Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung

Log-Analyse und Auswertung: Umleitung zu fake java-update

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML

Antwort
Alt 14.04.2014, 19:28   #1
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Hallo,

ich habe das gleiche Problem wie bereits hier beschrieben:
http://www.trojaner-board.de/150274-...va-update.html
Wenn ich manche Seiten im Browser (Firefox) öffne, werde ich zu einer falschen Java Update Seite umgeleitet.
Vielen Dank für Hilfe!

Anbei defogger_disable.log, FRST.txt und gmer.log

Alt 15.04.2014, 09:23   #2
schrauber
/// the machine
/// TB-Ausbilder
 

Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Hi,

Logs bitte immer in den Thread posten. Zur Not aufteilen und mehrere Posts nutzen.
Ich kann auf Arbeit keine Anhänge öffnen, danke.

So funktioniert es:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
  • Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
  • Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
  • Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
  • Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.
__________________

__________________

Alt 15.04.2014, 09:31   #3
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Guten Morgen,

es kam die Meldung:

Der Text, den Sie eingegeben haben, besteht aus 203401 Zeichen und ist damit zu lang. Bitte kürzen Sie den Text auf die maximale Länge von 120000 Zeichen.
Logs bitte als Archiv an den Beitrag anhängen!

Die gmer.log war dann zu groß für das Format, drum musste ich es in ne zip packen.


Aber ich kann es natürlich in mehrere posts splitten:

defogger_disable.log

Code:
ATTFilter
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:54 on 14/04/2014 (Tobselo)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         


FRST Logfile:
Code:
ATTFilter
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01
Ran by Tobselo (administrator) on TOBSELO-PC on 14-04-2014 19:56:57
Running from C:\Users\Tobselo\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal


==================== Processes (Whitelisted) =================

(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
() E:\Tobit Radio.fx\Server\rfx-server.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe
(PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe
(Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe
(Tobit.Software) E:\Tobit Radio.fx\Client\rfx-tray.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Dropbox, Inc.) C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(AppWork GmbH) C:\Program Files (x86)\JDownloader 2\JDownloader 2.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [159232 2009-09-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [380928 2009-09-02] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [358912 2009-09-02] (Intel Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PrivDogService] => C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe [525480 2013-11-15] (AdTrustMedia)
HKLM-x32\...\Run: [ComodoFSFirefox] => "C:\Program Files (x86)\AdTrustMedia\PrivDog\FinalizeSetup.exe" /f
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [224128 2014-03-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)
HKU\S-1-5-20\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-21] (Microsoft Corporation)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [BatteryMon] => C:\Program Files (x86)\BatteryMon\BatteryMon.exe [1344960 2012-06-15] (PassMark (R) Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [1106288 2013-05-23] (Samsung)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1561968 2013-05-23] (Samsung)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [rfxsrvtray] => E:\Tobit Radio.fx\Client\rfx-tray.exe [1838872 2013-02-07] (Tobit.Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
Startup: C:\Users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCC1D71950A2FCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: PrivDog Extension - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll No File
BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: PrivDog Extension - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll No File
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.com
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - C:\Program Files (x86)\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FireShot - C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba} [2014-03-14]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-13]

==================== Services (Whitelisted) =================

R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] ()

==================== Drivers (Whitelisted) ====================

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-03-25] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-03-25] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-03-25] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-03-25] (COMODO)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-14 19:56 - 2014-04-14 19:56 - 00012799 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:36 - 2014-04-14 19:56 - 00000000 ____D () C:\FRST
2014-04-14 19:33 - 2014-04-14 19:34 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:06 - 2014-04-13 21:07 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-11 12:16 - 2014-03-31 03:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-11 12:16 - 2014-03-31 03:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-11 12:16 - 2014-03-31 02:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-11 12:16 - 2014-03-31 01:57 - 17073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-11 12:15 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-11 12:15 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-11 12:15 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-11 12:15 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-11 12:15 - 2014-02-04 04:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-11 12:15 - 2014-02-04 04:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-11 12:15 - 2014-02-04 04:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-11 12:15 - 2014-01-24 04:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 12:30 - 2014-03-25 12:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 00:43 - 2014-03-23 22:48 - 00000000 ____D () C:\AdwCleaner
2014-03-23 00:41 - 2014-03-23 00:42 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-23 22:54 - 00000000 ____D () C:\Program Files (x86)\MediaWatchV1
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-18 22:47 - 2014-03-18 23:30 - 00540372 _____ () C:\Users\Tobselo\Documents\Ausgaben Budapest.xlsx
2014-03-17 22:31 - 2014-03-17 22:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Bewerbung

==================== One Month Modified Files and Folders =======

2014-04-14 19:57 - 2014-04-14 19:56 - 00012799 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:56 - 2014-04-14 19:36 - 00000000 ____D () C:\FRST
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:54 - 2013-03-31 19:54 - 00000000 ____D () C:\Users\Tobselo
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:50 - 2013-04-01 21:32 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Skype
2014-04-14 19:49 - 2013-04-01 21:05 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat
2014-04-14 19:41 - 2013-03-31 19:54 - 01942388 _____ () C:\Windows\WindowsUpdate.log
2014-04-14 19:34 - 2014-04-14 19:33 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-14 19:11 - 2013-04-01 21:27 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2
2014-04-14 17:12 - 2013-04-03 21:40 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\vlc
2014-04-14 17:07 - 2011-04-12 09:43 - 00699682 _____ () C:\Windows\system32\perfh007.dat
2014-04-14 17:07 - 2011-04-12 09:43 - 00149790 _____ () C:\Windows\system32\perfc007.dat
2014-04-14 17:07 - 2009-07-14 07:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-13 23:02 - 2013-04-20 14:58 - 00000266 _____ () C:\Windows\Tasks\AutoKMS.job
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:07 - 2014-04-13 21:06 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-13 20:42 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-13 20:42 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-13 20:40 - 2013-04-03 23:10 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Dropbox
2014-04-13 20:35 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-13 20:35 - 2009-07-14 06:51 - 00068936 _____ () C:\Windows\setupact.log
2014-04-13 20:34 - 2013-04-01 20:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-13 20:33 - 2014-03-12 21:30 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\TV-Browser
2014-04-13 20:30 - 2013-04-20 14:47 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-13 20:28 - 2013-08-02 00:17 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-13 20:24 - 2013-04-04 00:01 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-04-13 18:49 - 2013-08-28 21:52 - 00013092 _____ () C:\Users\Tobselo\Documents\Stromzähler.xlsx
2014-04-09 21:55 - 2013-11-12 23:29 - 00000000 ____D () C:\ProgramData\Adtrustmedia
2014-04-09 21:54 - 2013-12-03 21:58 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\AdTrustMedia
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-02 22:55 - 2013-04-01 21:32 - 00000000 ____D () C:\ProgramData\Skype
2014-04-02 22:50 - 2013-04-01 22:04 - 00054108 _____ () C:\Windows\system32\Drivers\fvstore.dat
2014-04-02 22:32 - 2013-04-01 21:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-02 22:31 - 2013-04-01 21:05 - 00001838 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk
2014-03-31 03:16 - 2014-04-11 12:16 - 23134208 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-31 03:13 - 2014-04-11 12:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-31 02:13 - 2014-04-11 12:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-31 01:57 - 2014-04-11 12:16 - 17073152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 21:22 - 2013-01-24 22:43 - 00453680 _____ (COMODO) C:\Windows\system32\guard64.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00363504 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00043216 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2014-03-25 21:22 - 2013-01-16 19:51 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2014-03-25 12:32 - 2014-03-25 12:30 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 22:54 - 2014-03-22 18:56 - 00000000 ____D () C:\Program Files (x86)\MediaWatchV1
2014-03-23 22:48 - 2014-03-23 00:43 - 00000000 ____D () C:\AdwCleaner
2014-03-23 14:19 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-03-23 00:42 - 2014-03-23 00:41 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2014-03-18 23:30 - 2014-03-18 22:47 - 00540372 _____ () C:\Users\Tobselo\Documents\Ausgaben Budapest.xlsx
2014-03-17 22:32 - 2014-03-17 22:31 - 00000000 ____D () C:\Users\Tobselo\Documents\Bewerbung

Some content of TEMP:
====================
C:\Users\Tobselo\AppData\Local\Temp\htmlayout.dll
C:\Users\Tobselo\AppData\Local\Temp\nsy362F.exe
C:\Users\Tobselo\AppData\Local\Temp\set-app.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-11 13:36

==================== End Of Log ============================
         
--- --- ---
__________________

Geändert von Tobselo (15.04.2014 um 09:38 Uhr)

