021832 _____ C:\Users\Standrechner\Downloads\FRST.txt
2014-01-29 08:43 - 2014-01-29 08:38 - 00000000 ____D C:\FRST
2014-01-29 08:40 - 2014-01-29 08:39 - 00029247 _____ C:\Users\Standrechner\Desktop\FRST.txt
2014-01-29 08:40 - 2014-01-29 08:38 - 00054231 _____ C:\Users\Standrechner\Downloads\Addition.txt
2014-01-29 08:36 - 2014-01-29 08:35 - 02079744 _____ (Farbar) C:\Users\Standrechner\Downloads\FRST64.exe
2014-01-29 08:36 - 2010-11-23 11:34 - 01674658 _____ C:\Windows\WindowsUpdate.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000486 _____ C:\Users\Standrechner\Downloads\defogger_disable.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000000 _____ C:\Users\Standrechner\defogger_reenable
2014-01-29 08:35 - 2010-11-23 11:37 - 00000000 ____D C:\Users\Standrechner
2014-01-29 08:34 - 2014-01-29 08:34 - 00050477 _____ C:\Users\Standrechner\Downloads\Defogger.exe
2014-01-29 08:19 - 2009-07-14 05:45 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-29 08:19 - 2009-07-14 05:45 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-29 08:13 - 2012-07-13 19:18 - 00004184 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2014-01-29 08:12 - 2013-10-12 10:16 - 00007513 _____ C:\Windows\setupact.log
2014-01-29 08:12 - 2013-02-27 08:48 - 00001118 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-29 08:12 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-28 20:56 - 2012-04-02 06:58 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-28 20:53 - 2013-02-27 08:48 - 00001122 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-28 20:01 - 2010-12-01 20:42 - 00000478 _____ C:\Windows\Tasks\SyncBack Jan Eigene Dateien.job
2014-01-28 08:29 - 2010-11-23 13:15 - 00000000 ____D C:\ProgramData\BTrieve
2014-01-27 17:39 - 2014-01-27 17:35 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(1).exe
2014-01-25 21:50 - 2011-01-10 11:32 - 00000000 ____D C:\ProgramData\Apple
2014-01-23 14:57 - 2010-11-23 13:14 - 00000000 ____D C:\Users\Standrechner\AppData\Local\Adobe
2014-01-23 14:36 - 2012-04-02 06:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-23 14:36 - 2012-04-02 06:58 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-23 14:36 - 2011-05-31 20:14 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-21 16:17 - 2014-01-21 16:14 - 54676293 _____ C:\Users\Standrechner\Downloads\PIKO-Update_v04.11_(incl.Microsoft.NET_v4).zip
2014-01-21 14:26 - 2014-01-21 14:26 - 00001553 _____ C:\Users\Standrechner\AppData\Local\recently-used.xbel
2014-01-21 14:17 - 2013-07-05 08:36 - 00000000 ____D C:\Program Files (x86)\Gnumeric
2014-01-21 14:16 - 2014-01-21 14:15 - 21079125 _____ C:\Users\Standrechner\Downloads\gnumeric-1.12.9-20131128.exe
2014-01-21 14:14 - 2014-01-21 14:14 - 00401744 _____ (Softonic                                        ) C:\Users\Standrechner\Downloads\SoftonicDownloader_fuer_gnumeric.exe
2014-01-17 22:03 - 2009-07-14 18:58 - 00698742 _____ C:\Windows\system32\perfh007.dat
2014-01-17 22:03 - 2009-07-14 18:58 - 00148798 _____ C:\Windows\system32\perfc007.dat
2014-01-17 22:03 - 2009-07-14 06:13 - 01613412 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-15 10:55 - 2011-01-14 19:00 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\Winamp
2014-01-15 10:10 - 2009-07-14 05:45 - 02349448 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 09:40 - 2013-08-14 21:20 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 09:38 - 2010-11-23 11:43 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-10 15:19 - 2010-11-11 15:22 - 00000000 ____D C:\Users\Standrechner\Documents\Lexware F A Daten
2014-01-10 14:01 - 2011-03-13 09:56 - 00000000 ____D C:\Program Files\Common Files\Apple
2014-01-10 14:01 - 2011-01-10 11:34 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\Apple Computer
2014-01-03 13:52 - 2011-01-10 11:03 - 00000000 ____D C:\ProgramData\FLEXnet

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-20 20:03

==================== End Of Log ============================

edit: the GMER log is too big; should I split it across five replies, or is the zip file enough?

Did I do something wrong during the scan that made it so big?
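
Added example, not part of the original post or of GMER: a small Python triage helper for the GMER "User code sections" entries posted in this thread. Each such line records a 5-byte inline JMP written at the start of an ntdll Nt* function inside one process. The script groups the hooks per process, lists the hooked functions, and derives two facts that help decide what to look at next: whether all jump targets of a process land in one small region (which points to a single hooking module) and whether that region lies far away from the patched DLL (runtime-allocated memory rather than a neighbouring system DLL). The sample lines are copied from the GMER log in this thread with the spacing compressed; the 64 KiB cluster size and the 256 MiB "far" threshold are assumptions chosen for illustration. None of this by itself distinguishes a security product's self-protection hooks from malicious ones; the next step is to map the reported target range to a loaded module in the live process.

```python
import re
from collections import defaultdict

# Matches one GMER 2.1 "User code sections" entry, e.g.
# .text  C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess  0000000076fc1510 5 bytes JMP 0000000149d60370
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\S+?)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+([0-9a-fA-F]+)$")

# Heuristic thresholds: assumptions for illustration, not GMER's own logic.
CLUSTER_BYTES = 0x10000     # targets within 64 KiB of each other -> one hooking module
FAR_BYTES = 0x10000000      # target more than 256 MiB from the hooked DLL -> not a neighbouring image

# Sample input: lines copied from the GMER log in this thread (spacing compressed).
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fc1510 5 bytes JMP 0000000149d60370
.text  C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fc1650 5 bytes JMP 0000000149d603b0
.text  C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fc20a0 5 bytes JMP 0000000149d601e0
.text  C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fc21a0 5 bytes JMP 0000000149d604a0
.text  C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fc1510 5 bytes JMP 0000000077120370
.text  C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fc1d30 5 bytes JMP 00000000771203d0
.text  C:\Windows\system32\wininit.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daeecd 1 byte [62]
.text  C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076fc1510 5 bytes JMP 0000000100040370
"""


def parse_gmer_hooks(text):
    """Return one dict per patched function; lines that are not hook entries are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        jmp = JMP_RE.match(d["patch"])
        hooks.append({
            "process": d["process"].rsplit("\\", 1)[-1].lower(),
            "pid": int(d["pid"]),
            "module": d["module"].rsplit("\\", 1)[-1].lower(),
            "func": d["func"],
            "offset": int(d["offset"] or 0),          # byte offset into the function, 0 for prologue hooks
            "addr": int(d["addr"], 16),               # patched address inside the DLL
            "size": int(d["size"]),
            "target": int(jmp.group(1), 16) if jmp else None,  # None for raw byte patches such as "[62]"
            "patch": d["patch"],
        })
    return hooks


def summarize_by_process(hooks, cluster_bytes=CLUSTER_BYTES, far_bytes=FAR_BYTES):
    """Group hooks per (process, pid) and describe where their JMP targets land."""
    groups = defaultdict(list)
    for h in hooks:
        groups[(h["process"], h["pid"])].append(h)
    summary = {}
    for key, hs in groups.items():
        jmps = [h for h in hs if h["target"] is not None]
        targets = sorted(h["target"] for h in jmps)
        summary[key] = {
            "jmp_hooks": len(jmps),
            "hooked_functions": sorted(h["func"] for h in jmps),
            "target_range": (targets[0], targets[-1]) if targets else None,
            # all trampolines inside one small region -> most likely a single hooking module
            "single_region": bool(targets) and targets[-1] - targets[0] <= cluster_bytes,
            # targets far from the patched DLL -> runtime-allocated memory, not a neighbouring image
            "far_targets": sum(1 for h in jmps if abs(h["target"] - h["addr"]) > far_bytes),
            # patches that are not JMPs (e.g. the 1-byte change inside kernel32!GetBinaryTypeW)
            "other_patches": [(h["module"], h["func"], h["offset"], h["patch"])
                              for h in hs if h["target"] is None],
        }
    return summary


def format_report(summary):
    """Render the per-process summary as plain text, ordered by PID."""
    lines = []
    for (proc, pid), s in sorted(summary.items(), key=lambda kv: kv[0][1]):
        rng = s["target_range"]
        where = f"{rng[0]:#x}-{rng[1]:#x}" if rng else "n/a"
        lines.append(f"{proc}[{pid}]: {s['jmp_hooks']} JMP hooks -> {where}"
                     f" single_region={s['single_region']} far_targets={s['far_targets']}")
        for mod, func, off, patch in s["other_patches"]:
            lines.append(f"    non-JMP patch: {mod}!{func}+{off} {patch}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_by_process(parse_gmer_hooks(SAMPLE_LOG))))
```

Run against the full log, the report separates the two csrss instances, whose targets all sit in one region several GiB above ntdll, from wininit, whose targets lie about 1.4 MiB above the patched address, i.e. in the same neighbourhood as the system DLLs; that difference is what to resolve against the process's module list before judging any of it.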

29.01.2014, 13:41   #4
Janne1

Suspected malware infection Win7

Code:
GMER 2.1.19355 - hxxp://www.gmer.net
Rootkit scan 2014-01-29 12:32:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-3 Intel___ rev.1.0. 465,76GB
Running: gmer.exe; Driver: C:\Users\STANDR~1\AppData\Local\Temp\fxtoqpob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528                                                                                                                                       fffff80003000000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575                                                                                                                                       fffff8000300002f 18 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                  0000000076fc1360 5 bytes JMP 0000000149d60460
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                           0000000076fc13b0 5 bytes JMP 0000000149d60450
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                           0000000076fc1510 5 bytes JMP 0000000149d60370
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                                0000000076fc1560 5 bytes JMP 0000000149d60470
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                      0000000076fc1570 5 bytes JMP 0000000149d603e0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                           0000000076fc1620 5 bytes JMP 0000000149d60320
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                    0000000076fc1650 5 bytes JMP 0000000149d603b0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                       0000000076fc1670 5 bytes JMP 0000000149d60390
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                             0000000076fc16b0 5 bytes JMP 0000000149d602e0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                           0000000076fc1730 5 bytes JMP 0000000149d602d0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                         0000000076fc1750 5 bytes JMP 0000000149d60310
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                          0000000076fc1790 5 bytes JMP 0000000149d603c0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                       0000000076fc17e0 5 bytes JMP 0000000149d603f0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                          0000000076fc1940 5 bytes JMP 0000000149d60230
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                               0000000076fc1b00 5 bytes JMP 0000000149d60480
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                              0000000076fc1b30 5 bytes JMP 0000000149d603a0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                       0000000076fc1c10 5 bytes JMP 0000000149d602f0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                    0000000076fc1c20 5 bytes JMP 0000000149d60350
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                          0000000076fc1c80 5 bytes JMP 0000000149d60290
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                       0000000076fc1d10 5 bytes JMP 0000000149d602b0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                        0000000076fc1d30 5 bytes JMP 0000000149d603d0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                           0000000076fc1d40 5 bytes JMP 0000000149d60330
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                    0000000076fc1db0 5 bytes JMP 0000000149d60410
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                       0000000076fc1de0 5 bytes JMP 0000000149d60240
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                            0000000076fc20a0 5 bytes JMP 0000000149d601e0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                       0000000076fc2160 5 bytes JMP 0000000149d60250
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                       0000000076fc2190 5 bytes JMP 0000000149d60490
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                              0000000076fc21a0 5 bytes JMP 0000000149d604a0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                         0000000076fc21d0 5 bytes JMP 0000000149d60300
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                      0000000076fc21e0 5 bytes JMP 0000000149d60360
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                            0000000076fc2240 5 bytes JMP 0000000149d602a0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                         0000000076fc2290 5 bytes JMP 0000000149d602c0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                            0000000076fc22c0 5 bytes JMP 0000000149d60380
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                             0000000076fc22d0 5 bytes JMP 0000000149d60340
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                      0000000076fc25c0 5 bytes JMP 0000000149d60440
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                     0000000076fc27c0 5 bytes JMP 0000000149d60260
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                        0000000076fc27d0 5 bytes JMP 0000000149d60270
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                      0000000076fc27e0 5 bytes JMP 0000000149d60400
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                  0000000076fc29a0 5 bytes JMP 0000000149d601f0
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                   0000000076fc29b0 5 bytes JMP 0000000149d60210
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                        0000000076fc2a20 5 bytes JMP 0000000149d60200
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                        0000000076fc2a80 5 bytes JMP 0000000149d60420
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                         0000000076fc2a90 5 bytes JMP 0000000149d60430
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                    0000000076fc2aa0 5 bytes JMP 0000000149d60220
.text     C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                            0000000076fc2b80 5 bytes JMP 0000000149d60280
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\wininit.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                  0000000076fc1360 5 bytes JMP 0000000100040460
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                           0000000076fc13b0 5 bytes JMP 0000000100040450
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                           0000000076fc1510 5 bytes JMP 0000000100040370
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                                0000000076fc1560 5 bytes JMP 0000000100040470
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                      0000000076fc1570 5 bytes JMP 00000001000403e0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                           0000000076fc1620 5 bytes JMP 0000000100040320
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                    0000000076fc1650 5 bytes JMP 00000001000403b0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                       0000000076fc1670 5 bytes JMP 0000000100040390
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                             0000000076fc16b0 5 bytes JMP 00000001000402e0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                           0000000076fc1730 5 bytes JMP 00000001000402d0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                         0000000076fc1750 5 bytes JMP 0000000100040310
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                          0000000076fc1790 5 bytes JMP 00000001000403c0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                       0000000076fc17e0 5 bytes JMP 00000001000403f0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                          0000000076fc1940 5 bytes JMP 0000000100040230
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                               0000000076fc1b00 5 bytes JMP 0000000100040480
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                              0000000076fc1b30 5 bytes JMP 00000001000403a0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                       0000000076fc1c10 5 bytes JMP 00000001000402f0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                    0000000076fc1c20 5 bytes JMP 0000000100040350
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                          0000000076fc1c80 5 bytes JMP 0000000100040290
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                       0000000076fc1d10 5 bytes JMP 00000001000402b0
.text     C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                        0000000076fc1d30 5 bytes JMP 00000001000403d0
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                         0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                         0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                                0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                           0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                        0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                              0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                           0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                              0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                               0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                        0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                       0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                          0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                        0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                    0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                     0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                          0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                          0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                           0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                      0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                              0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl
         

Old 29.01.2014, 13:42   #5
Janne1
 
Suspected malware infection Win7 - Standard

Suspected malware infection Win7



Code:
ATTFilter
                                                                                                             0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\winlogon.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\atiesrxx.exe[940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\System32\svchost.exe[996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\System32\svchost.exe[300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[420] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                                0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                         0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                         0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                              0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                  0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                     0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                           0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                         0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                        0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                            0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                     0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                  0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                        0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                     0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                         0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                  0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                     0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                     0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                     0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                            0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                       0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                    0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                          0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                       0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                          0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                           0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                    0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                   0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                      0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                    0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                 0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                      0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                       0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                          0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                               0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                              0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                       0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                       0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                            0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                  0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                       0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                   0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                         0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                       0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                     0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                      0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                   0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                      0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                           0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                          0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                   0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                      0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                   0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                    0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                       0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                   0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                        0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                   0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                   0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                          0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                     0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                  0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                        0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                     0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                        0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                         0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                  0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                 0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                    0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                  0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                              0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                               0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                    0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                    0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                     0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                        0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                             0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000100070460
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000100070450
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000100070370
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000100070470
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000001000703e0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000100070320
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000001000703b0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000100070390
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000001000702e0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000001000702d0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000100070310
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000001000703c0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000001000703f0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000100070230
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000100070480
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000001000703a0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000001000702f0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000100070350
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000100070290
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000001000702b0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000001000703d0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000100070330
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000100070410
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000100070240
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000001000701e0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000100070250
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000100070490
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000001000704a0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000100070300
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000100070360
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000001000702a0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000001000702c0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000100070380
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000100070340
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000100070440
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000100070260
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000100070270
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000100070400
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000001000701f0
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000100070210
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000100070200
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000100070420
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000100070430
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                 0000000076fc2aa0 5 bytes JMP 0000000100070220
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000100070280
.text     C:\Windows\system32\svchost.exe[1228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                 0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                 0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\System32\spoolsv.exe[1648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1780] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                 0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe[1804] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                    0000000074eda2ba 1 byte [62]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                    0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                             0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                             0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                  0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                        0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                             0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                      0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                         0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                               0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                             0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                           0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                            0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                         0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                            0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                 0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                         0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                      0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                            0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                         0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                          0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                             0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                      0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                         0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                              0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                         0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                         0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                           0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                        0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                              0000000076fc2240 5 bytes JMP 00000000771202a0
         


29.01.2014, 13:43   #6
Janne1

Suspected malware infection on Win7 (continued GMER log)

Code:
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                           0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                              0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                               0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                        0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                       0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                          0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                        0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                    0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                     0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                          0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                          0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                           0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                      0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                              0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Program Files\Bonjour\mDNSResponder.exe[1840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                   0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                 0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[1880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                        0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe[2004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                     0000000074eda2ba 1 byte [62]
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                 0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\svchost.exe[2036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1200] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                            0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe[2000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                           0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe[2088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                   0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                 0000000075941465 2 bytes [94, 75]
.text     C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                00000000759414bb 2 bytes [94, 75]
.text     ...                                                                                                                                                                                                      * 2
.text     C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2452] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                       0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2496] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2496] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                                                                              0000000075941465 2 bytes [94, 75]
.text     C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2496] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                                                                             00000000759414bb 2 bytes [94, 75]
.text     ...                                                                                                                                                                                                      * 2
.text     C:\Windows\system32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                              0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                       0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                       0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                            0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                  0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                       0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                   0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                         0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                       0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                     0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                      0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                   0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                      0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                           0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                          0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                   0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                      0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                   0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                    0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                       0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                   0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                        0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                   0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                   0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                          0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                     0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                  0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                        0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                     0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                        0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                         0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                  0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                 0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                    0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                  0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                              0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                               0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                    0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                    0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                     0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                        0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\system32\taskhost.exe[3496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                             0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\system32\taskeng.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                               0000000076fc1790 5 bytes JMP 00000001000703c0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                            0000000076fc17e0 5 bytes JMP 00000001000703f0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                               0000000076fc1940 5 bytes JMP 0000000100070230
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                                    0000000076fc1b00 5 bytes JMP 0000000100070480
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                                   0000000076fc1b30 5 bytes JMP 00000001000703a0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                            0000000076fc1c10 5 bytes JMP 00000001000702f0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                         0000000076fc1c20 5 bytes JMP 0000000100070350
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                               0000000076fc1c80 5 bytes JMP 0000000100070290
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                            0000000076fc1d10 5 bytes JMP 00000001000702b0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                             0000000076fc1d30 5 bytes JMP 00000001000703d0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                                0000000076fc1d40 5 bytes JMP 0000000100070330
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                         0000000076fc1db0 5 bytes JMP 0000000100070410
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                            0000000076fc1de0 5 bytes JMP 0000000100070240
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                                 0000000076fc20a0 5 bytes JMP 00000001000701e0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                            0000000076fc2160 5 bytes JMP 0000000100070250
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                            0000000076fc2190 5 bytes JMP 0000000100070490
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                                   0000000076fc21a0 5 bytes JMP 00000001000704a0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                              0000000076fc21d0 5 bytes JMP 0000000100070300
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                           0000000076fc21e0 5 bytes JMP 0000000100070360
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                                 0000000076fc2240 5 bytes JMP 00000001000702a0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                              0000000076fc2290 5 bytes JMP 00000001000702c0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                                 0000000076fc22c0 5 bytes JMP 0000000100070380
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                                  0000000076fc22d0 5 bytes JMP 0000000100070340
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                           0000000076fc25c0 5 bytes JMP 0000000100070440
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                          0000000076fc27c0 5 bytes JMP 0000000100070260
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                             0000000076fc27d0 5 bytes JMP 0000000100070270
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                           0000000076fc27e0 5 bytes JMP 0000000100070400
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                       0000000076fc29a0 5 bytes JMP 00000001000701f0
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                        0000000076fc29b0 5 bytes JMP 0000000100070210
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                             0000000076fc2a20 5 bytes JMP 0000000100070200
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                             0000000076fc2a80 5 bytes JMP 0000000100070420
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                              0000000076fc2a90 5 bytes JMP 0000000100070430
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                         0000000076fc2aa0 5 bytes JMP 0000000100070220
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                                 0000000076fc2b80 5 bytes JMP 0000000100070280
.text     C:\Windows\Explorer.EXE[3752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                                      0000000076daeecd 1 byte [62]
.text     C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[4080] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                       0000000074eda2ba 1 byte [62]
.text     C:\Program Files\Windows Media Player\wmpnetwk.exe[2556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                           0000000076daeecd 1 byte [62]
.text     C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe[3920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                        0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                            0000000076fc1360 5 bytes JMP 00000001001a0460
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                     0000000076fc13b0 5 bytes JMP 00000001001a0450
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                     0000000076fc1510 5 bytes JMP 00000001001a0370
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                          0000000076fc1560 5 bytes JMP 00000001001a0470
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                0000000076fc1570 5 bytes JMP 00000001001a03e0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                     0000000076fc1620 5 bytes JMP 00000001001a0320
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                              0000000076fc1650 5 bytes JMP 00000001001a03b0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                 0000000076fc1670 5 bytes JMP 00000001001a0390
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                       0000000076fc16b0 5 bytes JMP 00000001001a02e0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                     0000000076fc1730 5 bytes JMP 00000001001a02d0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                   0000000076fc1750 5 bytes JMP 00000001001a0310
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                    0000000076fc1790 5 bytes JMP 00000001001a03c0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                 0000000076fc17e0 5 bytes JMP 00000001001a03f0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                    0000000076fc1940 5 bytes JMP 00000001001a0230
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                         0000000076fc1b00 5 bytes JMP 00000001001a0480
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                        0000000076fc1b30 5 bytes JMP 00000001001a03a0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                 0000000076fc1c10 5 bytes JMP 00000001001a02f0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                              0000000076fc1c20 5 bytes JMP 00000001001a0350
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                    0000000076fc1c80 5 bytes JMP 00000001001a0290
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                 0000000076fc1d10 5 bytes JMP 00000001001a02b0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                  0000000076fc1d30 5 bytes JMP 00000001001a03d0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                     0000000076fc1d40 5 bytes JMP 00000001001a0330
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                              0000000076fc1db0 5 bytes JMP 00000001001a0410
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                 0000000076fc1de0 5 bytes JMP 00000001001a0240
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                      0000000076fc20a0 5 bytes JMP 00000001001a01e0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                 0000000076fc2160 5 bytes JMP 00000001001a0250
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                 0000000076fc2190 5 bytes JMP 00000001001a0490
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                        0000000076fc21a0 5 bytes JMP 00000001001a04a0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                   0000000076fc21d0 5 bytes JMP 00000001001a0300
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                0000000076fc21e0 5 bytes JMP 00000001001a0360
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                      0000000076fc2240 5 bytes JMP 00000001001a02a0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                   0000000076fc2290 5 bytes JMP 00000001001a02c0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                      0000000076fc22c0 5 bytes JMP 00000001001a0380
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                       0000000076fc22d0 5 bytes JMP 00000001001a0340
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                0000000076fc25c0 5 bytes JMP 00000001001a0440
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                               0000000076fc27c0 5 bytes JMP 00000001001a0260
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                  0000000076fc27d0 5 bytes JMP 00000001001a0270
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                0000000076fc27e0 5 bytes JMP 00000001001a0400
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                            0000000076fc29a0 5 bytes JMP 00000001001a01f0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                             0000000076fc29b0 5 bytes JMP 00000001001a0210
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                  0000000076fc2a20 5 bytes JMP 00000001001a0200
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                  0000000076fc2a80 5 bytes JMP 00000001001a0420
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                   0000000076fc2a90 5 bytes JMP 00000001001a0430
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                              0000000076fc2aa0 5 bytes JMP 00000001001a0220
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                      0000000076fc2b80 5 bytes JMP 00000001001a0280
.text     C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[684] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                        0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[4188] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                         0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe[4284] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                   0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe[4292] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe[4308] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                         0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                      0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\iTunes\iTunesHelper.exe[4860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                               0000000074eda2ba 1 byte [62]
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                           0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                    0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                    0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                         0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                               0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                    0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                             0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                      0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                    0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                  0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                   0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                   0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                        0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                       0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                             0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                   0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                 0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                    0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                             0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                     0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                       0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                  0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                               0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                     0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                  0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                     0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                      0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                               0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                              0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                 0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                               0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                           0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                            0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                 0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                 0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                  0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                             0000000076fc2aa0 5 bytes JMP 0000000077120220

29.01.2014, 13:44   #7
Janne1

Code:
.text     C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                     0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[1628] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                             0000000074eda2ba 1 byte [62]
.text     C:\Program Files\iPod\bin\iPodService.exe[660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                     0000000076daeecd 1 byte [62]
.text     C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE[5156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                                     0000000074eda2ba 1 byte [62]
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                               0000000076fc1360 5 bytes JMP 0000000077120460
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                        0000000076fc13b0 5 bytes JMP 0000000077120450
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                        0000000076fc1510 5 bytes JMP 0000000077120370
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                             0000000076fc1560 5 bytes JMP 0000000077120470
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                   0000000076fc1570 5 bytes JMP 00000000771203e0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                        0000000076fc1620 5 bytes JMP 0000000077120320
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 0000000076fc1650 5 bytes JMP 00000000771203b0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                    0000000076fc1670 5 bytes JMP 0000000077120390
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                          0000000076fc16b0 5 bytes JMP 00000000771202e0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                        0000000076fc1730 5 bytes JMP 00000000771202d0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                      0000000076fc1750 5 bytes JMP 0000000077120310
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                       0000000076fc1790 5 bytes JMP 00000000771203c0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                    0000000076fc17e0 5 bytes JMP 00000000771203f0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                       0000000076fc1940 5 bytes JMP 0000000077120230
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                            0000000076fc1b00 5 bytes JMP 0000000077120480
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                           0000000076fc1b30 5 bytes JMP 00000000771203a0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                    0000000076fc1c10 5 bytes JMP 00000000771202f0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                 0000000076fc1c20 5 bytes JMP 0000000077120350
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                       0000000076fc1c80 5 bytes JMP 0000000077120290
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                    0000000076fc1d10 5 bytes JMP 00000000771202b0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                     0000000076fc1d30 5 bytes JMP 00000000771203d0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                        0000000076fc1d40 5 bytes JMP 0000000077120330
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                 0000000076fc1db0 5 bytes JMP 0000000077120410
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                    0000000076fc1de0 5 bytes JMP 0000000077120240
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                         0000000076fc20a0 5 bytes JMP 00000000771201e0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                    0000000076fc2160 5 bytes JMP 0000000077120250
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                    0000000076fc2190 5 bytes JMP 0000000077120490
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                           0000000076fc21a0 5 bytes JMP 00000000771204a0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                      0000000076fc21d0 5 bytes JMP 0000000077120300
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                   0000000076fc21e0 5 bytes JMP 0000000077120360
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                         0000000076fc2240 5 bytes JMP 00000000771202a0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                      0000000076fc2290 5 bytes JMP 00000000771202c0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                         0000000076fc22c0 5 bytes JMP 0000000077120380
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                          0000000076fc22d0 5 bytes JMP 0000000077120340
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                   0000000076fc25c0 5 bytes JMP 0000000077120440
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                  0000000076fc27c0 5 bytes JMP 0000000077120260
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                     0000000076fc27d0 5 bytes JMP 0000000077120270
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                   0000000076fc27e0 5 bytes JMP 0000000077120400
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                               0000000076fc29a0 5 bytes JMP 00000000771201f0
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                                0000000076fc29b0 5 bytes JMP 0000000077120210
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                     0000000076fc2a20 5 bytes JMP 0000000077120200
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                     0000000076fc2a80 5 bytes JMP 0000000077120420
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                      0000000076fc2a90 5 bytes JMP 0000000077120430
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                 0000000076fc2aa0 5 bytes JMP 0000000077120220
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                         0000000076fc2b80 5 bytes JMP 0000000077120280
.text     C:\Windows\System32\svchost.exe[2812] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[3212] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                              0000000076daeecd 1 byte [62]
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                                              0000000076fc1360 5 bytes JMP 0000000100060460
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                                       0000000076fc13b0 5 bytes JMP 0000000100060450
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                       0000000076fc1510 5 bytes JMP 0000000100060370
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                                            0000000076fc1560 5 bytes JMP 0000000100060470
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                  0000000076fc1570 5 bytes JMP 00000001000603e0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                       0000000076fc1620 5 bytes JMP 0000000100060320
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                0000000076fc1650 5 bytes JMP 00000001000603b0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                                   0000000076fc1670 5 bytes JMP 0000000100060390
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                                         0000000076fc16b0 5 bytes JMP 00000001000602e0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                                       0000000076fc1730 5 bytes JMP 00000001000602d0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                     0000000076fc1750 5 bytes JMP 0000000100060310
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                      0000000076fc1790 5 bytes JMP 00000001000603c0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                   0000000076fc17e0 5 bytes JMP 00000001000603f0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                                      0000000076fc1940 5 bytes JMP 0000000100060230
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                           0000000076fc1b00 5 bytes JMP 0000000100060480
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                                          0000000076fc1b30 5 bytes JMP 00000001000603a0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                                   0000000076fc1c10 5 bytes JMP 00000001000602f0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                                                0000000076fc1c20 5 bytes JMP 0000000100060350
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                                      0000000076fc1c80 5 bytes JMP 0000000100060290
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                                   0000000076fc1d10 5 bytes JMP 00000001000602b0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                    0000000076fc1d30 5 bytes JMP 00000001000603d0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                                       0000000076fc1d40 5 bytes JMP 0000000100060330
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                                                0000000076fc1db0 5 bytes JMP 0000000100060410
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                                   0000000076fc1de0 5 bytes JMP 0000000100060240
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                        0000000076fc20a0 5 bytes JMP 00000001000601e0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                                   0000000076fc2160 5 bytes JMP 0000000100060250
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                                   0000000076fc2190 5 bytes JMP 0000000100060490
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                          0000000076fc21a0 5 bytes JMP 00000001000604a0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                                     0000000076fc21d0 5 bytes JMP 0000000100060300
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                                  0000000076fc21e0 5 bytes JMP 0000000100060360
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                                        0000000076fc2240 5 bytes JMP 00000001000602a0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                                     0000000076fc2290 5 bytes JMP 00000001000602c0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                                        0000000076fc22c0 5 bytes JMP 0000000100060380
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                                         0000000076fc22d0 5 bytes JMP 0000000100060340
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                                  0000000076fc25c0 5 bytes JMP 0000000100060440
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                                                 0000000076fc27c0 5 bytes JMP 0000000100060260
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                                    0000000076fc27d0 5 bytes JMP 0000000100060270
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                  0000000076fc27e0 5 bytes JMP 0000000100060400
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                              0000000076fc29a0 5 bytes JMP 00000001000601f0
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                                               0000000076fc29b0 5 bytes JMP 0000000100060210
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                    0000000076fc2a20 5 bytes JMP 0000000100060200
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                                    0000000076fc2a80 5 bytes JMP 0000000100060420
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                                     0000000076fc2a90 5 bytes JMP 0000000100060430
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                0000000076fc2aa0 5 bytes JMP 0000000100060220
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                                        0000000076fc2b80 5 bytes JMP 0000000100060280
.text     C:\Windows\system32\taskhost.exe[3320] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                             0000000076daeecd 1 byte [62]
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                 0000000074eda2ba 1 byte [62]
.text     C:\Windows\system32\SearchIndexer.exe[5572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                                        0000000076daeecd 1 byte [62]
.text     C:\Program Files\Alwil Software\Avast5\AvastUI.exe[5684] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                           0000000074eda2ba 1 byte [62]
.text     C:\Users\Standrechner\Downloads\gmer.exe[1464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                                                     0000000074eda2ba 1 byte [62]

---- Threads - GMER 2.1 ----

Thread    C:\Windows\system32\svchost.exe [420:2384]                                                                                                                                                               000007feeea5d3c8
Thread    C:\Windows\system32\svchost.exe [420:3300]                                                                                                                                                               000007feeea5d3c8
Thread    C:\Windows\system32\svchost.exe [420:6040]                                                                                                                                                               000007feeea5d3c8
Thread    C:\Windows\system32\svchost.exe [420:5148]                                                                                                                                                               000007feeea5d3c8
Thread    C:\Windows\system32\svchost.exe [1228:4212]                                                                                                                                                              000007fef6735170
Thread    C:\Windows\system32\svchost.exe [1364:1684]                                                                                                                                                              000007fefc7c1a70
Thread    C:\Windows\system32\svchost.exe [1364:1696]                                                                                                                                                              000007fefc7c1a70
Thread    C:\Windows\system32\svchost.exe [1364:1708]                                                                                                                                                              000007fefc7c1a70
Thread    C:\Windows\system32\svchost.exe [1364:1716]                                                                                                                                                              000007fef98b2c70
Thread    C:\Windows\system32\svchost.exe [1364:1752]                                                                                                                                                              000007fef98bfb40
Thread    C:\Windows\system32\svchost.exe [1364:1760]                                                                                                                                                              000007fef98d1d20
Thread    C:\Windows\system32\svchost.exe [1364:1764]                                                                                                                                                              000007fef98bf6f0
Thread    C:\Windows\system32\svchost.exe [1364:1912]                                                                                                                                                              000007fef97835c0
Thread    C:\Windows\system32\svchost.exe [1364:2840]                                                                                                                                                              000007fef9785600
Thread    C:\Windows\system32\svchost.exe [1364:2920]                                                                                                                                                              000007fef7902940
Thread    C:\Windows\system32\svchost.exe [1364:3512]                                                                                                                                                              000007fef72f2888
Thread    C:\Windows\System32\svchost.exe [2812:5696]                                                                                                                                                              000007feecba9688
---- Processes - GMER 2.1 ----

Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\perl514.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                                            0000000028000000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                               0000000010000000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\f233f63b6654362865c7577442edb9e3\Win32.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                             0000000000230000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156](2014-01-29 07:14:09)        00000000003b0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\e56c61f7248672819579325af3387035\POSIX.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                             00000000003c0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                          00000000003d0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                               00000000003e0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                          0000000001170000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                          0000000001190000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                            00000000011b0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\4461f48e31bde5c56b31b973b773de09\List.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              00000000011c0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\c199d3c1960e7aeeecb599487952bed2\HiRes.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                             00000000011d0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\961b0d62fa52b1dd29c795a822fbf1cf\DBI.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                               00000000011e0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\c5cce8d16a1bd48692b421dcf46d3396\Util.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              00000000046d0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\7f177c338672436e01c4f0bdbcf94491\EV.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                000000005c380000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\44727051c604ef6b79894b64d4c63832\Expat.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156](2014-01-29 07:14:09)        000000005c350000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\2b1fc61b36a6711ea149b18bf3b41500\Parser.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                            00000000046e0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\dacfd0ab9b5fd029ed8d29e4482b0775\XS.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                000000005c340000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\fa9e3c814aa32db2ad5f17bdfbc22746\attributes.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                        00000000046f0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\c344fd5536724b2af2e6453833b60203\SHA1.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              0000000004700000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\eb138ef0e4282611dbf485a302784646\LibYAML.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                           0000000004710000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                 0000000004730000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\bd5179a413bc0c4b82eedc22c6cab101\re.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                0000000004740000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\b979ace6da01e63d651cce9ee2474fdc\Name.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              0000000004770000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                            0000000004fc0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\d0bf009923f29116535c26d228271d6d\Scan.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156](2014-01-29 07:14:10)         000000005b5b0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\17d0b152e63e6bfe81b4b19588538896\mro.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                               0000000004fe0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\3b7106dd14676048b10bbb09a990f74c\XS.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                0000000004ff0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                            0000000005000000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\cf5fe81e2f5dcbfecfd0495e1648c991\Unicode.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                           0000000005010000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\3a8764e0d7c5d453e01d9ad08cf7fb58\IO.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                0000000005020000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\aff7ee779ea184f884ed432c30a58f5d\Scale.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                             000000005b340000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                           0000000005040000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\4f2c03383aab0133b8dc0a3fa2dd92fa\Storable.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                          0000000005050000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\7f2598c08178217a0e2c754f3d568f28\Byte.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              00000000062e0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\c19d5e3dc664d9f4ce700001e2621cee\MD5.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                               00000000050d0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\d1c77e404b5c4b954fa537ed63c8fb7b\File.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              0000000005150000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\0665c25e931c1ac0151b062449e91028\XSAccessor.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                        00000000672c0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\e2e81dd6b3e5a36f0bdae076393cc11d\SQLite.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                            000000005aaf0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\e2e81dd6b3e5a36f0bdae076393cc11d\icuuc46.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                           000000005a9c0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\e2e81dd6b3e5a36f0bdae076393cc11d\icudt46.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                           000000005a9b0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\e2e81dd6b3e5a36f0bdae076393cc11d\icuin46.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                           000000005a2f0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\c668a322917d32a5ea22894518aa9897\Base64.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156](2014-01-29 07:14:11)       0000000006190000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\38a10ee333cf1a9afec3f0acdf1bbebc\Scan.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              0000000059b60000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\8fedeb86a4a984edfc1fb255d4ea965c\XS.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                                0000000059110000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\bc147d83c7c868eeee67082dcf55430c\File.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                              0000000006360000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\b6bd87c968599725b8ab2e5c25d3046a\API.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156]                               0000000007390000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\19febd96672ffdb7ea244cef36aaa062\Zlib.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156](2014-01-29 07:14:23)         00000000074f0000
Library   C:\Users\STANDR~1\AppData\Local\Temp\pdk-Standrechner-5156\87fe0906e4bfbcec428293cf9a5ac335\NetResource.dll (*** suspicious ***) @ C:\PROGRA~2\SQUEEZ~1\server\SQUEEZ~3.EXE [5156](2014-01-29 09:25:00)  0000000007760000

---- Services - GMER 2.1 ----

Service   C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (*** hidden *** )                                                                                                                                    [AUTO] avast! Antivirus                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations                                                                                                                        ?????/???????????s??????????? l????????????e?????????????????k??????????????@machine.inf,%*pnp0c02.devicedesc%;Hauptplatinenressourcen??????@machine.inf,%gendev_mfg%;(Standardsystemger?te)?????k?l?m?m???k?l?m?l???l???????????????????????????l??? ??????????????????@volume.inf,%msft%;Microsoft?????????????????}???????????_???????????e?f?f???d??@machine.inf,%*pnp0c04.devicedesc%;Numerischer Coprozessor?????????????????????r?????k?k?k?k?k???k????????????????????????????????I??? ??????????????????j?j?j?j?j?j?j?j???j?j?j?j????N????????????D?????????????????i???????????{?{?{?{?|?|?????????????????????????????f???5??? ??????????????????{00000000-0000-0000-FFFF-FFFFFFFFFFFF}????????N????????????D????? ???????????????????????????????U?e?e???????k?U?k???k??????????????{4d36e972-e325-11ce-bfc1-08002be10318}\0007??6??system32\drivers\Wdf01000.sys???0.sys???????????????????????????????????????????.NTAMD64?????j?j?j?j??(??????????j??@%systemroot%\system32\rascfg.dll,-32000????????????????????????????????11196 11198????????
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type                                                                                                                                                    2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start                                                                                                                                                   2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl                                                                                                                                            1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath                                                                                                                                               \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName                                                                                                                                             aswMonFlt
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group                                                                                                                                                   FSFilter Anti-Virus
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService                                                                                                                                         FltMgr?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description                                                                                                                                             avast! mini-filter driver (aswMonFlt)
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances                                                                                                                                               
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance                                                                                                                               aswMonFlt Instance
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance                                                                                                                            
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude                                                                                                                   320700
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags                                                                                                                      0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt                                                                                                                                                         
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type                                                                                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start                                                                                                                                                      1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl                                                                                                                                               1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName                                                                                                                                                aswRdr
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group                                                                                                                                                      PNP_TDI
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService                                                                                                                                            tcpip?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description                                                                                                                                                avast! WFP Redirect driver
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath                                                                                                                                                  \??\C:\Windows\system32\drivers\aswRdr2.sys
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters                                                                                                                                                 
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault                                                                                                                              
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault                                                                                                                              nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr                                                                                                                                                            
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type                                                                                                                                                      1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start                                                                                                                                                     0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl                                                                                                                                              1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName                                                                                                                                               avast! Revert
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description                                                                                                                                               avast! Revert
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt                                                                                                                                                           
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type                                                                                                                                                       2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start                                                                                                                                                      1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl                                                                                                                                               1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName                                                                                                                                                aswSnx
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group                                                                                                                                                      FSFilter Virtualization
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService                                                                                                                                            FltMgr?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description                                                                                                                                                avast! virtualization driver (aswSnx)
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag                                                                                                                                                        2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath                                                                                                                                                  \??\C:\Windows\system32\drivers\aswSnx.sys
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances                                                                                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance                                                                                                                                  aswSnx Instance
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance                                                                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude                                                                                                                         137600
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags                                                                                                                            0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters                                                                                                                                                 
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder                                                                                                                                   \??\C:\Program Files\Alwil Software\Avast5
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder                                                                                                                                      \??\C:\ProgramData\Alwil Software\Avast5
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx                                                                                                                                                            
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type                                                                                                                                                        2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start                                                                                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl                                                                                                                                                1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName                                                                                                                                                 aswSP
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description                                                                                                                                                 avast! Self Protection
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath                                                                                                                                                   \??\C:\Windows\system32\drivers\aswSP.sys
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Group                                                                                                                                                       FSFilter Activity Monitor
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@DependOnService                                                                                                                                             FltMgr?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Instances                                                                                                                                                   
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Instances@DefaultInstance                                                                                                                                   aswSP Instance
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Instances\aswSP Instance                                                                                                                                    
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Instances\aswSP Instance@Altitude                                                                                                                           388400
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Instances\aswSP Instance@Flags                                                                                                                              0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters                                                                                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder                                                                                                                                    \??\C:\Program Files\Alwil Software\Avast5

---- EOF - GMER 2.1 ----
         

Old 29.01.2014, 18:57   #8
schrauber
/// the machine
/// TB trainer

Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts that appear with OK.
  • Your computer will be restarted automatically. After the restart a text file opens. Post its contents in your next reply.
  • You can also find the log file under C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).

Please close your security software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop

  • Start the tool with a double-click. On Windows Vista (or higher), please start it via right-click "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan can take a while.
  • When the tool has finished, the log file (JRT.txt) is saved on the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.


and a fresh FRST log, please.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donate
Guides and help
Trojaner-Board Facebook page

No help via PM!

29.01.2014, 19:50   #9
Janne1

Suspected malware infection on Win7



Ok, thanks for now.

Will I get brief notes as soon as anything turns up?

Code:
# AdwCleaner v3.018 - Bericht erstellt am 29/01/2014 um 19:29:06
# Updated 28/01/2014 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzername : Standrechner - STANDRECHNER-PC
# Gestartet von : C:\Users\Standrechner\Downloads\adwcleaner.exe
# Option : Löschen

***** [ Dienste ] *****


***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\Users\Standrechner\AppData\LocalLow\boost_interprocess

***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_fuer_k-lite-codec-pack_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_fuer_k-lite-codec-pack_RASMANCS
Schlüssel Gelöscht : HKCU\Software\Conduit
Schlüssel Gelöscht : HKCU\Software\Softonic
Schlüssel Gelöscht : HKCU\Software\YahooPartnerToolbar

***** [ Browser ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v26.0 (de)

[ Datei : C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\gonfmzxi.default\prefs.js ]


[ Datei : C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\prefs.js ]


-\\ Google Chrome v

[ Datei : C:\Users\Standrechner\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1649 octets] - [29/01/2014 19:27:47]
AdwCleaner[S0].txt - [1409 octets] - [29/01/2014 19:29:06]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1469 octets] ##########
         
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows 7 Professional x64
Ran by Standrechner on 29.01.2014 at 19:36:22,36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Standrechner\AppData\Roaming\mozilla\firefox\profiles\r5bf80o8.default\prefs.js

user_pref("browser.startup.homepage", "hxxps://www.ixquick.com/deu/");
user_pref("extensions.searchgby.data", "{\r\n	\"v\":\"1.1\",\r\n	\"help\": \"hxxp://searchgby.com/pages/help/\",\r\n	\"news\":{\r\n		\"news\":[\r\n			\"hxxp://www.cnn.com/\",\
user_pref("extensions.searchgby.dd", "1322128828789");
user_pref("extensions.searchgby.dd.data", "{\"v\":\"1.2\",\"ip\":\"89.0.2.100\",\"widget\":{\"meta\": {\"code\": 200},\"response\": {\"deals\": []}}}");
user_pref("extensions.searchgby.lastupdate", "1322125710922");
Emptied folder: C:\Users\Standrechner\AppData\Roaming\mozilla\firefox\profiles\r5bf80o8.default\minidumps [388 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 29.01.2014 at 19:41:24,64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-01-2014
Ran by Standrechner (administrator) on STANDRECHNER-PC on 29-01-2014 19:42:30
Running from C:\Users\Standrechner\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal



==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Iomega Corp) C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe
(EMC Corporation) C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Telefónica I+D) C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Sphinx Software) C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\TurboV EVO\TurboVHelp.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
(Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Lexware\zeitmanagement\2011\Haufe.TimeManagement.exe
(Secure Banking) C:\Program Files (x86)\Secure Banking\SecureBanking.exe
(EMC) C:\Program Files (x86)\Iomega Storage Manager\IomegaStorageManager.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastUI.exe
(Logitech Inc.) C:\Program Files (x86)\Squeezebox\SqueezeTray.exe
() C:\Program Files (x86)\Secure Banking\sbservice.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winampa.exe
(Sphinx Software) C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Common Files\Lexware\Update Manager\LxUpdateManager.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Logitech Inc.) C:\Program Files (x86)\Squeezebox\server\SqueezeSvr.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Macrovision Europe Ltd.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Crystal Dew World) C:\Program Files (x86)\CrystalDiskInfo\DiskInfo.exe
(Thisisu) C:\Users\Standrechner\Downloads\JRT.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM-x32\...\Run: [avast5] - C:\Program Files\Alwil Software\Avast5\avastUI.exe [3767096 2014-01-29] (AVAST Software)
HKLM-x32\...\Run: [HDAudDeck] - C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [2472048 2010-11-23] (VIA)
HKLM-x32\...\Run: [TurboV EVO] - C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe [9936000 2010-07-07] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-10-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ATICustomerCare] - C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe [311296 2010-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [SSBkgdUpdate] - C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe [29984 2008-07-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] - C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe [46368 2008-07-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort11reminder] - C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe [328992 2007-08-31] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [BrMfcWnd] - C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] - C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [PDF Seven] - C:\Program Files\PDFSeven\PDF.exe
HKLM-x32\...\Run: [WinampAgent] - C:\Program Files (x86)\Winamp\winampa.exe [74752 2012-06-28] (Nullsoft, Inc.)
HKLM-x32\...\Run: [Windows7FirewallControl] - C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe [798720 2010-11-01] (Sphinx Software)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [624248 2007-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Adobe_ID0EYTHM] - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe [1884160 2007-03-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM-x32\...\Run: [LexwareInfoService] - C:\Program Files (x86)\Common Files\Lexware\Update Manager\LxUpdateManager.exe [339312 2010-09-15] (Haufe-Lexware GmbH & Co. KG)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] - C:\Program Files\Alwil Software\Avast5\AvastUI.exe [3767096 2014-01-29] (AVAST Software)
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-12-23] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968 2013-11-15] ()
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [MobileDocuments] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKCU\...\Run: [hddhealth] - C:\Program Files (x86)\HDD Health\hddhealth.exe -wl
HKCU\...\Run: [Haufe.TimeManagement] - C:\Program Files (x86)\Lexware\zeitmanagement\2011\Haufe.TimeManagement.exe [1440112 2012-04-20] (Haufe-Lexware GmbH & Co. KG)
HKCU\...\Run: [Akamai NetSession Interface] - "C:\Users\Standrechner\AppData\Local\Akamai\netsession_win.exe"
HKCU\...\Run: [SecureBanking] - C:\Program Files (x86)\Secure Banking\SecureBanking.exe [507904 2013-06-30] (Secure Banking)
MountPoints2: {261fd23f-7edb-11e0-bc25-20cf301acabf} - G:\AutoRun.exe
MountPoints2: {261fd289-7edb-11e0-bc25-20cf301acabf} - G:\AutoRun.exe
MountPoints2: {261fd29e-7edb-11e0-bc25-20cf301acabf} - G:\AutoRun.exe

==================== Internet (Whitelisted) ====================

BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
BHO: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM - avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\Program Files (x86)\TerraTec\TerraTec Home Cinema\ThcDeskBand.dll (TerraTec Electronic GmbH)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
Toolbar: HKLM-x32 - avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {6E718D87-6909-4FCE-92D4-EDCB2F725727} file:///C:/Program%20Files%20(x86)/Würth%20Technologieplattform/VIEWERINSTALL/applications/Navigram.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_43.dll ()
FF Plugin: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE - C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: @parallelgraphics.com/Cortona - C:\Program Files (x86)\Common Files\ParallelGraphics\Cortona\npCortona.dll (ParallelGraphics)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.169\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.169\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCortona.dll (ParallelGraphics)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll (Nullsoft, Inc.)
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\das-rtliche.xml
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\duckduckgo-1.xml
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\duckduckgo.xml
FF SearchPlugin: C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\searchplugins\ixquick-https---deutsch.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FRITZ!Box AddOn - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\fb_add_on@avm.de [2013-04-15]
FF Extension: Website City + Country Info - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\ipdata@extension [2012-07-27]
FF Extension: Flagfox - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} [2014-01-19]
FF Extension: Biet-O-Matic Firefox Erweiterung - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{B0D70E72-2FC1-4b9f-A3D4-5921C854D906} [2010-11-23]
FF Extension: pdfViewerSwitcher - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\jid1-UXDr6c69BeyPVw@jetpack.xpi [2013-09-23]
FF Extension: Ebook PDF Search Engine and Viewer - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\lintasnusa@gmail.com.xpi [2013-09-23]
FF Extension: Session Manager - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-01-28]
FF Extension: RightToClick - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi [2011-05-18]
FF Extension: Adblock Plus - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-07-02]
FF Extension: BetterPrivacy - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2013-04-08]
FF Extension: QuickJava - C:\Users\Standrechner\AppData\Roaming\Mozilla\Firefox\Profiles\r5bf80o8.default\Extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi [2012-09-10]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2011-06-29]

Chrome: 
=======
CHR HomePage: hxxp://www.google.com

==================== Services (Whitelisted) =================

R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [109056 2010-11-23] ()
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [50344 2014-01-29] (AVAST Software)
R2 PCloudd; C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe [207360 2011-08-06] (Iomega Corp)
R2 RetroExpLauncher; C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe [120088 2008-12-11] (EMC Corporation)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 TGCM_ImportWiFiSvc; C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe [199600 2010-08-02] (Telefónica I+D)
R2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2169592 2011-05-18] (UltraVNC)
R2 Windows7FirewallService; C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe [401408 2010-11-01] (Sphinx Software)

==================== Drivers (Whitelisted) ====================

S3 AF9035BDA; C:\Windows\System32\DRIVERS\AF15BDA.sys [513600 2009-11-05] (ITETech                  )
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-11-23] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [78648 2014-01-29] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-11-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1038072 2014-01-29] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [421704 2014-01-29] (AVAST Software)
S3 aswStm; C:\Windows\system32\drivers\aswStm.sys [80184 2014-01-29] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [207904 2014-01-29] ()
S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [250368 2010-04-07] (Huawei Technologies Co., Ltd.)
S3 MEMSWEEP2; C:\Windows\system32\F4CA.tmp [6144 2010-05-26] (Sophos Plc)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2010-11-23] ()
R3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12904 2011-07-03] (UVNC BVBA)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74752 2011-07-25] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S3 vNICdrv; C:\Windows\System32\DRIVERS\vNICdrv.sys [20048 2011-08-06] (Iomega Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-29 19:41 - 2014-01-29 19:41 - 00001427 _____ C:\Users\Standrechner\Desktop\JRT.txt
2014-01-29 19:36 - 2014-01-29 19:36 - 00000000 ____D C:\Windows\ERUNT
2014-01-29 19:32 - 2014-01-29 19:32 - 00001549 _____ C:\Users\Standrechner\Desktop\AdwCleaner[S0].txt
2014-01-29 19:27 - 2014-01-29 19:29 - 00000000 ____D C:\AdwCleaner
2014-01-29 19:25 - 2014-01-29 19:25 - 01037068 _____ (Thisisu) C:\Users\Standrechner\Downloads\JRT.exe
2014-01-29 19:24 - 2014-01-29 19:24 - 01166132 _____ C:\Users\Standrechner\Downloads\adwcleaner.exe
2014-01-29 18:18 - 2014-01-29 18:19 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Standrechner\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-29 17:50 - 2014-01-29 17:50 - 00414150 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.2.rar
2014-01-29 17:48 - 2014-01-29 17:55 - 00001078 _____ C:\Users\Public\Desktop\Secure Banking.lnk
2014-01-29 17:48 - 2014-01-29 17:55 - 00000000 ____D C:\Program Files (x86)\Secure Banking
2014-01-29 17:47 - 2014-01-29 17:47 - 00399347 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.1.rar
2014-01-29 17:47 - 2014-01-29 17:47 - 00000000 ____D C:\Users\Standrechner\Downloads\Secure Banking v1.5.1
2014-01-29 10:47 - 2014-01-29 10:47 - 00028172 _____ C:\Users\Standrechner\Downloads\Logfiles.zip
2014-01-29 10:46 - 2014-01-29 10:46 - 00001627 _____ C:\Users\Standrechner\Desktop\DivX Movies.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001131 _____ C:\Users\Public\Desktop\DivX Converter.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001066 _____ C:\Users\Public\Desktop\DivX Player.lnk
2014-01-29 10:39 - 2014-01-29 10:39 - 00993600 _____ (DivX, LLC) C:\Users\Standrechner\Downloads\DivXInstaller(1).exe
2014-01-29 10:30 - 2014-01-29 10:30 - 00091274 _____ C:\Users\Standrechner\Desktop\Fehlermeldungen Popups.zip
2014-01-29 10:22 - 2014-01-29 10:22 - 00028172 _____ C:\Users\Standrechner\Desktop\Logfiles.zip
2014-01-29 09:57 - 2014-01-29 09:57 - 00222967 _____ C:\Users\Standrechner\Desktop\Fehlermeldung.psd
2014-01-29 09:20 - 2014-01-29 09:20 - 00080184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2014-01-29 09:07 - 2014-01-29 12:32 - 00417946 _____ C:\Users\Standrechner\Desktop\gmer.txt
2014-01-29 09:06 - 2014-01-29 09:06 - 00564701 _____ C:\Users\Standrechner\Documents\gmer.txt
2014-01-29 08:44 - 2014-01-29 08:44 - 00054632 _____ C:\Users\Standrechner\Desktop\Addition.txt
2014-01-29 08:39 - 2014-01-29 08:44 - 00029410 _____ C:\Users\Standrechner\Desktop\FRST.txt
2014-01-29 08:38 - 2014-01-29 19:42 - 00021291 _____ C:\Users\Standrechner\Downloads\FRST.txt
2014-01-29 08:38 - 2014-01-29 19:42 - 00000000 ____D C:\FRST
2014-01-29 08:38 - 2014-01-29 08:44 - 00054632 _____ C:\Users\Standrechner\Downloads\Addition.txt
2014-01-29 08:35 - 2014-01-29 08:36 - 02079744 _____ (Farbar) C:\Users\Standrechner\Downloads\FRST64.exe
2014-01-29 08:35 - 2014-01-29 08:35 - 00000486 _____ C:\Users\Standrechner\Downloads\defogger_disable.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000000 _____ C:\Users\Standrechner\defogger_reenable
2014-01-29 08:34 - 2014-01-29 08:34 - 00050477 _____ C:\Users\Standrechner\Downloads\Defogger.exe
2014-01-27 17:35 - 2014-01-27 17:39 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(1).exe
2014-01-21 21:56 - 2014-01-21 21:56 - 00380416 _____ C:\Users\Standrechner\Downloads\gmer.exe
2014-01-21 16:14 - 2014-01-21 16:17 - 54676293 _____ C:\Users\Standrechner\Downloads\PIKO-Update_v04.11_(incl.Microsoft.NET_v4).zip
2014-01-21 14:26 - 2014-01-21 14:26 - 00001553 _____ C:\Users\Standrechner\AppData\Local\recently-used.xbel
2014-01-21 14:15 - 2014-01-21 14:16 - 21079125 _____ C:\Users\Standrechner\Downloads\gnumeric-1.12.9-20131128.exe
2014-01-21 14:14 - 2014-01-21 14:14 - 00401744 _____ (Softonic                                        ) C:\Users\Standrechner\Downloads\SoftonicDownloader_fuer_gnumeric.exe
2014-01-15 08:03 - 2013-11-27 02:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 08:03 - 2013-11-26 11:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

2014-01-29 19:42 - 2014-01-29 08:38 - 00021291 _____ C:\Users\Standrechner\Downloads\FRST.txt
2014-01-29 19:42 - 2014-01-29 08:38 - 00000000 ____D C:\FRST
2014-01-29 19:41 - 2014-01-29 19:41 - 00001427 _____ C:\Users\Standrechner\Desktop\JRT.txt
2014-01-29 19:38 - 2009-07-14 05:45 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-29 19:38 - 2009-07-14 05:45 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-29 19:36 - 2014-01-29 19:36 - 00000000 ____D C:\Windows\ERUNT
2014-01-29 19:32 - 2014-01-29 19:32 - 00001549 _____ C:\Users\Standrechner\Desktop\AdwCleaner[S0].txt
2014-01-29 19:31 - 2013-10-12 10:16 - 00007681 _____ C:\Windows\setupact.log
2014-01-29 19:31 - 2013-02-27 08:48 - 00001118 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-29 19:31 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-29 19:30 - 2010-11-23 11:34 - 01721682 _____ C:\Windows\WindowsUpdate.log
2014-01-29 19:29 - 2014-01-29 19:27 - 00000000 ____D C:\AdwCleaner
2014-01-29 19:25 - 2014-01-29 19:25 - 01037068 _____ (Thisisu) C:\Users\Standrechner\Downloads\JRT.exe
2014-01-29 19:24 - 2014-01-29 19:24 - 01166132 _____ C:\Users\Standrechner\Downloads\adwcleaner.exe
2014-01-29 19:17 - 2013-02-27 08:48 - 00001122 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-29 18:56 - 2012-04-02 06:58 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-29 18:22 - 2011-01-17 09:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-29 18:19 - 2014-01-29 18:18 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Standrechner\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-29 17:55 - 2014-01-29 17:48 - 00001078 _____ C:\Users\Public\Desktop\Secure Banking.lnk
2014-01-29 17:55 - 2014-01-29 17:48 - 00000000 ____D C:\Program Files (x86)\Secure Banking
2014-01-29 17:50 - 2014-01-29 17:50 - 00414150 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.2.rar
2014-01-29 17:47 - 2014-01-29 17:47 - 00399347 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.1.rar
2014-01-29 17:47 - 2014-01-29 17:47 - 00000000 ____D C:\Users\Standrechner\Downloads\Secure Banking v1.5.1
2014-01-29 13:11 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2014-01-29 13:06 - 2013-10-12 10:16 - 00091840 _____ C:\Windows\PFRO.log
2014-01-29 12:32 - 2014-01-29 09:07 - 00417946 _____ C:\Users\Standrechner\Desktop\gmer.txt
2014-01-29 11:12 - 2013-02-27 08:48 - 00004118 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-01-29 11:12 - 2013-02-27 08:48 - 00003866 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-01-29 10:47 - 2014-01-29 10:47 - 00028172 _____ C:\Users\Standrechner\Downloads\Logfiles.zip
2014-01-29 10:46 - 2014-01-29 10:46 - 00001627 _____ C:\Users\Standrechner\Desktop\DivX Movies.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001131 _____ C:\Users\Public\Desktop\DivX Converter.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001066 _____ C:\Users\Public\Desktop\DivX Player.lnk
2014-01-29 10:46 - 2013-12-11 13:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2014-01-29 10:46 - 2012-03-25 23:46 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\DivX
2014-01-29 10:46 - 2012-03-25 23:45 - 00000000 ____D C:\Program Files\DivX
2014-01-29 10:46 - 2012-03-25 23:45 - 00000000 ____D C:\Program Files (x86)\DivX
2014-01-29 10:46 - 2012-03-25 23:38 - 00000000 ____D C:\ProgramData\DivX
2014-01-29 10:39 - 2014-01-29 10:39 - 00993600 _____ (DivX, LLC) C:\Users\Standrechner\Downloads\DivXInstaller(1).exe
2014-01-29 10:30 - 2014-01-29 10:30 - 00091274 _____ C:\Users\Standrechner\Desktop\Fehlermeldungen Popups.zip
2014-01-29 10:22 - 2014-01-29 10:22 - 00028172 _____ C:\Users\Standrechner\Desktop\Logfiles.zip
2014-01-29 09:57 - 2014-01-29 09:57 - 00222967 _____ C:\Users\Standrechner\Desktop\Fehlermeldung.psd
2014-01-29 09:53 - 2011-03-24 09:36 - 00000000 ____D C:\Users\Standrechner\Documents\Anne
2014-01-29 09:20 - 2014-01-29 09:20 - 00080184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2014-01-29 09:20 - 2013-08-12 11:04 - 00207904 _____ C:\Windows\system32\Drivers\aswVmm.sys
2014-01-29 09:20 - 2012-07-13 19:18 - 00003926 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2014-01-29 09:20 - 2011-06-29 09:25 - 01038072 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2014-01-29 09:20 - 2011-01-23 14:50 - 00334136 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-01-29 09:20 - 2010-11-23 11:56 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2014-01-29 09:20 - 2010-11-23 11:56 - 00001977 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-01-29 09:20 - 2010-11-23 11:55 - 00078648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2014-01-29 09:20 - 2010-11-23 11:55 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-01-29 09:06 - 2014-01-29 09:06 - 00564701 _____ C:\Users\Standrechner\Documents\gmer.txt
2014-01-29 08:44 - 2014-01-29 08:44 - 00054632 _____ C:\Users\Standrechner\Desktop\Addition.txt
2014-01-29 08:44 - 2014-01-29 08:39 - 00029410 _____ C:\Users\Standrechner\Desktop\FRST.txt
2014-01-29 08:44 - 2014-01-29 08:38 - 00054632 _____ C:\Users\Standrechner\Downloads\Addition.txt
2014-01-29 08:36 - 2014-01-29 08:35 - 02079744 _____ (Farbar) C:\Users\Standrechner\Downloads\FRST64.exe
2014-01-29 08:35 - 2014-01-29 08:35 - 00000486 _____ C:\Users\Standrechner\Downloads\defogger_disable.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000000 _____ C:\Users\Standrechner\defogger_reenable
2014-01-29 08:35 - 2010-11-23 11:37 - 00000000 ____D C:\Users\Standrechner
2014-01-29 08:34 - 2014-01-29 08:34 - 00050477 _____ C:\Users\Standrechner\Downloads\Defogger.exe
2014-01-28 20:01 - 2010-12-01 20:42 - 00000478 _____ C:\Windows\Tasks\SyncBack Jan Eigene Dateien.job
2014-01-28 08:29 - 2010-11-23 13:15 - 00000000 ____D C:\ProgramData\BTrieve
2014-01-27 17:39 - 2014-01-27 17:35 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(1).exe
2014-01-25 21:50 - 2011-01-10 11:32 - 00000000 ____D C:\ProgramData\Apple
2014-01-23 14:57 - 2010-11-23 13:14 - 00000000 ____D C:\Users\Standrechner\AppData\Local\Adobe
2014-01-23 14:36 - 2012-04-02 06:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-23 14:36 - 2012-04-02 06:58 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-23 14:36 - 2011-05-31 20:14 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-21 21:56 - 2014-01-21 21:56 - 00380416 _____ C:\Users\Standrechner\Downloads\gmer.exe
2014-01-21 16:17 - 2014-01-21 16:14 - 54676293 _____ C:\Users\Standrechner\Downloads\PIKO-Update_v04.11_(incl.Microsoft.NET_v4).zip
2014-01-21 14:26 - 2014-01-21 14:26 - 00001553 _____ C:\Users\Standrechner\AppData\Local\recently-used.xbel
2014-01-21 14:17 - 2013-07-05 08:36 - 00000000 ____D C:\Program Files (x86)\Gnumeric
2014-01-21 14:16 - 2014-01-21 14:15 - 21079125 _____ C:\Users\Standrechner\Downloads\gnumeric-1.12.9-20131128.exe
2014-01-21 14:14 - 2014-01-21 14:14 - 00401744 _____ (Softonic                                        ) C:\Users\Standrechner\Downloads\SoftonicDownloader_fuer_gnumeric.exe
2014-01-17 22:03 - 2009-07-14 18:58 - 00698742 _____ C:\Windows\system32\perfh007.dat
2014-01-17 22:03 - 2009-07-14 18:58 - 00148798 _____ C:\Windows\system32\perfc007.dat
2014-01-17 22:03 - 2009-07-14 06:13 - 01613412 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-15 10:55 - 2011-01-14 19:00 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\Winamp
2014-01-15 10:10 - 2009-07-14 05:45 - 02349448 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 09:40 - 2013-08-14 21:20 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 09:38 - 2010-11-23 11:43 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-10 15:19 - 2010-11-11 15:22 - 00000000 ____D C:\Users\Standrechner\Documents\Lexware F A Daten
2014-01-10 14:01 - 2011-03-13 09:56 - 00000000 ____D C:\Program Files\Common Files\Apple
2014-01-10 14:01 - 2011-01-10 11:34 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\Apple Computer
2014-01-03 13:52 - 2011-01-10 11:03 - 00000000 ____D C:\ProgramData\FLEXnet

Some content of TEMP:
====================
C:\Users\Standrechner\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-20 20:03

==================== End Of Log ============================
         

Alt 30.01.2014, 16:21   #10
schrauber
/// the machine
/// TB-Ausbilder
 

ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start ESET Online Scanner
  • Tick "Yes, I accept the terms of use" and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • When the scan has finished, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Locate C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the log file here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Please download SecurityCheck and:

  • Save it to the desktop.
  • Start SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
Please post its contents here.

And a fresh FRST log, please. Any problems left?
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009


No support via PM!

Alt 31.01.2014, 08:19   #11
Janne1
 
Hello Schrauber,

Thanks so far. I have to continue in small steps now (because of work), so here is the ESET log first. Apparently no detection.

By the way, the program/log is located in the folder with spaces in its name, C:\Program Files (x86)\ESET\ESET Online Scanner; maybe you could correct that for the lazy users inclined to copy+paste, then it is easier.
Code:
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
Can not open internetesets_scanner_update returned -1 esets_gle=12
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=f2390fba715fa14c858c148416dfd474
# engine=16871
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-01-31 06:32:23
# local_time=2014-01-31 07:32:23 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 169437 142779793 0 0
# scanned=309438
# found=0
# cleaned=0
# scan_time=35666
         
Further up in the (edit: ) gmer log there was something about a rootkit; was that an error message?

Regards
Jan

Code:
 Results of screen317's Security Check version 0.99.79  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 Sophos Anti-Rootkit 1.5.4   
 Malwarebytes Anti-Malware Version 1.75.0.1300  
 Adobe Flash Player 10 Flash Player out of Date! 
  Adobe Flash Player 12.0.0.43 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox (26.0) 
 Mozilla Thunderbird (24.2.0) 
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled! 
 Windows7FirewallControl Windows7FirewallService.exe   
 Windows7FirewallControl Windows7FirewallControl.exe   
 Alwil Software Avast5 AvastSvc.exe  
 Alwil Software Avast5 AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-01-2014
Ran by Adminkonto (administrator) on STANDRECHNER-PC on 31-01-2014 08:17:35
Running from C:\Users\Standrechner\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal



==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Iomega Corp) C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe
(EMC Corporation) C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Telefónica I+D) C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Sphinx Software) C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Lexware\zeitmanagement\2011\Haufe.TimeManagement.exe
(Secure Banking) C:\Program Files (x86)\Secure Banking\SecureBanking.exe
(EMC) C:\Program Files (x86)\Iomega Storage Manager\IomegaStorageManager.exe
(Logitech Inc.) C:\Program Files (x86)\Squeezebox\SqueezeTray.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastUI.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
() C:\Program Files (x86)\Secure Banking\sbservice.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winampa.exe
(Sphinx Software) C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Haufe-Lexware GmbH & Co. KG) C:\Program Files (x86)\Common Files\Lexware\Update Manager\LxUpdateManager.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Macrovision Europe Ltd.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Logitech Inc.) C:\Program Files (x86)\Squeezebox\server\SqueezeSvr.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\TurboV EVO\TurboVHelp.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
(Crystal Dew World) C:\Program Files (x86)\CrystalDiskInfo\DiskInfo.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
() C:\Users\Standrechner\Downloads\SecurityCheck.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM-x32\...\Run: [avast5] - C:\Program Files\Alwil Software\Avast5\avastUI.exe [3767096 2014-01-29] (AVAST Software)
HKLM-x32\...\Run: [HDAudDeck] - C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [2472048 2010-11-23] (VIA)
HKLM-x32\...\Run: [TurboV EVO] - C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe [9936000 2010-07-07] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-10-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ATICustomerCare] - C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe [311296 2010-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [SSBkgdUpdate] - C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe [29984 2008-07-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] - C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe [46368 2008-07-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort11reminder] - C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe [328992 2007-08-31] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [BrMfcWnd] - C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] - C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [PDF Seven] - C:\Program Files\PDFSeven\PDF.exe
HKLM-x32\...\Run: [WinampAgent] - C:\Program Files (x86)\Winamp\winampa.exe [74752 2012-06-28] (Nullsoft, Inc.)
HKLM-x32\...\Run: [Windows7FirewallControl] - C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe [798720 2010-11-01] (Sphinx Software)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [624248 2007-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Adobe_ID0EYTHM] - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe [1884160 2007-03-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM-x32\...\Run: [LexwareInfoService] - C:\Program Files (x86)\Common Files\Lexware\Update Manager\LxUpdateManager.exe [339312 2010-09-15] (Haufe-Lexware GmbH & Co. KG)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] - C:\Program Files\Alwil Software\Avast5\AvastUI.exe [3767096 2014-01-29] (AVAST Software)
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-12-23] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968 2013-11-15] ()

==================== Internet (Whitelisted) ====================

BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
BHO: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
BHO-x32: No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM - avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\Program Files (x86)\TerraTec\TerraTec Home Cinema\ThcDeskBand.dll (TerraTec Electronic GmbH)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
Toolbar: HKLM-x32 - avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
DPF: HKLM-x32 {6E718D87-6909-4FCE-92D4-EDCB2F725727} file:///C:/Program%20Files%20(x86)/Würth%20Technologieplattform/VIEWERINSTALL/applications/Navigram.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

==================== Services (Whitelisted) =================

R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [109056 2010-11-23] ()
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [50344 2014-01-29] (AVAST Software)
R2 PCloudd; C:\Program Files (x86)\Iomega Storage Manager\pCloudd.exe [207360 2011-08-06] (Iomega Corp)
R2 RetroExpLauncher; C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.5\retrorun.exe [120088 2008-12-11] (EMC Corporation)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 TGCM_ImportWiFiSvc; C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe [199600 2010-08-02] (Telefónica I+D)
R2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2169592 2011-05-18] (UltraVNC)
R2 Windows7FirewallService; C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe [401408 2010-11-01] (Sphinx Software)

==================== Drivers (Whitelisted) ====================

S3 AF9035BDA; C:\Windows\System32\DRIVERS\AF15BDA.sys [513600 2009-11-05] (ITETech                  )
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-11-23] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [78648 2014-01-29] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-11-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1038072 2014-01-29] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [421704 2014-01-29] (AVAST Software)
R3 aswStm; C:\Windows\system32\drivers\aswStm.sys [80184 2014-01-29] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [207904 2014-01-29] ()
S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [250368 2010-04-07] (Huawei Technologies Co., Ltd.)
S3 MEMSWEEP2; C:\Windows\system32\F4CA.tmp [6144 2010-05-26] (Sophos Plc)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2010-11-23] ()
R3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12904 2011-07-03] (UVNC BVBA)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74752 2011-07-25] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S3 vNICdrv; C:\Windows\System32\DRIVERS\vNICdrv.sys [20048 2011-08-06] (Iomega Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-31 08:11 - 2014-01-31 08:11 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\Notepad++
2014-01-31 08:08 - 2014-01-31 08:09 - 00987425 _____ C:\Users\Standrechner\Downloads\SecurityCheck.exe
2014-01-30 21:32 - 2014-01-30 21:32 - 02347384 _____ (ESET) C:\Users\Standrechner\Downloads\esetsmartinstaller_enu.exe
2014-01-30 14:34 - 2014-01-30 14:34 - 00114064 _____ C:\Users\Adminkonto\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-30 14:34 - 2014-01-30 14:34 - 00001425 _____ C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ___RD C:\Users\Adminkonto\Virtual Machines
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ___RD C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ___RD C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\AVAST Software
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\ATI
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\Apple Computer
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\Adobe
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\Scansoft
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\IomegaStorageManager
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\ATI
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\Apple Computer
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\Adobe
2014-01-30 14:33 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\VirtualStore
2014-01-30 14:33 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto
2014-01-30 14:33 - 2014-01-30 14:33 - 00000020 ___SH C:\Users\Adminkonto\ntuser.ini
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Vorlagen
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Startmenü
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Netzwerkumgebung
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Lokale Einstellungen
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Eigene Dateien
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Druckumgebung
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Documents\Eigene Musik
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Documents\Eigene Bilder
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\AppData\Local\Verlauf
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\AppData\Local\Anwendungsdaten
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Anwendungsdaten
2014-01-30 14:33 - 2009-07-14 05:54 - 00000000 ___RD C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-01-30 14:33 - 2009-07-14 05:49 - 00000000 ___RD C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-01-30 14:14 - 2014-01-30 14:18 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(3).exe
2014-01-29 19:41 - 2014-01-29 19:41 - 00001427 _____ C:\Users\Standrechner\Desktop\JRT.txt
2014-01-29 19:36 - 2014-01-29 19:36 - 00000000 ____D C:\Windows\ERUNT
2014-01-29 19:32 - 2014-01-29 19:32 - 00001549 _____ C:\Users\Standrechner\Desktop\AdwCleaner[S0].txt
2014-01-29 19:27 - 2014-01-29 19:29 - 00000000 ____D C:\AdwCleaner
2014-01-29 19:25 - 2014-01-29 19:25 - 01037068 _____ (Thisisu) C:\Users\Standrechner\Downloads\JRT.exe
2014-01-29 19:24 - 2014-01-29 19:24 - 01166132 _____ C:\Users\Standrechner\Downloads\adwcleaner.exe
2014-01-29 18:18 - 2014-01-29 18:19 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Standrechner\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-29 17:50 - 2014-01-29 17:50 - 00414150 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.2.rar
2014-01-29 17:48 - 2014-01-29 17:55 - 00001078 _____ C:\Users\Public\Desktop\Secure Banking.lnk
2014-01-29 17:48 - 2014-01-29 17:55 - 00000000 ____D C:\Program Files (x86)\Secure Banking
2014-01-29 17:47 - 2014-01-29 17:47 - 00399347 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.1.rar
2014-01-29 17:47 - 2014-01-29 17:47 - 00000000 ____D C:\Users\Standrechner\Downloads\Secure Banking v1.5.1
2014-01-29 10:47 - 2014-01-29 10:47 - 00028172 _____ C:\Users\Standrechner\Downloads\Logfiles.zip
2014-01-29 10:46 - 2014-01-29 10:46 - 00001627 _____ C:\Users\Standrechner\Desktop\DivX Movies.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001131 _____ C:\Users\Public\Desktop\DivX Converter.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001066 _____ C:\Users\Public\Desktop\DivX Player.lnk
2014-01-29 10:39 - 2014-01-29 10:39 - 00993600 _____ (DivX, LLC) C:\Users\Standrechner\Downloads\DivXInstaller(1).exe
2014-01-29 10:30 - 2014-01-29 10:30 - 00091274 _____ C:\Users\Standrechner\Desktop\Fehlermeldungen Popups.zip
2014-01-29 10:22 - 2014-01-29 10:22 - 00028172 _____ C:\Users\Standrechner\Desktop\Logfiles.zip
2014-01-29 09:57 - 2014-01-29 09:57 - 00222967 _____ C:\Users\Standrechner\Desktop\Fehlermeldung.psd
2014-01-29 09:20 - 2014-01-29 09:20 - 00080184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2014-01-29 09:07 - 2014-01-29 12:32 - 00417946 _____ C:\Users\Standrechner\Desktop\gmer.txt
2014-01-29 09:06 - 2014-01-29 09:06 - 00564701 _____ C:\Users\Standrechner\Documents\gmer.txt
2014-01-29 08:44 - 2014-01-29 08:44 - 00054632 _____ C:\Users\Standrechner\Desktop\Addition.txt
2014-01-29 08:39 - 2014-01-29 08:44 - 00029410 _____ C:\Users\Standrechner\Desktop\FRST.txt
2014-01-29 08:38 - 2014-01-31 08:17 - 00014655 _____ C:\Users\Standrechner\Downloads\FRST.txt
2014-01-29 08:38 - 2014-01-31 08:17 - 00000000 ____D C:\FRST
2014-01-29 08:38 - 2014-01-29 08:44 - 00054632 _____ C:\Users\Standrechner\Downloads\Addition.txt
2014-01-29 08:35 - 2014-01-29 08:36 - 02079744 _____ (Farbar) C:\Users\Standrechner\Downloads\FRST64.exe
2014-01-29 08:35 - 2014-01-29 08:35 - 00000486 _____ C:\Users\Standrechner\Downloads\defogger_disable.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000000 _____ C:\Users\Standrechner\defogger_reenable
2014-01-29 08:34 - 2014-01-29 08:34 - 00050477 _____ C:\Users\Standrechner\Downloads\Defogger.exe
2014-01-27 17:35 - 2014-01-27 17:39 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(1).exe
2014-01-21 21:56 - 2014-01-21 21:56 - 00380416 _____ C:\Users\Standrechner\Downloads\gmer.exe
2014-01-21 16:14 - 2014-01-21 16:17 - 54676293 _____ C:\Users\Standrechner\Downloads\PIKO-Update_v04.11_(incl.Microsoft.NET_v4).zip
2014-01-21 14:26 - 2014-01-21 14:26 - 00001553 _____ C:\Users\Standrechner\AppData\Local\recently-used.xbel
2014-01-21 14:15 - 2014-01-21 14:16 - 21079125 _____ C:\Users\Standrechner\Downloads\gnumeric-1.12.9-20131128.exe
2014-01-21 14:14 - 2014-01-21 14:14 - 00401744 _____ (Softonic                                        ) C:\Users\Standrechner\Downloads\SoftonicDownloader_fuer_gnumeric.exe
2014-01-15 08:03 - 2013-11-27 02:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 08:03 - 2013-11-27 02:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 08:03 - 2013-11-26 11:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

2014-01-31 08:17 - 2014-01-29 08:38 - 00014655 _____ C:\Users\Standrechner\Downloads\FRST.txt
2014-01-31 08:17 - 2014-01-29 08:38 - 00000000 ____D C:\FRST
2014-01-31 08:17 - 2013-02-27 08:48 - 00001122 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-31 08:11 - 2014-01-31 08:11 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\Notepad++
2014-01-31 08:09 - 2014-01-31 08:08 - 00987425 _____ C:\Users\Standrechner\Downloads\SecurityCheck.exe
2014-01-31 07:56 - 2012-04-02 06:58 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-31 03:00 - 2010-11-23 11:34 - 01750039 _____ C:\Windows\WindowsUpdate.log
2014-01-30 21:34 - 2009-07-14 05:45 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-30 21:34 - 2009-07-14 05:45 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-30 21:33 - 2009-07-14 18:58 - 00698742 _____ C:\Windows\system32\perfh007.dat
2014-01-30 21:33 - 2009-07-14 18:58 - 00148798 _____ C:\Windows\system32\perfc007.dat
2014-01-30 21:33 - 2009-07-14 06:13 - 01613412 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-30 21:32 - 2014-01-30 21:32 - 02347384 _____ (ESET) C:\Users\Standrechner\Downloads\esetsmartinstaller_enu.exe
2014-01-30 21:29 - 2013-02-27 08:48 - 00001118 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-30 21:26 - 2013-10-12 10:16 - 00008420 _____ C:\Windows\setupact.log
2014-01-30 21:26 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-30 14:36 - 2011-01-16 22:11 - 00000000 ____D C:\Windows\system32\appmgmt
2014-01-30 14:34 - 2014-01-30 14:34 - 00114064 _____ C:\Users\Adminkonto\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-30 14:34 - 2014-01-30 14:34 - 00001425 _____ C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ___RD C:\Users\Adminkonto\Virtual Machines
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ___RD C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ___RD C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\AVAST Software
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\ATI
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\Apple Computer
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Roaming\Adobe
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\Scansoft
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\IomegaStorageManager
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\ATI
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\Apple Computer
2014-01-30 14:34 - 2014-01-30 14:34 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\Adobe
2014-01-30 14:34 - 2014-01-30 14:33 - 00000000 ____D C:\Users\Adminkonto\AppData\Local\VirtualStore
2014-01-30 14:34 - 2014-01-30 14:33 - 00000000 ____D C:\Users\Adminkonto
2014-01-30 14:33 - 2014-01-30 14:33 - 00000020 ___SH C:\Users\Adminkonto\ntuser.ini
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Vorlagen
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Startmenü
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Netzwerkumgebung
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Lokale Einstellungen
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Eigene Dateien
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Druckumgebung
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Documents\Eigene Musik
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Documents\Eigene Bilder
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\AppData\Local\Verlauf
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\AppData\Local\Anwendungsdaten
2014-01-30 14:33 - 2014-01-30 14:33 - 00000000 _SHDL C:\Users\Adminkonto\Anwendungsdaten
2014-01-30 14:18 - 2014-01-30 14:14 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(3).exe
2014-01-29 20:00 - 2010-12-01 20:42 - 00000478 _____ C:\Windows\Tasks\SyncBack Jan Eigene Dateien.job
2014-01-29 19:41 - 2014-01-29 19:41 - 00001427 _____ C:\Users\Standrechner\Desktop\JRT.txt
2014-01-29 19:36 - 2014-01-29 19:36 - 00000000 ____D C:\Windows\ERUNT
2014-01-29 19:32 - 2014-01-29 19:32 - 00001549 _____ C:\Users\Standrechner\Desktop\AdwCleaner[S0].txt
2014-01-29 19:29 - 2014-01-29 19:27 - 00000000 ____D C:\AdwCleaner
2014-01-29 19:25 - 2014-01-29 19:25 - 01037068 _____ (Thisisu) C:\Users\Standrechner\Downloads\JRT.exe
2014-01-29 19:24 - 2014-01-29 19:24 - 01166132 _____ C:\Users\Standrechner\Downloads\adwcleaner.exe
2014-01-29 18:22 - 2011-01-17 09:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-29 18:19 - 2014-01-29 18:18 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Standrechner\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-29 17:55 - 2014-01-29 17:48 - 00001078 _____ C:\Users\Public\Desktop\Secure Banking.lnk
2014-01-29 17:55 - 2014-01-29 17:48 - 00000000 ____D C:\Program Files (x86)\Secure Banking
2014-01-29 17:50 - 2014-01-29 17:50 - 00414150 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.2.rar
2014-01-29 17:47 - 2014-01-29 17:47 - 00399347 _____ C:\Users\Standrechner\Downloads\Secure Banking v1.5.1.rar
2014-01-29 17:47 - 2014-01-29 17:47 - 00000000 ____D C:\Users\Standrechner\Downloads\Secure Banking v1.5.1
2014-01-29 13:11 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2014-01-29 13:06 - 2013-10-12 10:16 - 00091840 _____ C:\Windows\PFRO.log
2014-01-29 12:32 - 2014-01-29 09:07 - 00417946 _____ C:\Users\Standrechner\Desktop\gmer.txt
2014-01-29 11:12 - 2013-02-27 08:48 - 00004118 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-01-29 11:12 - 2013-02-27 08:48 - 00003866 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-01-29 10:47 - 2014-01-29 10:47 - 00028172 _____ C:\Users\Standrechner\Downloads\Logfiles.zip
2014-01-29 10:46 - 2014-01-29 10:46 - 00001627 _____ C:\Users\Standrechner\Desktop\DivX Movies.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001131 _____ C:\Users\Public\Desktop\DivX Converter.lnk
2014-01-29 10:46 - 2014-01-29 10:46 - 00001066 _____ C:\Users\Public\Desktop\DivX Player.lnk
2014-01-29 10:46 - 2013-12-11 13:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2014-01-29 10:46 - 2012-03-25 23:46 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\DivX
2014-01-29 10:46 - 2012-03-25 23:45 - 00000000 ____D C:\Program Files\DivX
2014-01-29 10:46 - 2012-03-25 23:45 - 00000000 ____D C:\Program Files (x86)\DivX
2014-01-29 10:46 - 2012-03-25 23:38 - 00000000 ____D C:\ProgramData\DivX
2014-01-29 10:39 - 2014-01-29 10:39 - 00993600 _____ (DivX, LLC) C:\Users\Standrechner\Downloads\DivXInstaller(1).exe
2014-01-29 10:30 - 2014-01-29 10:30 - 00091274 _____ C:\Users\Standrechner\Desktop\Fehlermeldungen Popups.zip
2014-01-29 10:22 - 2014-01-29 10:22 - 00028172 _____ C:\Users\Standrechner\Desktop\Logfiles.zip
2014-01-29 09:57 - 2014-01-29 09:57 - 00222967 _____ C:\Users\Standrechner\Desktop\Fehlermeldung.psd
2014-01-29 09:53 - 2011-03-24 09:36 - 00000000 ____D C:\Users\Standrechner\Documents\Anne
2014-01-29 09:20 - 2014-01-29 09:20 - 00080184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2014-01-29 09:20 - 2013-08-12 11:04 - 00207904 _____ C:\Windows\system32\Drivers\aswVmm.sys
2014-01-29 09:20 - 2012-07-13 19:18 - 00003926 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2014-01-29 09:20 - 2011-06-29 09:25 - 01038072 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2014-01-29 09:20 - 2011-01-23 14:50 - 00334136 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-01-29 09:20 - 2010-11-23 11:56 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2014-01-29 09:20 - 2010-11-23 11:56 - 00001977 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-01-29 09:20 - 2010-11-23 11:55 - 00078648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2014-01-29 09:20 - 2010-11-23 11:55 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-01-29 09:06 - 2014-01-29 09:06 - 00564701 _____ C:\Users\Standrechner\Documents\gmer.txt
2014-01-29 08:44 - 2014-01-29 08:44 - 00054632 _____ C:\Users\Standrechner\Desktop\Addition.txt
2014-01-29 08:44 - 2014-01-29 08:39 - 00029410 _____ C:\Users\Standrechner\Desktop\FRST.txt
2014-01-29 08:44 - 2014-01-29 08:38 - 00054632 _____ C:\Users\Standrechner\Downloads\Addition.txt
2014-01-29 08:36 - 2014-01-29 08:35 - 02079744 _____ (Farbar) C:\Users\Standrechner\Downloads\FRST64.exe
2014-01-29 08:35 - 2014-01-29 08:35 - 00000486 _____ C:\Users\Standrechner\Downloads\defogger_disable.log
2014-01-29 08:35 - 2014-01-29 08:35 - 00000000 _____ C:\Users\Standrechner\defogger_reenable
2014-01-29 08:35 - 2010-11-23 11:37 - 00000000 ____D C:\Users\Standrechner
2014-01-29 08:34 - 2014-01-29 08:34 - 00050477 _____ C:\Users\Standrechner\Downloads\Defogger.exe
2014-01-28 08:29 - 2010-11-23 13:15 - 00000000 ____D C:\ProgramData\BTrieve
2014-01-27 17:39 - 2014-01-27 17:35 - 148904784 _____ (Apple Inc.) C:\Users\Standrechner\Downloads\iTunes64Setup(1).exe
2014-01-25 21:50 - 2011-01-10 11:32 - 00000000 ____D C:\ProgramData\Apple
2014-01-23 14:57 - 2010-11-23 13:14 - 00000000 ____D C:\Users\Standrechner\AppData\Local\Adobe
2014-01-23 14:36 - 2012-04-02 06:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-23 14:36 - 2012-04-02 06:58 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-23 14:36 - 2011-05-31 20:14 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-21 21:56 - 2014-01-21 21:56 - 00380416 _____ C:\Users\Standrechner\Downloads\gmer.exe
2014-01-21 16:17 - 2014-01-21 16:14 - 54676293 _____ C:\Users\Standrechner\Downloads\PIKO-Update_v04.11_(incl.Microsoft.NET_v4).zip
2014-01-21 14:26 - 2014-01-21 14:26 - 00001553 _____ C:\Users\Standrechner\AppData\Local\recently-used.xbel
2014-01-21 14:17 - 2013-07-05 08:36 - 00000000 ____D C:\Program Files (x86)\Gnumeric
2014-01-21 14:16 - 2014-01-21 14:15 - 21079125 _____ C:\Users\Standrechner\Downloads\gnumeric-1.12.9-20131128.exe
2014-01-21 14:14 - 2014-01-21 14:14 - 00401744 _____ (Softonic                                        ) C:\Users\Standrechner\Downloads\SoftonicDownloader_fuer_gnumeric.exe
2014-01-15 10:55 - 2011-01-14 19:00 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\Winamp
2014-01-15 10:10 - 2009-07-14 05:45 - 02349448 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 09:40 - 2013-08-14 21:20 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 09:38 - 2010-11-23 11:43 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-10 15:19 - 2010-11-11 15:22 - 00000000 ____D C:\Users\Standrechner\Documents\Lexware F A Daten
2014-01-10 14:01 - 2011-03-13 09:56 - 00000000 ____D C:\Program Files\Common Files\Apple
2014-01-10 14:01 - 2011-01-10 11:34 - 00000000 ____D C:\Users\Standrechner\AppData\Roaming\Apple Computer
2014-01-03 13:52 - 2011-01-10 11:03 - 00000000 ____D C:\ProgramData\FLEXnet

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-20 20:03

==================== End Of Log ============================
         
--- --- ---

Edited by Janne1 (31.01.2014 at 08:36)

01.02.2014, 10:05   #12
schrauber
/// the machine
/// TB-Ausbilder

You did see the line that gets flagged as a rootkit, though?
That's Avast.


Done

If you'd like to leave praise or criticism, you can do so here


The order matters here.
  1. If Defogger was used: start Defogger again and click re-enable.
  2. If Combofix was used: (alternatively rename it to uninstall.exe and run it)
    • Windows key + R > Combofix /Uninstall (type it in) > OK
    • Alternative: rename Combofix.exe to uninstall.exe and run it
    • Combofix will now start, possibly update itself, and then remove all traces of itself.
  3. In any case, please download DelFix (Download DelFix) to your desktop:
    • Close all open programs.
    • Start delfix.exe with a double-click.
    • Tick the checkbox in front of every function.
    • Click Start.
    • Note: among other things, DelFix removes all the programs that were used, the quarantine of our scanners and the Java cache, and finally deletes itself.
    • Finally, restart your computer.
  4. If any programs from our cleanup are still left, you can safely delete them.


Here are a few more tips for securing your system.


I can't stress often enough how important it is that your system is up to date.
  • Please check whether your system downloads Windows updates automatically
  • Windows Updates
    • Windows XP: Start --> Control Panel --> double-click Automatic Updates
    • Windows Vista / 7: Start --> Control Panel --> System and Security --> Turn automatic updating on or off
  • Make sure that automatic updates are enabled.
  • Software updates
    Installed software can also have security holes that malware can use to infect your system.
    To keep your installed software up to date, I recommend Secunia Online Software.


Antivirus software
  • Make sure you always have antivirus software installed and that it is up to date. It is useless if it is out of date.


Additional protection
  • MalwareBytes Anti Malware
    This is one of the best anti-malware tools on the market. It is an on-demand scan tool that detects and also removes a lot of current malware.
    Update the tool and run it once a week. The paid version also offers a background guard.
    A tutorial on how to use it can be found here.
  • WinPatrol
    This software takes a snapshot of your system and warns you of any changes. Download the freeware version from here.


Safe browsing
  • SpywareBlaster
    A short introduction can be found here
  • MVPs hosts file
    A tutorial can be found here. Unfortunately I haven't found a German-language one yet.
  • WOT (Web of Trust)
    This add-on warns you before you visit a site that has been reported as malicious.


Alternative browsers

Other browsers tend to be somewhat more secure than IE, since they don't use ActiveX elements. These can be abused by spyware to infect your system.
  • Opera
  • Mozilla Firefox.
    • Note: For this browser I have a few useful add-ons here
    • NoScript
      This add-on blocks JavaScript, Java, Flash and other plugins. They are only run when you confirm it.
    • AdblockPlus
      This add-on blocks most advertising by itself. A right-click on a banner to add it to AdBlockPlus is enough and it will no longer be loaded.
      It also saves download capacity.

Performance
Clean up your temp files regularly. I recommend TFC for this
Stay away from any registry cleaners.
They do your system more harm than good. Here are a few (English) links
Miekemoes Blogspot ( MVP )
Bill Castner ( MVP )



Don'ts
  • Don't click on everything just because it asks you to and is nice and colourful.
  • Don't use any peer-to-peer or file-sharing software (Emule, uTorrent, ..)
  • Keep your hands off cracks, keygens, serials or other illegal software.
  • Don't open attachments from emails you don't know. Pay particular attention to the file extension, e.g. deinFoto.jpg.exe
All that's left for me is to wish you lots of fun surfing safely.

Note: Please give me a short reply when everything is done and there are no more questions, so that I can delete this thread from my subscriptions.
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009
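As an added example (not code from the thread, from FRST or from Trojaner-Board), here is a small Python triage helper for the FRST "One Month Created/Modified Files and Folders" listing posted above. It parses each listing line into its two timestamps, size, attribute flags, publisher and path, and flags the entries a log reviewer looks at first: executables without a publisher in user-writable locations, hidden or system-flagged executables, kernel drivers without a publisher, and the double-extension pattern (deinFoto.jpg.exe) from the Don'ts list. Every path, file name and publisher string in the sample listing is constructed, and the heuristics are the example's own, not FRST's.

```python
"""Triage helper for the FRST 'One Month Created/Modified Files and Folders'
listing. Added example, not part of the thread and not FRST's own code; the
sample lines below are constructed in the posted log's format, not copied."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One listing line: <ts1> - <ts2> - <size> <attrs> [(<publisher>)] <path>
# FRST prints the publisher only when the file carries version info; the
# field is absent otherwise, which is what the triage below keys on.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".pif",
            ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Extensions commonly used as decoys in front of the real executable extension.
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".zip"}
# Path fragments where a normal user account can write files.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Entry:
    ts1: str
    ts2: str
    size: int
    attrs: str
    company: str  # "" when FRST printed no publisher
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def extensions(self) -> List[str]:
        name = self.path.rsplit("\\", 1)[-1].lower()
        return ["." + part for part in name.split(".")[1:]]


@dataclass
class Finding:
    path: str
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(ts1=m["ts1"], ts2=m["ts2"], size=int(m["size"]),
                 attrs=m["attrs"], company=(m["company"] or "").strip(),
                 path=m["path"])


def parse_listing(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries a reviewer should hash and look up first. A hit is a
    starting point, not a verdict: unsigned but legitimate tools (portable
    scanners, for instance) trigger the publisher check as well."""
    findings: List[Finding] = []
    for e in entries:
        if e.is_dir:
            continue
        exts = e.extensions
        last = exts[-1] if exts else ""
        lower = e.path.lower()
        if len(exts) >= 2 and last in EXEC_EXT and exts[-2] in DECOY_EXT:
            findings.append(Finding(e.path, "double extension hides executable"))
        if last in EXEC_EXT and not e.company and any(t in lower for t in USER_WRITABLE):
            findings.append(Finding(e.path, "executable without publisher in user-writable path"))
        if last in EXEC_EXT and ("H" in e.attrs or "S" in e.attrs):
            findings.append(Finding(e.path, "executable with hidden/system attribute"))
        if last == ".sys" and "\\drivers\\" in lower and not e.company:
            findings.append(Finding(e.path, "kernel driver without publisher"))
    return findings


# Constructed sample listing in the FRST format (not taken from the thread).
SAMPLE_LISTING = r"""
==================== One Month Created Files and Folders ========

2014-01-29 19:24 - 2014-01-29 19:24 - 01166132 _____ C:\Users\Example\Downloads\tool.exe
2014-01-29 18:18 - 2014-01-29 18:19 - 10285040 _____ (Example Vendor                 ) C:\Users\Example\Downloads\vendor-setup.exe
2014-01-29 17:48 - 2014-01-29 17:55 - 00000000 ____D C:\Program Files (x86)\Example App
2014-01-28 12:00 - 2014-01-28 12:00 - 00048128 ___SH C:\Users\Example\AppData\Roaming\Urlaub.jpg.exe
2014-01-15 08:03 - 2013-11-27 02:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 08:03 - 2014-01-15 08:03 - 00020480 _____ C:\Windows\system32\Drivers\unknown.sys
"""

if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{f.reason:55s} {f.path}")
```

Run it on a saved FRST.txt by passing the file's contents to parse_listing; directories are skipped because the attribute column carries a D for them, and the publisher check deliberately fires on unsigned tools such as the ones downloaded during a cleanup, so a hit means "verify this", not "this is malware".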

03.02.2014, 14:54   #13
Janne1

OK, thank you very much,

please remove this from the watch list

04.02.2014, 09:57   #14
schrauber
/// the machine
/// TB-Ausbilder

You're welcome
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009