Alt 15.04.2014, 09:36   #4
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



gmer.log Teil I
Code:
ATTFilter
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-04-14 20:16:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_Series rev.DXT06B0Q 232,89GB
Running: Gmer-19357.exe; Driver: C:\Users\Tobselo\AppData\Local\Temp\uwtirfoc.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                  00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                       00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                            0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                    00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                       00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                               0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                             00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                  0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                             00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                     0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                    0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                              0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                  00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                         0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                        00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                              0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                          0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                                       00000000773a98e0 6 bytes {JMP QWORD [RIP+0x8cf6750]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                                             00000000773c0650 6 bytes {JMP QWORD [RIP+0x8c9f9e0]}
.text    C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                                             000000007743acf0 6 bytes {JMP QWORD [RIP+0x8c45340]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                     00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                          00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                               0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                       00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                    0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                          00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                  0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                   0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                     0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                                00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                        0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                    0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                       0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                 0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                     00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                            0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                           00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                 0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                             0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                   00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                        00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                             0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                     00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                  0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                        00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                              00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                   0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                              00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                      0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                  0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                     0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                               0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                   00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                          0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                         00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                               0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\svchost.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                           0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                   00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                        00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                             0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                     00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                  0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                        00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                              00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                   0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                              00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                      0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                  0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                     0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                               0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                   00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                          0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                         00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                               0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                           0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                          0000000077511430 8 bytes JMP 000000016fff00d8
.text    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                     0000000077511800 8 bytes JMP 000000016fff0110
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                   00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                        00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                             0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                     00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                  0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                        00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                              00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                   0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                              00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                      0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                  0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                     0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                               0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                   00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                          0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                         00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                               0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                           0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                      000007fefd549055 3 bytes CALL 9000027
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                                              000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A]
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                                                        000007fefec9a6f0 6 bytes {JMP QWORD [RIP+0x365940]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW                                                                                                     000007fefecc0c10 6 bytes {JMP QWORD [RIP+0x35f420]}
.text    C:\Windows\system32\svchost.exe[960] C:\Windows\system32\SspiCli.dll!EncryptMessage                                                                                                               0000000000dc50a0 6 bytes {JMP QWORD [RIP+0x3aaf90]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                  00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                       00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                            0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                    00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                       00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                               0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                             00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                  0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                             00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                     0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                    0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                              0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                  00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                         0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                        00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                              0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                          0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                   00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                        00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                             0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                     00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                  0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                        00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                              00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                   0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                              00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                      0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                  0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                     0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                               0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                   00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                          0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                         00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                               0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                           0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                                        00000000773a98e0 6 bytes JMP 98bc271
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                                              00000000773c0650 6 bytes JMP 8c9f5c8
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                                              000000007743acf0 6 bytes JMP 9a324d8
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                      000007fefd549055 3 bytes [B5, 6F, 06]
.text    C:\Windows\System32\svchost.exe[348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                                              000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A]
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                   00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                        00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                             0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                     00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                  0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                        00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                              00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                   0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                              00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                      0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                  0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                     0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                               0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                   00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                          0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                         00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                               0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                           0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                      000007fefd549055 3 bytes [B5, 6F, 06]
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                                              000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A]
.text    C:\Windows\system32\svchost.exe[364] C:\Windows\system32\SSPICLI.DLL!EncryptMessage                                                                                                               0000000000e550a0 6 bytes JMP 0
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                   00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                        00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                             0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                     00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                  0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                        00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                 0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                              00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                   0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                              00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                      0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                  0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                     0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                               0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                   00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                          0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                         00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                               0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                           0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                                        00000000773a98e0 6 bytes {JMP QWORD [RIP+0x8cf6750]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                                              00000000773c0650 6 bytes {JMP QWORD [RIP+0x8c9f9e0]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                                              000000007743acf0 6 bytes {JMP QWORD [RIP+0x8c45340]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                      000007fefd549055 3 bytes CALL 9000027
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                                              000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A]
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                                                         000007fefeef4750 6 bytes {JMP QWORD [RIP+0x14b8e0]}
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                                                        000007fefec9a6f0 6 bytes JMP 2
.text    C:\Windows\system32\svchost.exe[904] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW                                                                                                     000007fefecc0c10 6 bytes JMP 0
.text    C:\Windows\system32\svchost.exe[904] c:\windows\system32\SspiCli.dll!EncryptMessage                                                                                                               0000000000e350a0 6 bytes JMP fcaa5450
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                  00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                       00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                            0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                    00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                       00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                               0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                             00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                  0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                             00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                     0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                    0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                              0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                  00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                         0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                        00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                              0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                          0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWindowLongW                                                                                                       00000000753f8332 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                                                                   00000000753f8bff 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                                                                00000000753f90d3 6 bytes {JMP QWORD [RIP+0x7108001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                         00000000753f9679 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                                                                  00000000753f97d2 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                                      00000000753fee09 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                                                                       00000000753fefc9 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4                                                                                                   00000000753fefcd 2 bytes [0E, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                         00000000754012a5 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                                                          000000007540291f 6 bytes {JMP QWORD [RIP+0x7126001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetParent                                                                                                            0000000075402d64 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetParent + 4                                                                                                        0000000075402d68 2 bytes [1D, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!EnableWindow                                                                                                         0000000075402da4 6 bytes {JMP QWORD [RIP+0x7105001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                                                           0000000075403698 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!MoveWindow + 4                                                                                                       000000007540369c 2 bytes [1A, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                         0000000075403baa 6 bytes JMP 7157000a
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                                                                   0000000075403c61 6 bytes JMP 7151000a
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWindowLongA                                                                                                       0000000075406110 6 bytes JMP 715d000a
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                         000000007540612e 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                                                                0000000075406c30 6 bytes {JMP QWORD [RIP+0x710b001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                    0000000075407603 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                                                                   0000000075407668 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                                                                 00000000754076e0 6 bytes {JMP QWORD [RIP+0x713b001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                                                                  000000007540781f 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                                    000000007540835c 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                                                                   000000007540c4b6 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4                                                                                               000000007540c4ba 2 bytes [17, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                                                                  000000007541c112 6 bytes {JMP QWORD [RIP+0x7132001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                                                                  000000007541d0f5 6 bytes {JMP QWORD [RIP+0x712f001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                                                                     000000007541eb96 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                                                                     000000007541ec68 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4                                                                                                 000000007541ec6c 2 bytes [29, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                            000000007541ff4a 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                        000000007541ff4e 2 bytes [2C, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                                                                     0000000075439f1d 6 bytes {JMP QWORD [RIP+0x7111001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                                                                        0000000075441497 6 bytes {JMP QWORD [RIP+0x7102001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                          000000007545027b 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                          00000000754502bf 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                                                                 0000000075456cfc 6 bytes {JMP QWORD [RIP+0x713e001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                                                                   0000000075456d5d 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!BlockInput                                                                                                           0000000075457dd7 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!BlockInput + 4                                                                                                       0000000075457ddb 2 bytes [14, 71]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                                                              00000000754588eb 3 bytes [FF, 25, 1E]
.text    E:\Tobit Radio.fx\Server\rfx-server.exe[1668] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4                                                                                          00000000754588ef 2 bytes [20, 71]
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                            00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                 00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                      0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                              00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                           0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                 00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                         0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                          0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                       00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                            0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                       00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                               0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                           0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                              0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                        0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                            00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                   0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                  00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                        0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\SearchIndexer.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                    0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                          00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                               00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                                    0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                            00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                         0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                               00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                                       0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                        0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                                     00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                          0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                                     00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                             0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                         0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                            0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                                      0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                          00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                                 0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                                00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                                      0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                                  0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                                               00000000773a98e0 6 bytes {JMP QWORD [RIP+0x8cf6750]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                                                     00000000773c0650 6 bytes {JMP QWORD [RIP+0x8c9f9e0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                                                     000000007743acf0 6 bytes {JMP QWORD [RIP+0x8c45340]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                             000007fefd549055 3 bytes [B5, 6F, 06]
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                                                     000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0C]
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                                                              000007fefee422d0 6 bytes JMP fb169340
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                                                000007fefee424b8 6 bytes JMP 0
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                                               000007fefee45be0 6 bytes {JMP QWORD [RIP+0x59a450]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                                                             000007fefee48384 6 bytes {JMP QWORD [RIP+0x427cac]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                                                             000007fefee489c4 6 bytes {JMP QWORD [RIP+0x40766c]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!GetPixel                                                                                                                              000007fefee4933c 6 bytes {JMP QWORD [RIP+0x536cf4]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                                                            000007fefee4b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                                                000007fefee4c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!RegisterRawInputDevices                                                                                                              00000000772a6ef0 6 bytes {JMP QWORD [RIP+0x9139140]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SystemParametersInfoA                                                                                                                00000000772a8184 6 bytes {JMP QWORD [RIP+0x9217eac]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetParent                                                                                                                            00000000772a8530 6 bytes {JMP QWORD [RIP+0x9157b00]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetWindowLongA                                                                                                                       00000000772a9bcc 6 bytes {JMP QWORD [RIP+0x8eb6464]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!PostMessageA                                                                                                                         00000000772aa404 6 bytes {JMP QWORD [RIP+0x8ef5c2c]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!EnableWindow                                                                                                                         00000000772aaaa0 6 bytes {JMP QWORD [RIP+0x9255590]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!MoveWindow                                                                                                                           00000000772aaad0 6 bytes {JMP QWORD [RIP+0x9175560]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!GetAsyncKeyState                                                                                                                     00000000772ac720 6 bytes {JMP QWORD [RIP+0x9113910]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!RegisterHotKey                                                                                                                       00000000772acd50 6 bytes {JMP QWORD [RIP+0x91f32e0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!PostThreadMessageA                                                                                                                   00000000772ad2b0 6 bytes {JMP QWORD [RIP+0x8f32d80]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendMessageA                                                                                                                         00000000772ad338 6 bytes {JMP QWORD [RIP+0x8f72cf8]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendNotifyMessageW                                                                                                                   00000000772adc40 6 bytes {JMP QWORD [RIP+0x90523f0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SystemParametersInfoW                                                                                                                00000000772af510 6 bytes {JMP QWORD [RIP+0x9230b20]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                                                                    00000000772af874 6 bytes {JMP QWORD [RIP+0x8e707bc]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendMessageTimeoutW                                                                                                                  00000000772afac0 6 bytes {JMP QWORD [RIP+0x8fd0570]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!PostThreadMessageW                                                                                                                   00000000772b0b74 6 bytes {JMP QWORD [RIP+0x8f4f4bc]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetWindowLongW                                                                                                                       00000000772b33b0 6 bytes {JMP QWORD [RIP+0x8eccc80]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetWinEventHook + 1                                                                                                                  00000000772b4d4d 5 bytes {JMP QWORD [RIP+0x8e8b2e4]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!GetKeyState                                                                                                                          00000000772b5010 6 bytes {JMP QWORD [RIP+0x90eb020]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendMessageCallbackW                                                                                                                 00000000772b5438 6 bytes {JMP QWORD [RIP+0x900abf8]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendMessageW                                                                                                                         00000000772b6b50 6 bytes {JMP QWORD [RIP+0x8f894e0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!PostMessageW                                                                                                                         00000000772b76e4 6 bytes {JMP QWORD [RIP+0x8f0894c]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendDlgItemMessageW                                                                                                                  00000000772bdd90 4 bytes [FF, 25, A0, 22]
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendDlgItemMessageW + 5                                                                                                              00000000772bdd95 1 byte [09]
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!GetClipboardData                                                                                                                     00000000772be874 6 bytes {JMP QWORD [RIP+0x91c17bc]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetClipboardViewer                                                                                                                   00000000772bf780 6 bytes {JMP QWORD [RIP+0x91808b0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendNotifyMessageA                                                                                                                   00000000772c28e4 6 bytes {JMP QWORD [RIP+0x901d74c]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!mouse_event                                                                                                                          00000000772c3894 6 bytes {JMP QWORD [RIP+0x8e1c79c]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!GetKeyboardState                                                                                                                     00000000772c8a10 6 bytes {JMP QWORD [RIP+0x90b7620]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendMessageTimeoutA                                                                                                                  00000000772c8be0 6 bytes {JMP QWORD [RIP+0x8f97450]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                                                                                    00000000772c8c20 6 bytes {JMP QWORD [RIP+0x8e37410]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendInput                                                                                                                            00000000772c8cd0 6 bytes {JMP QWORD [RIP+0x9097360]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!BlockInput                                                                                                                           00000000772cad60 6 bytes {JMP QWORD [RIP+0x91952d0]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!ExitWindowsEx                                                                                                                        00000000772f14e0 6 bytes {JMP QWORD [RIP+0x922eb50]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!keybd_event                                                                                                                          00000000773145a4 6 bytes {JMP QWORD [RIP+0x8daba8c]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendDlgItemMessageA                                                                                                                  000000007731cc08 6 bytes {JMP QWORD [RIP+0x9003428]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\USER32.dll!SendMessageCallbackA                                                                                                                 000000007731df18 6 bytes {JMP QWORD [RIP+0x8f82118]}
.text    C:\Windows\Explorer.EXE[3588] C:\Windows\system32\SSPICLI.DLL!EncryptMessage                                                                                                                      000007fefd0f50a0 6 bytes {JMP QWORD [RIP+0x8af90]}
.text    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                         00000000773a98e0 6 bytes {JMP QWORD [RIP+0x8cf6750]}
.text    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3700] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                               00000000773c0650 6 bytes {JMP QWORD [RIP+0x8c9f9e0]}
.text    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3700] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                               000000007743acf0 6 bytes {JMP QWORD [RIP+0x8c45340]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                                                     000007fefee422d0 6 bytes {JMP QWORD [RIP+0x55dd60]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                                       000007fefee424b8 6 bytes {JMP QWORD [RIP+0x57db78]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                                      000007fefee45be0 6 bytes {JMP QWORD [RIP+0x59a450]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                                                    000007fefee48384 6 bytes {JMP QWORD [RIP+0x427cac]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                                                    000007fefee489c4 6 bytes {JMP QWORD [RIP+0x40766c]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!GetPixel                                                                                                                     000007fefee4933c 6 bytes {JMP QWORD [RIP+0x536cf4]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                                                   000007fefee4b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]}
.text    C:\Windows\system32\igfxsrvc.exe[3932] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                                       000007fefee4c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]}
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                          00000000776bf9e0 3 bytes JMP 71af000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4                                                                                                      00000000776bf9e4 2 bytes JMP 71af000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                               00000000776bfcb0 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4                                                                                           00000000776bfcb4 2 bytes [F6, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                       00000000776bfd64 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                   00000000776bfd68 2 bytes [E1, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                                                    00000000776bfdc8 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4                                                                                                00000000776bfdcc 2 bytes [E7, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                                                          00000000776bfec0 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4                                                                                      00000000776bfec4 2 bytes [DE, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                                                  00000000776bffa4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4                                                                                              00000000776bffa8 2 bytes [EA, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                                   00000000776c0004 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4                                                                                               00000000776c0008 2 bytes [02, 71]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                                00000000776c0084 3 bytes JMP 7100000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4                                                                                            00000000776c0088 2 bytes JMP 7100000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                     00000000776c00b4 3 bytes JMP 70e5000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                 00000000776c00b8 2 bytes JMP 70e5000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                                                00000000776c03b8 3 bytes JMP 70d3000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4                                                                                            00000000776c03bc 2 bytes JMP 70d3000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                        00000000776c0550 3 bytes JMP 7106000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4                                                                                    00000000776c0554 2 bytes JMP 7106000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                                                    00000000776c0694 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4                                                                                                00000000776c0698 2 bytes [F3, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                                       00000000776c088c 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4                                                                                   00000000776c0890 2 bytes [DB, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                                 00000000776c08a4 3 bytes JMP 70d6000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4                                                                                             00000000776c08a8 2 bytes JMP 70d6000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                     00000000776c0df4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4                                                                                                 00000000776c0df8 2 bytes [F0, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                                            00000000776c0ed8 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4                                                                                        00000000776c0edc 2 bytes [D8, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                           00000000776c1be4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4                                                                                       00000000776c1be8 2 bytes [ED, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                                                 00000000776c1cb4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4                                                                                             00000000776c1cb8 2 bytes [FC, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                                             00000000776c1d8c 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4                                                                                         00000000776c1d90 2 bytes [F9, 70]
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                                     00000000776e1287 6 bytes JMP 71a8000a
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW                                                                                                0000000076de103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA                                                                                                0000000076de1072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW                                                                                          0000000076e0c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]}
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                                                000000007725f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text    C:\Program Files (x86)\Samsung\Kies\Kies.exe[1984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                        0000000077262c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text    C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                      000000007725f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text    C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                              0000000077262c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                               00000000776bf9e0 3 bytes JMP 71af000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4                                                                                           00000000776bf9e4 2 bytes JMP 71af000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                    00000000776bfcb0 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4                                                                                00000000776bfcb4 2 bytes [F6, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                            00000000776bfd64 3 bytes JMP 70e2000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                        00000000776bfd68 2 bytes JMP 70e2000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                                         00000000776bfdc8 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4                                                                                     00000000776bfdcc 2 bytes [E7, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                                               00000000776bfec0 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4                                                                           00000000776bfec4 2 bytes [DE, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                                       00000000776bffa4 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4                                                                                   00000000776bffa8 2 bytes [EA, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                        00000000776c0004 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4                                                                                    00000000776c0008 2 bytes [02, 71]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                     00000000776c0084 3 bytes JMP 7100000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4                                                                                 00000000776c0088 2 bytes
         

Alt 15.04.2014, 09:36   #5
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



gmer.log Teil II

Code:
ATTFilter
JMP 7100000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                          00000000776c00b4 3 bytes JMP 70e5000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                      00000000776c00b8 2 bytes JMP 70e5000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                                     00000000776c03b8 3 bytes JMP 70d3000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4                                                                                 00000000776c03bc 2 bytes JMP 70d3000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                                             00000000776c0550 3 bytes JMP 7106000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4                                                                         00000000776c0554 2 bytes JMP 7106000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                                         00000000776c0694 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4                                                                                     00000000776c0698 2 bytes [F3, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776c088c 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4                                                                        00000000776c0890 2 bytes [DB, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                      00000000776c08a4 3 bytes JMP 70d6000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4                                                                                  00000000776c08a8 2 bytes JMP 70d6000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                          00000000776c0df4 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4                                                                                      00000000776c0df8 2 bytes [F0, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                                 00000000776c0ed8 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4                                                                             00000000776c0edc 2 bytes [D8, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                00000000776c1be4 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4                                                                            00000000776c1be8 2 bytes [ED, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                                      00000000776c1cb4 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4                                                                                  00000000776c1cb8 2 bytes [FC, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                                  00000000776c1d8c 3 bytes [FF, 25, 1E]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4                                                                              00000000776c1d90 2 bytes [F9, 70]
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                          00000000776e1287 6 bytes JMP 71a8000a
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                     0000000076de103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                     0000000076de1072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                               0000000076e0c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]}
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000000007725f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                             0000000077262c91 4 bytes CALL 71ac0000
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                               00000000763f2642 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text    C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe[916] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW                                                                            00000000763f5429 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                                                  00000000774e3b10 6 bytes {JMP QWORD [RIP+0x8b5c520]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                                       00000000775113a0 6 bytes {JMP QWORD [RIP+0x8b0ec90]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                            0000000077511570 6 bytes {JMP QWORD [RIP+0x90ceac0]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                    00000000775115e0 6 bytes {JMP QWORD [RIP+0x91aea50]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                                 0000000077511620 6 bytes {JMP QWORD [RIP+0x916ea10]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                                       00000000775116c0 6 bytes {JMP QWORD [RIP+0x91ce970]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                               0000000077511750 6 bytes {JMP QWORD [RIP+0x914e8e0]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                                0000000077511790 6 bytes {JMP QWORD [RIP+0x904e8a0]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                             00000000775117e0 6 bytes {JMP QWORD [RIP+0x906e850]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                  0000000077511800 6 bytes {JMP QWORD [RIP+0x918e830]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                                             00000000775119f0 6 bytes {JMP QWORD [RIP+0x924e640]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                     0000000077511b00 6 bytes {JMP QWORD [RIP+0x902e530]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                                                 0000000077511bd0 6 bytes {JMP QWORD [RIP+0x90ee460]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                    0000000077511d20 6 bytes {JMP QWORD [RIP+0x91ee310]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                              0000000077511d30 6 bytes {JMP QWORD [RIP+0x922e300]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                                  00000000775120a0 6 bytes {JMP QWORD [RIP+0x910df90]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                                         0000000077512130 6 bytes {JMP QWORD [RIP+0x920df00]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                        00000000775129a0 6 bytes {JMP QWORD [RIP+0x912d690]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                              0000000077512a20 6 bytes {JMP QWORD [RIP+0x908d610]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                                          0000000077512aa0 6 bytes {JMP QWORD [RIP+0x90ad590]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                     000007fefd549055 3 bytes [B5, 6F, 06]
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters                                                                                             000007fefd5553c0 5 bytes [FF, 25, 70, AC, 0A]
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!DeleteDC                                                                                                                      000007fefee422d0 6 bytes {JMP QWORD [RIP+0x55dd60]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!BitBlt                                                                                                                        000007fefee424b8 6 bytes {JMP QWORD [RIP+0x57db78]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!MaskBlt                                                                                                                       000007fefee45be0 6 bytes {JMP QWORD [RIP+0x59a450]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!CreateDCW                                                                                                                     000007fefee48384 6 bytes {JMP QWORD [RIP+0x427cac]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!CreateDCA                                                                                                                     000007fefee489c4 6 bytes {JMP QWORD [RIP+0x40766c]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!GetPixel                                                                                                                      000007fefee4933c 6 bytes {JMP QWORD [RIP+0x536cf4]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!StretchBlt                                                                                                                    000007fefee4b9e8 6 bytes {JMP QWORD [RIP+0x5d4648]}
.text    C:\Windows\system32\AUDIODG.EXE[3792] C:\Windows\System32\GDI32.dll!PlgBlt                                                                                                                        000007fefee4c8b0 6 bytes {JMP QWORD [RIP+0x5b3780]}
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                                       00000000776bf9e0 3 bytes JMP 71af000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4                                                                                                                   00000000776bf9e4 2 bytes JMP 71af000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                                            00000000776bfcb0 3 bytes JMP 70f7000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4                                                                                                        00000000776bfcb4 2 bytes JMP 70f7000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                    00000000776bfd64 3 bytes JMP 70e2000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                00000000776bfd68 2 bytes JMP 70e2000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                                                                 00000000776bfdc8 3 bytes JMP 70e8000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4                                                                                                             00000000776bfdcc 2 bytes JMP 70e8000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                                                                       00000000776bfec0 3 bytes JMP 70df000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4                                                                                                   00000000776bfec4 2 bytes JMP 70df000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                                                               00000000776bffa4 3 bytes JMP 70eb000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4                                                                                                           00000000776bffa8 2 bytes JMP 70eb000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                                                00000000776c0004 3 bytes JMP 7103000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4                                                                                                            00000000776c0008 2 bytes JMP 7103000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                                             00000000776c0084 3 bytes JMP 7100000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4                                                                                                         00000000776c0088 2 bytes JMP 7100000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                  00000000776c00b4 3 bytes JMP 70e5000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                              00000000776c00b8 2 bytes JMP 70e5000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                                                             00000000776c03b8 3 bytes JMP 70d3000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4                                                                                                         00000000776c03bc 2 bytes JMP 70d3000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                                     00000000776c0550 3 bytes JMP 7106000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4                                                                                                 00000000776c0554 2 bytes JMP 7106000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                                                                 00000000776c0694 3 bytes JMP 70f4000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4                                                                                                             00000000776c0698 2 bytes JMP 70f4000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                                                    00000000776c088c 3 bytes JMP 70dc000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4                                                                                                00000000776c0890 2 bytes JMP 70dc000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                                              00000000776c08a4 3 bytes JMP 70d6000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4                                                                                                          00000000776c08a8 2 bytes JMP 70d6000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                                  00000000776c0df4 3 bytes JMP 70f1000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4                                                                                                              00000000776c0df8 2 bytes JMP 70f1000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                                                         00000000776c0ed8 3 bytes JMP 70d9000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4                                                                                                     00000000776c0edc 2 bytes JMP 70d9000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                                        00000000776c1be4 3 bytes JMP 70ee000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4                                                                                                    00000000776c1be8 2 bytes JMP 70ee000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                                                              00000000776c1cb4 3 bytes JMP 70fd000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4                                                                                                          00000000776c1cb8 2 bytes JMP 70fd000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                                                          00000000776c1d8c 3 bytes JMP 70fa000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4                                                                                                      00000000776c1d90 2 bytes JMP 70fa000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                                                  00000000776e1287 6 bytes JMP 71a8000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                                             0000000076de103d 6 bytes JMP 719c000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                                             0000000076de1072 6 bytes JMP 7199000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                                       0000000076e0c9b5 6 bytes JMP 7190000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                                                             000000007725f776 6 bytes JMP 719f000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                     0000000077262c91 4 bytes CALL 71ac0000
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                                                                                      00000000763258b3 6 bytes JMP 7184000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!BitBlt                                                                                                                        0000000076325ea6 6 bytes JMP 717e000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                                                                                     0000000076327bcc 6 bytes JMP 718d000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                                                                                    000000007632b895 6 bytes JMP 7175000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                                                                                       000000007632c332 6 bytes JMP 717b000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!GetPixel                                                                                                                      000000007632cbfb 6 bytes JMP 7187000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                                                                                     000000007632e743 6 bytes JMP 718a000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                                                                                        000000007635480f 6 bytes JMP 7178000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowLongW                                                                                                               00000000753f8332 6 bytes JMP 7160000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                                                                           00000000753f8bff 6 bytes JMP 7154000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                                                                        00000000753f90d3 6 bytes JMP 710f000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                 00000000753f9679 6 bytes JMP 714e000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                                                                          00000000753f97d2 6 bytes JMP 7148000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                                              00000000753fee09 6 bytes JMP 7166000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                                                                               00000000753fefc9 3 bytes JMP 7115000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4                                                                                                           00000000753fefcd 2 bytes JMP 7115000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                 00000000754012a5 6 bytes JMP 715a000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                                                                  000000007540291f 6 bytes JMP 712d000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetParent                                                                                                                    0000000075402d64 3 bytes JMP 7124000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetParent + 4                                                                                                                0000000075402d68 2 bytes JMP 7124000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!EnableWindow                                                                                                                 0000000075402da4 6 bytes JMP 710c000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                                                                   0000000075403698 3 bytes JMP 7121000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!MoveWindow + 4                                                                                                               000000007540369c 2 bytes JMP 7121000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                 0000000075403baa 6 bytes JMP 715d000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                                                                           0000000075403c61 6 bytes JMP 7157000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowLongA                                                                                                               0000000075406110 6 bytes JMP 7163000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                 000000007540612e 6 bytes JMP 7151000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                                                                        0000000075406c30 6 bytes JMP 7112000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                            0000000075407603 6 bytes JMP 7169000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                                                                           0000000075407668 6 bytes JMP 713c000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                                                                         00000000754076e0 6 bytes JMP 7142000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                                                                          000000007540781f 6 bytes JMP 714b000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                                            000000007540835c 6 bytes JMP 716c000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                                                                           000000007540c4b6 3 bytes JMP 711e000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4                                                                                                       000000007540c4ba 2 bytes JMP 711e000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                                                                          000000007541c112 6 bytes JMP 7139000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                                                                          000000007541d0f5 6 bytes JMP 7136000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                                                                             000000007541eb96 6 bytes JMP 712a000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                                                                             000000007541ec68 3 bytes JMP 7130000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4                                                                                                         000000007541ec6c 2 bytes JMP 7130000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                    000000007541ff4a 3 bytes JMP 7133000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                000000007541ff4e 2 bytes JMP 7133000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                                                                             0000000075439f1d 6 bytes JMP 7118000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                                                                                0000000075441497 6 bytes JMP 7109000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                  000000007545027b 6 bytes JMP 716f000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                  00000000754502bf 6 bytes JMP 7172000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                                                                         0000000075456cfc 6 bytes JMP 7145000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                                                                           0000000075456d5d 6 bytes JMP 713f000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!BlockInput                                                                                                                   0000000075457dd7 3 bytes JMP 711b000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!BlockInput + 4                                                                                                               0000000075457ddb 2 bytes JMP 711b000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                                                                      00000000754588eb 3 bytes JMP 7127000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4                                                                                                  00000000754588ef 2 bytes JMP 7127000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                                                       00000000763f2642 6 bytes JMP 7196000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW                                                                                                    00000000763f5429 6 bytes JMP 7193000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\SspiCli.dll!EncryptMessage                                                                                                              00000000750e124e 6 bytes JMP 7181000a
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                     00000000763a1465 2 bytes [3A, 76]
.text    C:\Windows\SysWOW64\DllHost.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                    00000000763a14bb 2 bytes [3A, 76]
.text    ...                                                                                                                                                                                               * 2
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                               00000000776bf9e0 3 bytes JMP 71af000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4                                                                                                           00000000776bf9e4 2 bytes JMP 71af000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                                    00000000776bfcb0 3 bytes JMP 70f7000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4                                                                                                00000000776bfcb4 2 bytes JMP 70f7000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                            00000000776bfd64 3 bytes JMP 70e2000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                        00000000776bfd68 2 bytes JMP 70e2000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                                                         00000000776bfdc8 3 bytes JMP 70e8000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4                                                                                                     00000000776bfdcc 2 bytes JMP 70e8000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                                                               00000000776bfec0 3 bytes JMP 70df000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4                                                                                           00000000776bfec4 2 bytes JMP 70df000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                                                       00000000776bffa4 3 bytes JMP 70eb000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4                                                                                                   00000000776bffa8 2 bytes JMP 70eb000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                                        00000000776c0004 3 bytes JMP 7103000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4                                                                                                    00000000776c0008 2 bytes JMP 7103000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                                     00000000776c0084 3 bytes JMP 7100000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4                                                                                                 00000000776c0088 2 bytes JMP 7100000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                          00000000776c00b4 3 bytes JMP 70e5000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                      00000000776c00b8 2 bytes JMP 70e5000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                                                     00000000776c03b8 3 bytes JMP 70d3000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4                                                                                                 00000000776c03bc 2 bytes JMP 70d3000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                             00000000776c0550 3 bytes JMP 7106000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4                                                                                         00000000776c0554 2 bytes JMP 7106000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                                                         00000000776c0694 3 bytes JMP 70f4000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4                                                                                                     00000000776c0698 2 bytes JMP 70f4000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                                            00000000776c088c 3 bytes JMP 70dc000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4                                                                                        00000000776c0890 2 bytes JMP 70dc000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                                      00000000776c08a4 3 bytes JMP 70d6000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4                                                                                                  00000000776c08a8 2 bytes JMP 70d6000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                          00000000776c0df4 3 bytes JMP 70f1000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4                                                                                                      00000000776c0df8 2 bytes JMP 70f1000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                                                 00000000776c0ed8 3 bytes JMP 70d9000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4                                                                                             00000000776c0edc 2 bytes JMP 70d9000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                                00000000776c1be4 3 bytes JMP 70ee000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4                                                                                            00000000776c1be8 2 bytes JMP 70ee000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                                                      00000000776c1cb4 3 bytes JMP 70fd000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4                                                                                                  00000000776c1cb8 2 bytes JMP 70fd000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                                                  00000000776c1d8c 3 bytes JMP 70fa000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4                                                                                              00000000776c1d90 2 bytes JMP 70fa000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                                                          00000000776e1287 6 bytes JMP 71a8000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                                     0000000076de103d 6 bytes JMP 719c000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                                     0000000076de1072 6 bytes JMP 7199000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                               0000000076e0c9b5 6 bytes JMP 7190000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                                                     000000007725f776 6 bytes JMP 719f000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                             0000000077262c91 4 bytes CALL 71ac0000
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowLongW                                                                                                       00000000753f8332 6 bytes JMP 7160000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                                                                   00000000753f8bff 6 bytes JMP 7154000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                                                                00000000753f90d3 6 bytes JMP 710f000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                         00000000753f9679 6 bytes JMP 714e000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                                                                  00000000753f97d2 6 bytes JMP 7148000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                                      00000000753fee09 6 bytes JMP 7166000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                                                                       00000000753fefc9 3 bytes JMP 7115000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4                                                                                                   00000000753fefcd 2 bytes JMP 7115000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                         00000000754012a5 6 bytes JMP 715a000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                                                          000000007540291f 6 bytes JMP 712d000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent                                                                                                            0000000075402d64 3 bytes JMP 7124000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetParent + 4                                                                                                        0000000075402d68 2 bytes JMP 7124000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!EnableWindow                                                                                                         0000000075402da4 6 bytes JMP 710c000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                                                           0000000075403698 3 bytes JMP 7121000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!MoveWindow + 4                                                                                                       000000007540369c 2 bytes JMP 7121000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                         0000000075403baa 6 bytes JMP 715d000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                                                                   0000000075403c61 6 bytes JMP 7157000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowLongA                                                                                                       0000000075406110 6 bytes JMP 7163000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                         000000007540612e 6 bytes JMP 7151000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                                                                0000000075406c30 6 bytes JMP 7112000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                    0000000075407603 6 bytes JMP 7169000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                                                                   0000000075407668 6 bytes JMP 713c000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                                                                 00000000754076e0 6 bytes JMP 7142000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                                                                  000000007540781f 6 bytes JMP 714b000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                                    000000007540835c 6 bytes JMP 716c000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                                                                   000000007540c4b6 3 bytes JMP 711e000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4                                                                                               000000007540c4ba 2 bytes JMP 711e000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                                                                  000000007541c112 6 bytes JMP 7139000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                                                                  000000007541d0f5 6 bytes JMP 7136000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                                                                     000000007541eb96 6 bytes JMP 712a000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                                                                     000000007541ec68 3 bytes JMP 7130000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4                                                                                                 000000007541ec6c 2 bytes JMP 7130000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                            000000007541ff4a 3 bytes JMP 7133000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                        000000007541ff4e 2 bytes JMP 7133000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                                                                     0000000075439f1d 6 bytes JMP 7118000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                                                                        0000000075441497 6 bytes JMP 7109000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                          000000007545027b 6 bytes JMP 716f000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                          00000000754502bf 6 bytes JMP 7172000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                                                                 0000000075456cfc 6 bytes JMP 7145000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                                                                   0000000075456d5d 6 bytes JMP 713f000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput                                                                                                           0000000075457dd7 3 bytes JMP 711b000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!BlockInput + 4                                                                                                       0000000075457ddb 2 bytes JMP 711b000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                                                              00000000754588eb 3 bytes JMP 7127000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4                                                                                          00000000754588ef 2 bytes JMP 7127000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                                                                              00000000763258b3 6 bytes JMP 7184000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!BitBlt                                                                                                                0000000076325ea6 6 bytes JMP 717e000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                                                                             0000000076327bcc 6 bytes JMP 718d000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                                                                            000000007632b895 6 bytes JMP 7175000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                                                                               000000007632c332 6 bytes JMP 717b000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!GetPixel                                                                                                              000000007632cbfb 6 bytes JMP 7187000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                                                                             000000007632e743 6 bytes JMP 718a000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                                                                                000000007635480f 6 bytes JMP 7178000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                                               00000000763f2642 6 bytes JMP 7196000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW                                                                                            00000000763f5429 6 bytes JMP 7193000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\SspiCli.dll!EncryptMessage                                                                                                      00000000750e124e 6 bytes JMP 7181000a
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                             00000000763a1465 2 bytes [3A, 76]
.text    C:\Users\Tobselo\Desktop\Gmer-19357.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                            00000000763a14bb 2 bytes [3A, 76]
.text    ...                                                                                                                                                                                               * 2
---- Processes - GMER 2.1 ----

Library  C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe [916](2014-01-03 00:45:04)                          0000000004260000
Library  C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe [916](2013-10-18 23:55:02)                                0000000068d30000
Library  C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe [916] (ICU Data DLL/The ICU Project)(2013-10-18 23:55:00)  000000006d490000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue                                                                                                             0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue                                                                                                                       0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue                                                                                                                    0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue                                                                                                                 0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue                                                                                                                           0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue                                                                                                                        0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue                                                                                                                                                 0x5C 0x00 0x52 0x00 ...
Reg      HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue                                                                                                                                        0x5C 0x00 0x52 0x00 ...

---- EOF - GMER 2.1 ----
         


Alt 16.04.2014, 09:55   #6
schrauber
/// the machine
/// TB-Ausbilder
 

Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



hi,

Scan mit Combofix
WARNUNG an die MITLESER:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link
  • WICHTIG: Speichere Combofix auf deinem Desktop.
  • Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören. Combofix meckert auch manchmal trotzdem noch, das kannst du dann ignorieren, mir aber bitte mitteilen.
  • Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.
  • Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!
  • Wenn Combofix fertig ist, wird es ein Logfile erstellen.
  • Bitte poste die C:\Combofix.txt in deiner nächsten Antwort (möglichst in CODE-Tags).
Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
starte den Rechner einfach neu. Dies sollte das Problem beheben.

__________________
--> Umleitung zu fake java-update

Alt 16.04.2014, 22:21   #7
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Hi,

Code:
ATTFilter
ComboFix 14-04-12.01 - Tobselo 16.04.2014  22:49:33.2.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.1979.1128 [GMT 2:00]
ausgeführt von:: c:\users\Tobselo\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((   Dateien erstellt von 2014-03-16 bis 2014-04-16  ))))))))))))))))))))))))))))))
.
.
2014-04-16 21:00 . 2014-04-16 21:00	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-04-14 19:15 . 2014-04-14 19:15	--------	d-----w-	c:\program files\CCleaner
2014-04-14 17:36 . 2014-04-14 17:57	--------	d-----w-	C:\FRST
2014-04-13 19:09 . 2014-04-13 19:09	--------	d-----w-	c:\program files (x86)\Common Files\Java
2014-04-13 19:08 . 2014-04-13 19:08	312728	----a-w-	c:\windows\system32\javaws.exe
2014-04-13 19:08 . 2014-04-13 19:08	191384	----a-w-	c:\windows\system32\javaw.exe
2014-04-13 19:08 . 2014-04-13 19:08	190872	----a-w-	c:\windows\system32\java.exe
2014-04-13 19:08 . 2014-04-13 19:08	111000	----a-w-	c:\windows\system32\WindowsAccessBridge-64.dll
2014-04-13 19:08 . 2014-04-13 19:08	--------	d-----w-	c:\program files\Java
2014-04-11 10:16 . 2014-03-31 01:16	23134208	----a-w-	c:\windows\system32\mshtml.dll
2014-04-11 10:16 . 2014-03-31 01:13	2724864	----a-w-	c:\windows\system32\mshtml.tlb
2014-04-11 10:16 . 2014-03-31 00:13	2724864	----a-w-	c:\windows\SysWow64\mshtml.tlb
2014-04-02 20:56 . 2014-04-02 20:56	--------	d-----w-	c:\users\Tobselo\AppData\Local\Skype
2014-04-02 20:55 . 2014-04-02 20:55	--------	d-----w-	c:\program files (x86)\Common Files\Skype
2014-04-02 20:55 . 2014-04-02 20:55	--------	d-----r-	c:\program files (x86)\Skype
2014-03-26 08:26 . 2014-03-26 08:26	--------	d-----w-	c:\program files (x86)\Common Files\SolidWorks Installations-Manager
2014-03-26 08:25 . 2014-03-26 08:25	--------	d-----w-	c:\windows\SolidWorks
2014-03-26 08:25 . 2014-03-26 08:25	--------	d-----w-	c:\users\Tobselo\AppData\Roaming\SolidWorks
2014-03-22 22:43 . 2014-04-14 19:03	--------	d-----w-	C:\AdwCleaner
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-13 18:24 . 2013-04-03 22:01	90655440	----a-w-	c:\windows\system32\MRT.exe
2014-03-25 19:22 . 2013-01-16 17:51	105552	----a-w-	c:\windows\system32\drivers\inspect.sys
2014-03-25 19:22 . 2013-01-16 17:51	48360	----a-w-	c:\windows\system32\drivers\cmdhlp.sys
2014-03-25 19:22 . 2013-01-16 17:51	738472	----a-w-	c:\windows\system32\drivers\cmdguard.sys
2014-03-25 19:22 . 2013-01-16 17:51	23168	----a-w-	c:\windows\system32\drivers\cmderd.sys
2014-03-25 19:22 . 2013-01-24 20:43	43216	----a-w-	c:\windows\system32\cmdcsr.dll
2014-03-25 19:22 . 2013-01-24 20:43	363504	----a-w-	c:\windows\SysWow64\guard32.dll
2014-03-25 19:22 . 2013-01-24 20:43	453680	----a-w-	c:\windows\system32\guard64.dll
2014-03-25 19:22 . 2013-01-24 20:42	352984	----a-w-	c:\windows\system32\cmdvrt64.dll
2014-03-25 19:22 . 2013-01-24 20:42	45784	----a-w-	c:\windows\system32\cmdkbd64.dll
2014-03-25 19:22 . 2013-01-24 20:42	284888	----a-w-	c:\windows\SysWow64\cmdvrt32.dll
2014-03-25 19:22 . 2013-01-24 20:42	40664	----a-w-	c:\windows\SysWow64\cmdkbd32.dll
2014-03-14 18:23 . 2013-04-03 19:06	71048	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-14 18:23 . 2013-04-03 19:06	692616	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-04 09:17 . 2014-04-11 10:15	44032	----a-w-	c:\windows\apppatch\acwow64.dll
2014-03-01 05:16 . 2014-03-13 18:00	4096	----a-w-	c:\windows\system32\ieetwcollectorres.dll
2014-03-01 04:58 . 2014-03-13 18:00	2765824	----a-w-	c:\windows\system32\iertutil.dll
2014-03-01 04:52 . 2014-03-13 18:00	66048	----a-w-	c:\windows\system32\iesetup.dll
2014-03-01 04:51 . 2014-03-13 18:00	48640	----a-w-	c:\windows\system32\ieetwproxystub.dll
2014-03-01 04:42 . 2014-03-13 18:00	53760	----a-w-	c:\windows\system32\jsproxy.dll
2014-03-01 04:40 . 2014-03-13 18:00	33792	----a-w-	c:\windows\system32\iernonce.dll
2014-03-01 04:37 . 2014-03-13 18:00	574976	----a-w-	c:\windows\system32\ieui.dll
2014-03-01 04:33 . 2014-03-13 18:00	139264	----a-w-	c:\windows\system32\ieUnatt.exe
2014-03-01 04:33 . 2014-03-13 18:00	111616	----a-w-	c:\windows\system32\ieetwcollector.exe
2014-03-01 04:32 . 2014-03-13 18:00	708608	----a-w-	c:\windows\system32\jscript9diag.dll
2014-03-01 04:23 . 2014-03-13 18:00	940032	----a-w-	c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 04:17 . 2014-03-13 18:00	218624	----a-w-	c:\windows\system32\ie4uinit.exe
2014-03-01 04:02 . 2014-03-13 18:00	195584	----a-w-	c:\windows\system32\msrating.dll
2014-03-01 03:54 . 2014-03-13 18:00	5768704	----a-w-	c:\windows\system32\jscript9.dll
2014-03-01 03:52 . 2014-03-13 18:00	61952	----a-w-	c:\windows\SysWow64\iesetup.dll
2014-03-01 03:51 . 2014-03-13 18:00	51200	----a-w-	c:\windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:42 . 2014-03-13 18:00	627200	----a-w-	c:\windows\system32\msfeeds.dll
2014-03-01 03:38 . 2014-03-13 18:00	112128	----a-w-	c:\windows\SysWow64\ieUnatt.exe
2014-03-01 03:37 . 2014-03-13 18:00	553472	----a-w-	c:\windows\SysWow64\jscript9diag.dll
2014-03-01 03:35 . 2014-03-13 18:00	2041856	----a-w-	c:\windows\system32\inetcpl.cpl
2014-03-01 03:18 . 2014-03-13 18:00	13051904	----a-w-	c:\windows\system32\ieframe.dll
2014-03-01 03:14 . 2014-03-13 18:00	4244480	----a-w-	c:\windows\SysWow64\jscript9.dll
2014-03-01 03:10 . 2014-03-13 18:00	2334208	----a-w-	c:\windows\system32\wininet.dll
2014-03-01 03:00 . 2014-03-13 18:00	1964032	----a-w-	c:\windows\SysWow64\inetcpl.cpl
2014-03-01 02:38 . 2014-03-13 18:00	1393664	----a-w-	c:\windows\system32\urlmon.dll
2014-03-01 02:32 . 2014-03-13 18:00	1820160	----a-w-	c:\windows\SysWow64\wininet.dll
2014-03-01 02:25 . 2014-03-13 18:00	817664	----a-w-	c:\windows\system32\ieapfltr.dll
2014-02-07 01:23 . 2014-03-13 18:00	3156480	----a-w-	c:\windows\system32\win32k.sys
2014-02-04 02:32 . 2014-03-13 17:59	1424384	----a-w-	c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:32 . 2014-03-13 17:59	624128	----a-w-	c:\windows\system32\qedit.dll
2014-02-04 02:04 . 2014-03-13 17:59	1230336	----a-w-	c:\windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-13 17:59	509440	----a-w-	c:\windows\SysWow64\qedit.dll
2014-01-29 02:32 . 2014-03-13 18:00	484864	----a-w-	c:\windows\system32\wer.dll
2014-01-29 02:06 . 2014-03-13 18:00	381440	----a-w-	c:\windows\SysWow64\wer.dll
2014-01-28 02:32 . 2014-03-13 18:00	228864	----a-w-	c:\windows\system32\wwansvc.dll
2014-01-25 14:50 . 2014-01-25 14:50	175	----a-w-	C:\whx.bat
2014-01-25 14:08 . 2014-01-25 14:08	119808	----a-r-	c:\users\Tobselo\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}]
c:\program files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	131248	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	131248	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	131248	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatteryMon"="c:\program files (x86)\BatteryMon\BatteryMon.exe" [2012-06-15 1344960]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-05-23 1561968]
"rfxsrvtray"="e:\tobit radio.fx\Client\rfx-tray.exe" [2013-02-07 1838872]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2014-02-10 20922016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PrivDogService"="c:\program files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe" [2013-11-15 525480]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-09-05 3478392]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-03-04 224128]
.
c:\users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-1-3 30714328]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SolidWorks Hintergrund-Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installations-Manager\BackgroundDownloading\sldBgDwld.exe /launch_from 0 [2014-3-26 2740264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WSDScan;WSD-Scanunterstützung durch UMB;c:\windows\system32\drivers\WSDScan.sys;c:\windows\SYSNATIVE\drivers\WSDScan.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys;c:\windows\SYSNATIVE\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys;c:\windows\SYSNATIVE\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys;c:\windows\SYSNATIVE\DRIVERS\cmdhlp.sys [x]
S2 Radio.fx;Radio.fx Server;e:\tobit radio.fx\Server\rfx-server.exe;e:\tobit radio.fx\Server\rfx-server.exe [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 NETw5s64;Intel(R) Wireless WiFi Link Adaptertreiber für Windows 7 64-Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	164016	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	164016	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	164016	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54	164016	----a-w-	c:\users\Tobselo\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2014-03-25 1275608]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 108144]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: {{2F5C139F-79BD-4C84-A95A-E7140525BC55} - {5B06364D-FF00-4BD5-9D01-4379952513F2} - c:\program files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-PrivDog - c:\program files (x86)\AdTrustMedia\PrivDog\UninstallTrustedAds.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\COMODO\CIS\Installer\Sym_Cam\CIS]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Configurations]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Data]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Options]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Cam]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\
.
Zeit der Fertigstellung: 2014-04-16  23:16:08
ComboFix-quarantined-files.txt  2014-04-16 21:16
.
Vor Suchlauf: 3.640.221.696 Bytes frei
Nach Suchlauf: 3.567.673.344 Bytes frei
.
- - End Of File - - 046B5D252C279C2F4F534A02E1E3E678
A36C5E4F47E84449FF07ED3517B43A31
         

Alt 17.04.2014, 19:34   #8
schrauber
/// the machine
/// TB-Ausbilder
 

Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Downloade Dir bitte Malwarebytes Anti-Malware
  • Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
  • Starte Malwarebytes' Anti-Malware (MBAM).
  • Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
  • Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
  • Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
  • Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
  • Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
  • Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.


Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).

Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Bitte lade Junkware Removal Tool auf Deinen Desktop

  • Starte das Tool mit Doppelklick. Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten.
  • Drücke eine beliebige Taste, um das Tool zu starten.
  • Je nach System kann der Scan eine Weile dauern.
  • Wenn das Tool fertig ist wird das Logfile (JRT.txt) auf dem Desktop gespeichert und automatisch geöffnet.
  • Bitte poste den Inhalt der JRT.txt in Deiner nächsten Antwort.


und ein frisches FRST log bitte.
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 18.04.2014, 20:14   #9
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Guten Abend,

mbam.txt
Code:
ATTFilter
 Malwarebytes Anti-Malware 
www.malwarebytes.org

Suchlauf Datum: 18.04.2014
Suchlauf-Zeit: 19:19:19
Logdatei: Malwarebytes.txt
Administrator: Ja

Version: 2.00.1.1004
Malware Datenbank: v2014.04.18.07
Rootkit Datenbank: v2014.03.27.01
Lizenz: Testversion
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Chameleon: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Tobselo

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 258516
Verstrichene Zeit: 30 Min, 51 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Shuriken: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registrierungsschlüssel: 0
(No malicious items detected)

Registrierungswerte: 0
(No malicious items detected)

Registrierungsdaten: 0
(No malicious items detected)

Ordner: 0
(No malicious items detected)

Dateien: 4
Hacktool.Agent, C:\Users\Tobselo\Downloads\2-lodda-21.rar, In Quarantäne, [0ff15ea28e727a86535888bce51c1de3], 
PUP.MailPassView, C:\Users\Tobselo\Downloads\mailpv_setup.exe, In Quarantäne, [35cb659b16ea2bd5c27fc27214f09967], 
PUP.Optional.OpenCandy, C:\Users\Tobselo\Downloads\winamp565_full_emusic-7plus_all.exe, In Quarantäne, [3fc18d735aa67d839f1edc6fe61e3fc1], 
PUP.Optional.YourFileDownloader, C:\Users\Tobselo\Downloads\YourFile_downloader.exe, In Quarantäne, [a55bea1613ed14ecb9497ca2926e07f9], 

Physische Sektoren: 0
(No malicious items detected)


(end)
         
ADWcleaner:
Code:
ATTFilter
# AdwCleaner v3.023 - Bericht erstellt am 18/04/2014 um 19:29:39
# Aktualisiert 01/04/2014 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzername : Tobselo - TOBSELO-PC
# Gestartet von : C:\Users\Tobselo\Downloads\adwcleaner3023.exe
# Option : Löschen

***** [ Dienste ] *****


***** [ Dateien / Ordner ] *****


***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****


***** [ Browser ] *****

-\\ Internet Explorer v11.0.9600.16521


-\\ Mozilla Firefox v28.0 (de)

[ Datei : C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [4807 octets] - [23/03/2014 00:43:37]
AdwCleaner[R1].txt - [1166 octets] - [23/03/2014 00:53:56]
AdwCleaner[R2].txt - [1287 octets] - [23/03/2014 00:59:54]
AdwCleaner[R3].txt - [1407 octets] - [23/03/2014 22:47:07]
AdwCleaner[R4].txt - [1610 octets] - [14/04/2014 21:01:56]
AdwCleaner[R5].txt - [1358 octets] - [18/04/2014 19:26:20]
AdwCleaner[R6].txt - [1419 octets] - [18/04/2014 19:28:32]
AdwCleaner[S0].txt - [4665 octets] - [23/03/2014 00:45:11]
AdwCleaner[S1].txt - [1228 octets] - [23/03/2014 00:57:11]
AdwCleaner[S2].txt - [1348 octets] - [23/03/2014 01:03:37]
AdwCleaner[S3].txt - [1623 octets] - [14/04/2014 21:03:50]
AdwCleaner[S4].txt - [1340 octets] - [18/04/2014 19:29:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1400 octets] ##########
         
JRT:
Code:
ATTFilter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by Tobselo on 18.04.2014 at 19:34:33,21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\privdogservice



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\adtrustmedia"
Successfully deleted: [Folder] "C:\Program Files (x86)\adtrustmedia"



~~~ FireFox

Successfully deleted the following from C:\Users\Tobselo\AppData\Roaming\mozilla\firefox\profiles\ktk825x4.default\prefs.js

user_pref("extensions.trusted-ads.TrustAd", "{\"r\":[{\"t\":\"FQDN\",\"r\":\"trustedads.adtrustmedia.com\",\"c\":[{\"i\":\"1\",\"s\":[\"display.clickpoint.com\",\"www.africawi
Emptied folder: C:\Users\Tobselo\AppData\Roaming\mozilla\firefox\profiles\ktk825x4.default\minidumps [10 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 18.04.2014 at 20:45:32,08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         
FRST:

FRST Logfile:
Code:
ATTFilter
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01
Ran by Tobselo (administrator) on TOBSELO-PC on 18-04-2014 21:07:09
Running from C:\Users\Tobselo\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal



==================== Processes (Whitelisted) =================

(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe
(Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe
(Tobit.Software) E:\Tobit Radio.fx\Client\rfx-tray.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(PassMark (R) Software) C:\Program Files (x86)\BatteryMon\BatteryMon.exe
(Dropbox, Inc.) C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
() E:\Tobit Radio.fx\Server\rfx-server.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [159232 2009-09-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [380928 2009-09-02] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [358912 2009-09-02] (Intel Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [224128 2014-03-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [BatteryMon] => C:\Program Files (x86)\BatteryMon\BatteryMon.exe [1344960 2012-06-15] (PassMark (R) Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1561968 2013-05-23] (Samsung)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [rfxsrvtray] => E:\Tobit Radio.fx\Client\rfx-tray.exe [1838872 2013-02-07] (Tobit.Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
Startup: C:\Users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCC1D71950A2FCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.com
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - C:\Program Files (x86)\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FireShot - C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba} [2014-03-14]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-13]

==================== Services (Whitelisted) =================

R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] ()

==================== Drivers (Whitelisted) ====================

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-03-25] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-03-25] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-03-25] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-03-25] (COMODO)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2014-04-18] (Malwarebytes Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-18 20:52 - 2014-03-06 11:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-18 20:52 - 2014-03-06 10:57 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-18 20:52 - 2014-03-06 10:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-18 20:52 - 2014-03-06 10:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-18 20:52 - 2014-03-06 10:02 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-04-18 20:52 - 2014-03-06 09:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-18 20:51 - 2014-03-06 12:21 - 23549440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-18 20:51 - 2014-03-06 11:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-04-18 20:51 - 2014-03-06 11:19 - 17387008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-18 20:51 - 2014-03-06 10:59 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-04-18 20:51 - 2014-03-06 10:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-04-18 20:51 - 2014-03-06 10:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-18 20:51 - 2014-03-06 10:40 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-18 20:51 - 2014-03-06 10:39 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-04-18 20:51 - 2014-03-06 10:29 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-18 20:51 - 2014-03-06 10:29 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-04-18 20:51 - 2014-03-06 10:28 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-04-18 20:51 - 2014-03-06 10:15 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-04-18 20:51 - 2014-03-06 10:11 - 05784064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-18 20:51 - 2014-03-06 10:09 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-04-18 20:51 - 2014-03-06 10:03 - 00586240 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-04-18 20:51 - 2014-03-06 10:02 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-18 20:51 - 2014-03-06 10:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-04-18 20:51 - 2014-03-06 09:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-04-18 20:51 - 2014-03-06 09:48 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-04-18 20:51 - 2014-03-06 09:47 - 02178048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-18 20:51 - 2014-03-06 09:46 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-18 20:51 - 2014-03-06 09:46 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-18 20:51 - 2014-03-06 09:45 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-18 20:51 - 2014-03-06 09:42 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-04-18 20:51 - 2014-03-06 09:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-04-18 20:51 - 2014-03-06 09:36 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-04-18 20:51 - 2014-03-06 09:22 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-04-18 20:51 - 2014-03-06 09:21 - 00628736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-18 20:51 - 2014-03-06 09:13 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-04-18 20:51 - 2014-03-06 09:11 - 02043904 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-18 20:51 - 2014-03-06 09:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-18 20:51 - 2014-03-06 09:01 - 00244224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-04-18 20:51 - 2014-03-06 08:53 - 13551104 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-18 20:51 - 2014-03-06 08:46 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-18 20:51 - 2014-03-06 08:40 - 01967104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-04-18 20:51 - 2014-03-06 08:36 - 11745792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-18 20:51 - 2014-03-06 08:22 - 02260480 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-18 20:51 - 2014-03-06 07:58 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-18 20:51 - 2014-03-06 07:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-04-18 20:51 - 2014-03-06 07:43 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-04-18 20:51 - 2014-03-06 07:41 - 01789440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-18 20:51 - 2014-03-06 07:36 - 01143808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-18 20:45 - 2014-04-18 20:49 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt
2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT
2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe
2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt
2014-04-18 18:46 - 2014-04-18 20:58 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt
2014-04-16 22:28 - 2014-04-18 21:04 - 00000336 _____ () C:\Windows\setupact.log
2014-04-16 22:28 - 2014-04-18 19:20 - 00002906 _____ () C:\Windows\PFRO.log
2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-16 22:10 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-04-16 22:10 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-04-16 22:10 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-04-16 22:09 - 2014-04-16 23:16 - 00000000 ____D () C:\Qoobox
2014-04-16 22:09 - 2014-04-16 22:30 - 00000000 ____D () C:\Windows\erdnt
2014-04-16 22:05 - 2014-04-16 22:07 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe
2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-14 21:13 - 2014-04-14 21:14 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe
2014-04-14 20:59 - 2014-04-14 21:00 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe
2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip
2014-04-14 20:07 - 2014-04-14 20:16 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log
2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe
2014-04-14 19:56 - 2014-04-18 21:07 - 00011692 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:36 - 2014-04-18 21:07 - 00000000 ____D () C:\FRST
2014-04-14 19:33 - 2014-04-14 19:34 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:06 - 2014-04-13 21:07 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-11 12:15 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-11 12:15 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-11 12:15 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-11 12:15 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-11 12:15 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-11 12:15 - 2014-02-04 04:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-11 12:15 - 2014-02-04 04:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-11 12:15 - 2014-02-04 04:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-11 12:15 - 2014-01-24 04:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 12:30 - 2014-03-25 12:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 00:43 - 2014-04-18 19:29 - 00000000 ____D () C:\AdwCleaner
2014-03-23 00:41 - 2014-03-23 00:42 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol

==================== One Month Modified Files and Folders =======

2014-04-18 21:07 - 2014-04-14 19:56 - 00011692 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-18 21:07 - 2014-04-14 19:36 - 00000000 ____D () C:\FRST
2014-04-18 21:06 - 2013-04-01 21:32 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Skype
2014-04-18 21:05 - 2013-04-03 23:10 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Dropbox
2014-04-18 21:04 - 2014-04-16 22:28 - 00000336 _____ () C:\Windows\setupact.log
2014-04-18 21:04 - 2013-04-01 21:05 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat
2014-04-18 21:04 - 2013-03-31 19:54 - 02080658 _____ () C:\Windows\WindowsUpdate.log
2014-04-18 21:04 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-18 21:03 - 2011-04-12 09:43 - 00699682 _____ () C:\Windows\system32\perfh007.dat
2014-04-18 21:03 - 2011-04-12 09:43 - 00149790 _____ () C:\Windows\system32\perfc007.dat
2014-04-18 21:03 - 2009-07-14 07:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-18 21:02 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-18 21:02 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-18 20:58 - 2014-04-18 18:46 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-18 20:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-04-18 20:49 - 2014-04-18 20:45 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt
2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT
2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe
2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt
2014-04-18 19:29 - 2014-03-23 00:43 - 00000000 ____D () C:\AdwCleaner
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt
2014-04-18 19:20 - 2014-04-16 22:28 - 00002906 _____ () C:\Windows\PFRO.log
2014-04-18 19:19 - 2013-04-01 21:27 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2
2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-17 00:55 - 2013-04-03 21:40 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\vlc
2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt
2014-04-16 23:16 - 2014-04-16 22:09 - 00000000 ____D () C:\Qoobox
2014-04-16 23:00 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2014-04-16 22:45 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2014-04-16 22:30 - 2014-04-16 22:09 - 00000000 ____D () C:\Windows\erdnt
2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-16 22:07 - 2014-04-16 22:05 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe
2014-04-14 21:17 - 2013-10-17 20:43 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Winamp
2014-04-14 21:17 - 2013-05-06 00:21 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\FileZilla
2014-04-14 21:17 - 2013-03-31 20:50 - 00000000 ____D () C:\Windows\Panther
2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-14 21:14 - 2014-04-14 21:13 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe
2014-04-14 21:00 - 2014-04-14 20:59 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe
2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip
2014-04-14 20:16 - 2014-04-14 20:07 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log
2014-04-14 20:07 - 2013-03-31 19:54 - 00000000 ____D () C:\Users\Tobselo
2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:34 - 2014-04-14 19:33 - 02157568 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:07 - 2014-04-13 21:06 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-13 20:34 - 2013-04-01 20:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-13 20:33 - 2014-03-12 21:30 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\TV-Browser
2014-04-13 20:30 - 2013-04-20 14:47 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-13 20:28 - 2013-08-02 00:17 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-13 20:24 - 2013-04-04 00:01 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-04-13 18:49 - 2013-08-28 21:52 - 00013092 _____ () C:\Users\Tobselo\Documents\Stromzähler.xlsx
2014-04-09 21:54 - 2013-12-03 21:58 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\AdTrustMedia
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-02 22:55 - 2013-04-01 21:32 - 00000000 ____D () C:\ProgramData\Skype
2014-04-02 22:50 - 2013-04-01 22:04 - 00054108 _____ () C:\Windows\system32\Drivers\fvstore.dat
2014-04-02 22:32 - 2013-04-01 21:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-02 22:31 - 2013-04-01 21:05 - 00001838 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 21:22 - 2013-01-24 22:43 - 00453680 _____ (COMODO) C:\Windows\system32\guard64.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00363504 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00043216 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2014-03-25 21:22 - 2013-01-16 19:51 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2014-03-25 12:32 - 2014-03-25 12:30 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 14:19 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-03-23 00:42 - 2014-03-23 00:41 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy

Some content of TEMP:
====================
C:\Users\Tobselo\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-11 13:36

==================== End Of Log ============================
         
--- --- ---

Alt 19.04.2014, 12:28   #10
schrauber
/// the machine
/// TB-Ausbilder
 

Umleitung zu fake java-update - Standard

Umleitung zu fake java-update




ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset


Downloade Dir bitte SecurityCheck und:

  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
  • Wenn der Scan beendet wurde sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.

und ein frisches FRST log bitte. Noch Probleme?
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 19.04.2014, 20:57   #11
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Hey,

Problem existiert nach wie vor!
Frohe Ostern!

Gruß,
Tobi

ESET:
Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internet# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=9ea26bf10d6ccf4fa5882f060fae21aa
# engine=17955
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-04-19 07:38:29
# local_time=2014-04-19 09:38:29 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3074 16777213 100 84 27612 43558131 0 0
# compatibility_mode=5893 16776574 100 94 24220636 149566159 0 0
# scanned=153294
# found=5
# cleaned=0
# scan_time=11825
sh=AB3A1E36ECBB52F2666380331A42FF1EBAE91454 ft=1 fh=fe256c697b32839a vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\ProgramData\Comodo\Cis\Quarantine\data\{857D07C5-A12B-43AC-AFEB-6B92E3B089B3}"
sh=8C5EB12AF1A9EB8E8DB08B95B3459E002D9D6EF5 ft=1 fh=8ec3e6ab7109e42f vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\ProgramData\Comodo\Cis\Quarantine\data\{BCF3B375-DA63-4610-87B9-18AB270E8395}"
sh=AB3A1E36ECBB52F2666380331A42FF1EBAE91454 ft=1 fh=fe256c697b32839a vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\Users\All Users\Comodo\Cis\Quarantine\data\{857D07C5-A12B-43AC-AFEB-6B92E3B089B3}"
sh=8C5EB12AF1A9EB8E8DB08B95B3459E002D9D6EF5 ft=1 fh=8ec3e6ab7109e42f vn="a variant of Win32/AdWare.BetterSurf.C application" ac=I fn="C:\Users\All Users\Comodo\Cis\Quarantine\data\{BCF3B375-DA63-4610-87B9-18AB270E8395}"
sh=143436581F74658DC6A67F39CEDFD9EC1D1D52B7 ft=1 fh=a0d842eed01264c5 vn="a variant of Win32/Packed.VMProtect.ABD trojan" ac=I fn="C:\Users\Tobselo\Tools\X-Ways WinHex 17.3 SR-5\X-Ways WinHex 17.3 SR-5\keygen\keygen.exe"
         
SecurityCheck:
Code:
ATTFilter
 Results of screen317's Security Check version 0.99.81  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
COMODO Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java version out of Date! 
 Adobe Flash Player 12.0.0.77  
 Adobe Reader XI  
 Mozilla Firefox (28.0) 
````````Process Check: objlist.exe by Laurent````````  
 Comodo Firewall cmdagent.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         

FRST Logfile:

FRST Logfile:

FRST Logfile:
Code:
ATTFilter
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-04-2014
Ran by Tobselo (administrator) on TOBSELO-PC on 19-04-2014 21:51:31
Running from C:\Users\Tobselo\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal



==================== Processes (Whitelisted) =================

(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Samsung) C:\Program Files (x86)\Samsung\Kies\Kies.exe
(Tobit.Software) E:\Tobit Radio.fx\Client\rfx-tray.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Dropbox, Inc.) C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
() E:\Tobit Radio.fx\Server\rfx-server.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-09-05] (Adobe Systems Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [224128 2014-03-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [BatteryMon] => C:\Program Files (x86)\BatteryMon\BatteryMon.exe [1344960 2012-06-15] (PassMark (R) Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1561968 2013-05-23] (Samsung)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [rfxsrvtray] => E:\Tobit Radio.fx\Client\rfx-tray.exe [1838872 2013-02-07] (Tobit.Software)
HKU\S-1-5-21-3576753261-1654559635-1618898191-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
Startup: C:\Users\Tobselo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Tobselo\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCC1D71950A2FCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre8\bin\ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre8\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.com
FF NetworkProxy: "autoconfig_url", "https://secure.premiumize.me/b14557dbbd9013ae2f69facd9bd86bff/proxy.pac"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.0.2 - C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - C:\Program Files (x86)\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: FireShot - C:\Users\Tobselo\AppData\Roaming\Mozilla\Firefox\Profiles\ktk825x4.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba} [2014-03-14]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-13]

==================== Services (Whitelisted) =================

R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6812400 2014-03-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 Radio.fx; E:\Tobit Radio.fx\Server\rfx-server.exe [3999512 2013-06-03] ()

==================== Drivers (Whitelisted) ====================

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-03-25] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-03-25] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-03-25] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-03-25] (COMODO)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2014-04-18] (Malwarebytes Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-19 21:49 - 2014-04-19 21:49 - 00000732 _____ () C:\Users\Tobselo\Desktop\checkup.txt
2014-04-19 21:49 - 2014-04-19 21:49 - 00000000 ____D () C:\Users\Tobselo\Desktop\FRST-OlderVersion
2014-04-19 21:44 - 2014-04-19 21:44 - 00987448 _____ () C:\Users\Tobselo\Desktop\SecurityCheck.exe
2014-04-19 18:14 - 2014-04-19 18:14 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-04-19 18:12 - 2014-04-19 18:12 - 02347384 _____ (ESET) C:\Users\Tobselo\Downloads\esetsmartinstaller_enu.exe
2014-04-18 20:52 - 2014-03-06 11:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-18 20:52 - 2014-03-06 10:57 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-18 20:52 - 2014-03-06 10:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-18 20:52 - 2014-03-06 10:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-18 20:52 - 2014-03-06 10:02 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-04-18 20:52 - 2014-03-06 09:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-18 20:51 - 2014-03-06 12:21 - 23549440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-18 20:51 - 2014-03-06 11:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-04-18 20:51 - 2014-03-06 11:19 - 17387008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-18 20:51 - 2014-03-06 10:59 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-04-18 20:51 - 2014-03-06 10:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-04-18 20:51 - 2014-03-06 10:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-18 20:51 - 2014-03-06 10:40 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-18 20:51 - 2014-03-06 10:39 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-04-18 20:51 - 2014-03-06 10:29 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-18 20:51 - 2014-03-06 10:29 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-04-18 20:51 - 2014-03-06 10:28 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-04-18 20:51 - 2014-03-06 10:15 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-04-18 20:51 - 2014-03-06 10:11 - 05784064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-18 20:51 - 2014-03-06 10:09 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-04-18 20:51 - 2014-03-06 10:03 - 00586240 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-04-18 20:51 - 2014-03-06 10:02 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-18 20:51 - 2014-03-06 10:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-04-18 20:51 - 2014-03-06 09:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-04-18 20:51 - 2014-03-06 09:48 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-04-18 20:51 - 2014-03-06 09:47 - 02178048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-18 20:51 - 2014-03-06 09:46 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-18 20:51 - 2014-03-06 09:46 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-18 20:51 - 2014-03-06 09:45 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-18 20:51 - 2014-03-06 09:42 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-04-18 20:51 - 2014-03-06 09:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-04-18 20:51 - 2014-03-06 09:36 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-04-18 20:51 - 2014-03-06 09:22 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-04-18 20:51 - 2014-03-06 09:21 - 00628736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-18 20:51 - 2014-03-06 09:13 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-04-18 20:51 - 2014-03-06 09:11 - 02043904 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-18 20:51 - 2014-03-06 09:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-18 20:51 - 2014-03-06 09:01 - 00244224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-04-18 20:51 - 2014-03-06 08:53 - 13551104 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-18 20:51 - 2014-03-06 08:46 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-18 20:51 - 2014-03-06 08:40 - 01967104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-04-18 20:51 - 2014-03-06 08:36 - 11745792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-18 20:51 - 2014-03-06 08:22 - 02260480 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-18 20:51 - 2014-03-06 07:58 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-18 20:51 - 2014-03-06 07:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-04-18 20:51 - 2014-03-06 07:43 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-04-18 20:51 - 2014-03-06 07:41 - 01789440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-18 20:51 - 2014-03-06 07:36 - 01143808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-18 20:45 - 2014-04-18 20:49 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt
2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT
2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe
2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt
2014-04-18 18:46 - 2014-04-18 20:58 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt
2014-04-16 22:28 - 2014-04-18 21:04 - 00000336 _____ () C:\Windows\setupact.log
2014-04-16 22:28 - 2014-04-18 19:20 - 00002906 _____ () C:\Windows\PFRO.log
2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-16 22:10 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-04-16 22:10 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-04-16 22:10 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-04-16 22:10 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-04-16 22:09 - 2014-04-16 23:16 - 00000000 ____D () C:\Qoobox
2014-04-16 22:09 - 2014-04-16 22:30 - 00000000 ____D () C:\Windows\erdnt
2014-04-16 22:05 - 2014-04-16 22:07 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe
2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-14 21:13 - 2014-04-14 21:14 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe
2014-04-14 20:59 - 2014-04-14 21:00 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe
2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip
2014-04-14 20:07 - 2014-04-14 20:16 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log
2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe
2014-04-14 19:56 - 2014-04-19 21:51 - 00011275 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-14 19:36 - 2014-04-19 21:51 - 00000000 ____D () C:\FRST
2014-04-14 19:33 - 2014-04-19 21:49 - 02055680 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:06 - 2014-04-13 21:07 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-11 12:15 - 2014-03-04 11:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2014-04-11 12:15 - 2014-03-04 11:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-11 12:15 - 2014-03-04 11:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-11 12:15 - 2014-03-04 11:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-11 12:15 - 2014-03-04 10:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-11 12:15 - 2014-03-04 10:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-11 12:15 - 2014-02-04 04:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-04-11 12:15 - 2014-02-04 04:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-04-11 12:15 - 2014-02-04 04:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-04-11 12:15 - 2014-02-04 04:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-11 12:15 - 2014-01-24 04:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 12:30 - 2014-03-25 12:32 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 00:43 - 2014-04-18 19:29 - 00000000 ____D () C:\AdwCleaner
2014-03-23 00:41 - 2014-03-23 00:42 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol

==================== One Month Modified Files and Folders =======

2014-04-19 21:51 - 2014-04-14 19:56 - 00011275 _____ () C:\Users\Tobselo\Desktop\FRST.txt
2014-04-19 21:51 - 2014-04-14 19:36 - 00000000 ____D () C:\FRST
2014-04-19 21:49 - 2014-04-19 21:49 - 00000732 _____ () C:\Users\Tobselo\Desktop\checkup.txt
2014-04-19 21:49 - 2014-04-19 21:49 - 00000000 ____D () C:\Users\Tobselo\Desktop\FRST-OlderVersion
2014-04-19 21:49 - 2014-04-14 19:33 - 02055680 _____ (Farbar) C:\Users\Tobselo\Desktop\FRST64.exe
2014-04-19 21:46 - 2013-04-01 21:05 - 01474832 _____ () C:\Windows\system32\Drivers\sfi.dat
2014-04-19 21:44 - 2014-04-19 21:44 - 00987448 _____ () C:\Users\Tobselo\Desktop\SecurityCheck.exe
2014-04-19 21:42 - 2013-03-31 19:54 - 01049348 _____ () C:\Windows\WindowsUpdate.log
2014-04-19 19:04 - 2011-04-12 09:43 - 00699682 _____ () C:\Windows\system32\perfh007.dat
2014-04-19 19:04 - 2011-04-12 09:43 - 00149790 _____ () C:\Windows\system32\perfc007.dat
2014-04-19 19:04 - 2009-07-14 07:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-19 18:14 - 2014-04-19 18:14 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-04-19 18:12 - 2014-04-19 18:12 - 02347384 _____ (ESET) C:\Users\Tobselo\Downloads\esetsmartinstaller_enu.exe
2014-04-18 21:11 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-18 21:11 - 2009-07-14 06:45 - 00034608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-18 21:06 - 2013-04-01 21:32 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Skype
2014-04-18 21:05 - 2013-04-03 23:10 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Dropbox
2014-04-18 21:04 - 2014-04-16 22:28 - 00000336 _____ () C:\Windows\setupact.log
2014-04-18 21:04 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-18 20:58 - 2014-04-18 18:46 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-18 20:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-04-18 20:49 - 2014-04-18 20:45 - 00001494 _____ () C:\Users\Tobselo\Desktop\JRT.txt
2014-04-18 19:34 - 2014-04-18 19:34 - 00000000 ____D () C:\Windows\ERUNT
2014-04-18 19:33 - 2014-04-18 19:33 - 01016261 _____ (Thisisu) C:\Users\Tobselo\Desktop\JRT.exe
2014-04-18 19:31 - 2014-04-18 19:31 - 00001480 _____ () C:\Users\Tobselo\Desktop\AdwCleaner[S4].txt
2014-04-18 19:29 - 2014-03-23 00:43 - 00000000 ____D () C:\AdwCleaner
2014-04-18 19:24 - 2014-04-18 19:24 - 00001633 _____ () C:\Users\Tobselo\Desktop\Malwarebytes.txt
2014-04-18 19:20 - 2014-04-16 22:28 - 00002906 _____ () C:\Windows\PFRO.log
2014-04-18 19:19 - 2013-04-01 21:27 - 00000000 ____D () C:\Program Files (x86)\JDownloader 2
2014-04-18 18:45 - 2014-04-18 18:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-18 18:44 - 2014-04-18 18:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Tobselo\Downloads\mbam-setup-2.0.1.1004.exe
2014-04-17 00:55 - 2013-04-03 21:40 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\vlc
2014-04-16 23:16 - 2014-04-16 23:16 - 00023752 _____ () C:\ComboFix.txt
2014-04-16 23:16 - 2014-04-16 22:09 - 00000000 ____D () C:\Qoobox
2014-04-16 23:00 - 2009-07-14 04:34 - 00000215 _____ () C:\Windows\system.ini
2014-04-16 22:45 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2014-04-16 22:30 - 2014-04-16 22:09 - 00000000 ____D () C:\Windows\erdnt
2014-04-16 22:28 - 2014-04-16 22:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-16 22:07 - 2014-04-16 22:05 - 05194807 ____R (Swearware) C:\Users\Tobselo\Desktop\ComboFix.exe
2014-04-14 21:17 - 2013-10-17 20:43 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\Winamp
2014-04-14 21:17 - 2013-05-06 00:21 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\FileZilla
2014-04-14 21:17 - 2013-03-31 20:50 - 00000000 ____D () C:\Windows\Panther
2014-04-14 21:15 - 2014-04-14 21:15 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-04-14 21:15 - 2014-04-14 21:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-04-14 21:15 - 2014-04-14 21:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-14 21:14 - 2014-04-14 21:13 - 04765152 _____ (Piriform Ltd) C:\Users\Tobselo\Downloads\ccsetup411.exe
2014-04-14 21:00 - 2014-04-14 20:59 - 01426178 _____ () C:\Users\Tobselo\Downloads\adwcleaner3023.exe
2014-04-14 20:27 - 2014-04-14 20:27 - 00009156 _____ () C:\Users\Tobselo\Desktop\gmer.zip
2014-04-14 20:16 - 2014-04-14 20:07 - 00177488 _____ () C:\Users\Tobselo\Desktop\gmer.log
2014-04-14 20:07 - 2013-03-31 19:54 - 00000000 ____D () C:\Users\Tobselo
2014-04-14 19:58 - 2014-04-14 19:58 - 00380416 _____ () C:\Users\Tobselo\Desktop\Gmer-19357.exe
2014-04-14 19:54 - 2014-04-14 19:54 - 00000476 _____ () C:\Users\Tobselo\Desktop\defogger_disable.log
2014-04-14 19:54 - 2014-04-14 19:54 - 00000000 _____ () C:\Users\Tobselo\defogger_reenable
2014-04-14 19:53 - 2014-04-14 19:53 - 00050477 _____ () C:\Users\Tobselo\Desktop\Defogger.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00312728 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00191384 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00190872 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-13 21:08 - 2014-04-13 21:08 - 00111000 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-04-13 21:08 - 2014-04-13 21:08 - 00000000 ____D () C:\Program Files\Java
2014-04-13 21:07 - 2014-04-13 21:06 - 34121112 _____ (Oracle Corporation) C:\Users\Tobselo\Downloads\jre-8-windows-x64.exe
2014-04-13 20:34 - 2013-04-01 20:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-13 20:33 - 2014-03-12 21:30 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\TV-Browser
2014-04-13 20:30 - 2013-04-20 14:47 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-13 20:28 - 2013-08-02 00:17 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-13 20:24 - 2013-04-04 00:01 - 90655440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-04-13 18:49 - 2013-08-28 21:52 - 00013092 _____ () C:\Users\Tobselo\Documents\Stromzähler.xlsx
2014-04-09 21:54 - 2013-12-03 21:58 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\AdTrustMedia
2014-04-02 22:56 - 2014-04-02 22:56 - 00000000 ____D () C:\Users\Tobselo\AppData\Local\Skype
2014-04-02 22:55 - 2014-04-02 22:55 - 00002699 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-04-02 22:55 - 2014-04-02 22:55 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-02 22:55 - 2013-04-01 21:32 - 00000000 ____D () C:\ProgramData\Skype
2014-04-02 22:50 - 2013-04-01 22:04 - 00054108 _____ () C:\Windows\system32\Drivers\fvstore.dat
2014-04-02 22:32 - 2013-04-01 21:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-02 22:31 - 2013-04-01 21:05 - 00001838 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk
2014-03-31 01:35 - 2014-03-31 01:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Windows\SolidWorks
2014-03-26 10:25 - 2014-03-26 10:25 - 00000000 ____D () C:\Users\Tobselo\AppData\Roaming\SolidWorks
2014-03-25 21:22 - 2013-01-24 22:43 - 00453680 _____ (COMODO) C:\Windows\system32\guard64.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00363504 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2014-03-25 21:22 - 2013-01-24 22:43 - 00043216 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2014-03-25 21:22 - 2013-01-24 22:42 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2014-03-25 21:22 - 2013-01-16 19:51 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2014-03-25 21:22 - 2013-01-16 19:51 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2014-03-25 12:32 - 2014-03-25 12:30 - 00000000 ____D () C:\Users\Tobselo\Documents\Werzi
2014-03-23 14:19 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-03-23 00:42 - 2014-03-23 00:41 - 01950720 _____ () C:\Users\Tobselo\Downloads\adwcleaner_3.022.exe
2014-03-22 18:56 - 2014-03-22 18:56 - 00000512 __RSH () C:\ProgramData\ntuser.pol
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-22 18:56 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy

Some content of TEMP:
====================
C:\Users\Tobselo\AppData\Local\Temp\npp.6.5.5.Installer.exe
C:\Users\Tobselo\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-19 17:51

==================== End Of Log ============================
         
--- --- ---

--- --- ---

--- --- ---

Geändert von Tobselo (19.04.2014 um 21:10 Uhr)

Alt 20.04.2014, 18:08   #12
schrauber
/// the machine
/// TB-Ausbilder
 

Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Zitat:
C:\Users\Tobselo\Tools\X-Ways WinHex 17.3 SR-5\X-Ways WinHex 17.3 SR-5\keygen\keygen.exe"
Was isn das für ein Scheiss?
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 20.04.2014, 20:14   #13
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Ist nur ein Keygenerator für ein Programm...

Alt 21.04.2014, 20:18   #14
schrauber
/// the machine
/// TB-Ausbilder
 

Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Löschen, alles gecrackte und geklaute, auch an Software, fliegt umgehend auch, oder es gibt keinen weitren Support.
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 21.04.2014, 20:28   #15
Tobselo
 
Umleitung zu fake java-update - Standard

Umleitung zu fake java-update



Ok, ist weg.

Antwort

Themen zu Umleitung zu fake java-update
bereits, browser, defogger, defogger_disable.log, fake, falsche, falschen, firefox, frst.txt, gmer.log, hacktool.agent, hilfe, java update, java-update, problem, pup.mailpassview, pup.optional.opencandy, seite, seiten, umleitung



Ähnliche Themen: Umleitung zu fake java-update


  1. Win 7: Ständige Umleitung zu Java-Fake-Updateseiten
    Log-Analyse und Auswertung - 03.06.2014 (16)
  2. Firefox befallen von Java Update, Box mit Ads, Videoplayer update
    Plagegeister aller Art und deren Bekämpfung - 22.05.2014 (13)
  3. Videos untebrochen: Umleitung auf fake Java Seiten
    Plagegeister aller Art und deren Bekämpfung - 16.05.2014 (9)
  4. Windows Vista 32Bit: Probleme nach Reparatur von Fake Java Update mit MalwareBytes
    Alles rund um Windows - 13.05.2014 (9)
  5. Videos untebrochen: Umleitung auf fake Java Seiten
    Plagegeister aller Art und deren Bekämpfung - 12.05.2014 (9)
  6. Fake-Java Update stellt sich als webserch(-virus?)oder andere nervige software heraus
    Log-Analyse und Auswertung - 04.05.2014 (10)
  7. Fake Java-Umleitung
    Log-Analyse und Auswertung - 29.04.2014 (7)
  8. Windows 8.1 64 bit: Java Update Fake in allen Browsern (z.B. von mostshinstar.com)
    Log-Analyse und Auswertung - 26.04.2014 (23)
  9. Windows 7: Fake Java Seiten
    Log-Analyse und Auswertung - 24.04.2014 (14)
  10. [Win7] Sporadische Firefox Redirects zu fake "Java Update" Seiten
    Log-Analyse und Auswertung - 22.04.2014 (10)
  11. [Win7] Browser-Redirects zu fake "Java Update"
    Log-Analyse und Auswertung - 19.04.2014 (11)
  12. Fake JAVA(.exe) setup
    Plagegeister aller Art und deren Bekämpfung - 16.04.2014 (1)
  13. Umleitung zu (vermeintlichem) java-update
    Plagegeister aller Art und deren Bekämpfung - 14.04.2014 (11)
  14. Windows XP: Auf fake links für Flash und Java reingefallen
    Plagegeister aller Art und deren Bekämpfung - 26.02.2014 (11)
  15. Windows 7: 2 Rechner mit fake-Java-update und nicht eingrenzbarer Audio-Werbung in chrome befallen
    Log-Analyse und Auswertung - 10.02.2014 (22)
  16. Umleitung zu Java Update
    Plagegeister aller Art und deren Bekämpfung - 06.01.2014 (9)
  17. Umleitung auf 'get-new-java.com'
    Log-Analyse und Auswertung - 20.11.2013 (18)

Zum Thema Umleitung zu fake java-update - Hallo, ich habe das gleiche Problem wie bereits hier beschrieben: http://www.trojaner-board.de/150274-...va-update.html Wenn ich manche Seiten im Browser (Firefox) öffne, werde ich zu einer falschen Java Update Seite umgeleitet. Vielen Dank - Umleitung zu fake java-update...
Archiv
Du betrachtest: Umleitung zu fake java-update auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.