
Pests of all kinds and how to fight them: Maybe paranoid :)


13.12.2010, 14:43   #1
doc

Maybe paranoid :)



Hello,
I've had a problem for a little over a month now. It's a bit hard to describe, but I'll give it a try.

Whenever I turn on the PC, the normal boot procedure runs.
But shortly after the boot procedure finishes and Windows should be loading, an invisible line appears where nothing is shown (recognizable by a blinking prompt). This prompt moves down a total of 2 times without producing any output.
I have already run almost every virus scanner and rootkit detector I know of over it, almost always without any findings.
Only catchme spat out the following:
Code:
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error

I'm using Windows 7 32-bit.

Apart from the mysterious Windows prompt, I noticed that ports are opened and connections established for which I couldn't figure out what they might be for.
Code:
Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            admin-PC:0             ABHÖREN
  TCP    0.0.0.0:445            admin-PC:0             ABHÖREN
  TCP    0.0.0.0:1025           admin-PC:0             ABHÖREN
  TCP    0.0.0.0:1026           admin-PC:0             ABHÖREN
  TCP    0.0.0.0:1027           admin-PC:0             ABHÖREN
  TCP    0.0.0.0:1028           admin-PC:0             ABHÖREN
  TCP    0.0.0.0:1030           admin-PC:0             ABHÖREN
  TCP    0.0.0.0:1031           admin-PC:0             ABHÖREN
  TCP    0.0.0.0:3389           admin-PC:0             ABHÖREN
  TCP    127.0.0.1:1074         admin-PC:1075          HERGESTELLT
  TCP    127.0.0.1:1075         admin-PC:1074          HERGESTELLT
  TCP    127.0.0.1:1076         admin-PC:1077          HERGESTELLT
  TCP    127.0.0.1:1077         admin-PC:1076          HERGESTELLT
  TCP    127.0.0.1:6083         admin-PC:0             ABHÖREN
  TCP    127.0.0.1:31595        admin-PC:0             ABHÖREN
  TCP    192.168.0.156:139      admin-PC:0             ABHÖREN
  TCP    192.168.0.156:1040     admin-PC:17310         HERGESTELLT
  TCP    192.168.0.156:1061     216.163.188.45:http    SCHLIESSEN_WARTEN
  TCP    192.168.0.156:1655     194.30.77.11:http      HERGESTELLT
  TCP    192.168.0.156:1952     194.30.77.11:http      HERGESTELLT
  TCP    192.168.0.156:1953     194.30.77.11:http      HERGESTELLT
  TCP    192.168.0.156:2165     208.50.223.244:http    SCHLIESSEN_WARTEN
  TCP    192.168.0.156:17310    admin-PC:0             ABHÖREN
  TCP    192.168.0.156:17310    admin-PC:1040          HERGESTELLT
  TCP    [::]:135               admin-PC:0             ABHÖREN
  TCP    [::]:445               admin-PC:0             ABHÖREN
  TCP    [::]:1025              admin-PC:0             ABHÖREN
  TCP    [::]:1026              admin-PC:0             ABHÖREN
  TCP    [::]:1027              admin-PC:0             ABHÖREN
  TCP    [::]:1028              admin-PC:0             ABHÖREN
  TCP    [::]:1030              admin-PC:0             ABHÖREN
  TCP    [::]:1031              admin-PC:0             ABHÖREN
  TCP    [::]:3389              admin-PC:0             ABHÖREN
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    0.0.0.0:17310          *:*
  UDP    0.0.0.0:49152          *:*
  UDP    127.0.0.1:18001        *:*
  UDP    127.0.0.1:18002        *:*
  UDP    127.0.0.1:56551        *:*
  UDP    192.168.0.156:137      *:*
  UDP    192.168.0.156:138      *:*
  UDP    [::]:500               *:*
  UDP    [::]:4500              *:*
  UDP    [::]:5355              *:*
  UDP    [fe80::c5f0:bf73:7c5f:fb5d%11]:546  *:*

I'd be grateful for any help and apologize in advance for the somewhat convoluted description of my problem.


Regards,

doc


P.S. Since yesterday I've noticed the same prompt problem on my laptop, after it rebooted itself as if by magic.
What's striking there: some message appears for a millisecond before the GRUB menu shows up. I find this odd because I haven't done any updates or anything similar.
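A small triage script for a listing like the one in the post above, added here as an example and not part of the original post or of any tool the thread mentions. It parses German-locale `netstat -an` output as pasted from cmd.exe (including the cp850/cp1252 mojibake that turns ABHÖREN into ABH™REN when the text goes through a Western-encoded editor), normalizes the state names to their English equivalents, and separates what a responder looks at first: TCP listeners, loopback-only pairs, and connections whose peer is not a private or local address. It assumes Python 3 and takes the machine's own hostname (admin-PC in the listing) as a parameter; the sample lines are constructed from the listing in the post.

```python
"""Triage a pasted Windows `netstat -an` listing (German locale).

Added example, not from the original forum post. SAMPLE is constructed from the
listing in the post; "admin-PC" is the hostname that listing shows.
"""
import ipaddress
from collections import namedtuple

# German netstat state names as seen in the listing, mapped to the English ones.
# Any state not listed here is passed through unchanged.
STATE_MAP = {
    "ABHÖREN": "LISTENING",
    "HERGESTELLT": "ESTABLISHED",
    "SCHLIESSEN_WARTEN": "CLOSE_WAIT",
}

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")

# Constructed sample: a subset of the post's listing, one line with the mojibake.
SAMPLE = """\
Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            admin-PC:0             ABH™REN
  TCP    0.0.0.0:3389           admin-PC:0             ABHÖREN
  TCP    127.0.0.1:1074         admin-PC:1075          HERGESTELLT
  TCP    127.0.0.1:1075         admin-PC:1074          HERGESTELLT
  TCP    192.168.0.156:17310    admin-PC:0             ABHÖREN
  TCP    192.168.0.156:1655     194.30.77.11:http      HERGESTELLT
  TCP    192.168.0.156:2165     208.50.223.244:http    SCHLIESSEN_WARTEN
  TCP    [::]:445               admin-PC:0             ABHÖREN
  UDP    0.0.0.0:17310          *:*
  UDP    [fe80::c5f0:bf73:7c5f:fb5d%11]:546  *:*
"""


def fix_mojibake(token):
    """cmd.exe writes cp850, where 0x99 is 'Ö'; read as cp1252 that byte shows as '™'.
    Only tokens showing the symptom are re-decoded, so correct text is left alone."""
    if "™" not in token:
        return token
    try:
        return token.encode("cp1252").decode("cp850")
    except UnicodeError:
        return token


def split_endpoint(endpoint):
    """'[::]:135' -> ('::', 135); '194.30.77.11:http' -> ('194.30.77.11', 'http')."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")  # drop IPv6 brackets, keep any %scope suffix
    return host, int(port) if port.isdigit() else port


def parse_netstat(text):
    """Turn the pasted listing into Conn records; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        raw_state = fix_mojibake(parts[3]) if len(parts) > 3 else ""  # UDP has no state
        state = STATE_MAP.get(raw_state, raw_state)
        conns.append(Conn(parts[0], local_host, local_port, remote_host, remote_port, state))
    return conns


def is_local_peer(host, own_hostname):
    """True for the host itself, the wildcard, loopback, link-local and RFC1918 peers."""
    if host in ("*", own_hostname):
        return True
    try:
        ip = ipaddress.ip_address(host.split("%")[0])
    except ValueError:
        return False  # a DNS name we cannot classify offline: treat as non-local
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified


def triage(conns, own_hostname):
    """Split the listing into the three groups a responder checks first."""
    listening = sorted({(c.local_host, c.local_port) for c in conns
                        if c.proto == "TCP" and c.state == "LISTENING"})
    external = sorted((c.remote_host, c.remote_port, c.state) for c in conns
                      if c.state and c.state != "LISTENING"
                      and not is_local_peer(c.remote_host, own_hostname))
    loopback = sorted(c.local_port for c in conns
                      if c.local_host == "127.0.0.1" and c.state == "ESTABLISHED")
    return {"listening": listening, "external": external, "loopback_established": loopback}


if __name__ == "__main__":
    for group, entries in triage(parse_netstat(SAMPLE), "admin-PC").items():
        print(group, entries)
```

The "external" group is where attention goes first: in the post's own listing those are the HTTP peers, which still have to be tied to a process (netstat -ano gives the PID) before anything can be said about them, while the loopback pairs are typically local IPC and the wildcard listeners on 135/445/3389 are the RPC, SMB and Remote Desktop services that a default Windows 7 install exposes.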

13.12.2010, 14:48   #2
doc

Maybe paranoid :)

Attached is a GMER scan as well.

Code:
GMER 1.0.15.15530 - hxxp://www.gmer.net
Rootkit scan 2010-12-13 14:44:29
Windows 6.1.7600  Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-4 WDC_WD740ADFD-00NLR5 rev.21.07QR5
Running: test.exe.exe; Driver: C:\Users\admin\AppData\Local\Temp\aglcrpod.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Windows\system32\DRIVERS\PavProc.sys                                                                         ZwTerminateProcess [0xA00F04FE]
SSDT            \??\C:\Windows\system32\PavSRK.sys                                                                                  ZwWriteVirtualMemory [0x97EE3C30]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                     82A43599 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                              82A67F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!RtlSidHashLookup + 7B8                                                                                 82A6FCC8 4 Bytes  [FE, 04, 0F, A0]
.text           ntkrnlpa.exe!RtlSidHashLookup + 82C                                                                                 82A6FD3C 4 Bytes  [30, 3C, EE, 97] {XOR [ESI+EBP*8], BH; XCHG EDI, EAX}
.text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                                            section is writeable [0x90E3A000, 0x349D76, 0xE8000020]
?               C:\Windows\system32\PavTPK.sys                                                                                      Das System kann die angegebene Datei nicht finden. !
?               C:\Windows\system32\PavSRK.sys                                                                                      Das System kann die angegebene Datei nicht finden. !
?               system32\drivers\av5flt.sys                                                                                         Das System kann den angegebenen Pfad nicht finden. !
?               C:\Users\admin\AppData\Local\Temp\mbr.sys                                                                           Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtClose                                                                     77684930 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtClose + 4                                                                 77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtCreateFile                                                                77684A30 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtCreateFile + 4                                                            77684A34 2 Bytes  [6B, 5F]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtCreateKey                                                                 77684A70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtCreateKey + 4                                                             77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDeleteFile                                                                77684C70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDeleteFile + 4                                                            77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDeleteKey                                                                 77684C80 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDeleteKey + 4                                                             77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDeleteValueKey                                                            77684CB0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDeleteValueKey + 4                                                        77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDuplicateObject                                                           77684D00 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtDuplicateObject + 4                                                       77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtEnumerateKey                                                              77684D50 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtEnumerateKey + 4                                                          77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtEnumerateValueKey                                                         77684D80 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtEnumerateValueKey + 4                                                     77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtLoadDriver                                                                77684FC0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtLoadDriver + 4                                                            77684FC4 2 Bytes  [83, 5F]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtOpenFile                                                                  77685140 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtOpenFile + 4                                                              77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtQueryMultipleValueKey                                                     77685570 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtQueryMultipleValueKey + 4                                                 77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtQueryValueKey                                                             776856B0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtQueryValueKey + 4                                                         776856B4 2 Bytes  [62, 5F]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtReadFile                                                                  77685720 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtReadFile + 4                                                              77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtSetContextThread                                                          776859D0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtSetContextThread + 4                                                      776859D4 2 Bytes  [80, 5F]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtSetInformationFile                                                        77685AA0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtSetInformationFile + 4                                                    77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtSetValueKey                                                               77685C70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtSetValueKey + 4                                                           77685C74 2 Bytes  [65, 5F]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtUnloadKey                                                                 77685DD0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtUnloadKey + 4                                                             77685DD4 2 Bytes  [68, 5F]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtWriteFile                                                                 77685ED0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtWriteFile + 4                                                             77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtWriteVirtualMemory                                                        77685F00 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] ntdll.dll!NtWriteVirtualMemory + 4                                                    77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!CopyFileExW                                                              774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!CreateFileMappingW                                                       774D3A51 6 Bytes  JMP 5F400F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!TerminateProcess                                                         774D509B 6 Bytes  JMP 5F310F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!MoveFileWithProgressW                                                    774DBF04 6 Bytes  JMP 5F460F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!MapViewOfFile                                                            774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!CreateFileMappingA                                                       774DCCD1 6 Bytes  JMP 5F370F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!MapViewOfFileEx                                                          774E17B6 6 Bytes  JMP 5F340F5A 
.text           C:\Windows\Explorer.EXE[1772] kernel32.dll!CreateRemoteThread                                                       7751F4DB 6 Bytes  JMP 5F430F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!StartServiceW                                                            76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!OpenServiceW                                                             76AED20D 6 Bytes  JMP 5F220F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!OpenServiceA                                                             76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!CloseServiceHandle                                                       76AF9A61 6 Bytes  JMP 5F100F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!CreateServiceW                                                           76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!ControlService                                                           76B0DC74 6 Bytes  JMP 5F130F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!DeleteService                                                            76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!StartServiceA                                                            76B0F217 6 Bytes  JMP 5F250F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!ChangeServiceConfig2A                                                    76B22090 6 Bytes  JMP 5F0A0F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!ChangeServiceConfig2W                                                    76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!ChangeServiceConfigA                                                     76B220B0 6 Bytes  JMP 5F040F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!ChangeServiceConfigW                                                     76B220C0 6 Bytes  JMP 5F070F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!CreateServiceA                                                           76B22120 6 Bytes  JMP 5F160F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!LsaAddAccountRights                                                      76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           C:\Windows\Explorer.EXE[1772] ADVAPI32.dll!LsaRemoveAccountRights                                                   76B27869 6 Bytes  JMP 5F2E0F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!CreateAcceleratorTableW                                                    75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!CreateAcceleratorTableW + 4                                                75B0AC70 2 Bytes  [B0, 5F] {MOV AL, 0x5f}
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!GetAsyncKeyState                                                           75B0C09A 6 Bytes  JMP 5F970F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!BeginDeferWindowPos                                                        75B0C316 6 Bytes  JMP 5F8E0F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!AttachThreadInput                                                          75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!AttachThreadInput + 4                                                      75B0CBC1 2 Bytes  [9B, 5F] {WAIT ; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!PostMessageA                                                               75B0D656 6 Bytes  JMP 5FA90F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!SetWindowsHookExW                                                          75B1210A 6 Bytes  JMP 5FB20F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!DispatchMessageA                                                           75B13569 6 Bytes  JMP 5F910F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!GetKeyState                                                                75B14FDA 6 Bytes  JMP 5FA00F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!SetWinEventHook                                                            75B1507E 6 Bytes  JMP 5FAC0F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!PostMessageW                                                               75B16225 6 Bytes  JMP 5FA60F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!DispatchMessageW                                                           75B18E8D 6 Bytes  JMP 5FB50F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!TranslateMessage                                                           75B1910F 6 Bytes  JMP 5F940F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!SetClipboardData                                                           75B24979 6 Bytes  JMP 5FB80F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!GetKeyboardState                                                           75B36B3E 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!GetKeyboardState + 4                                                       75B36B42 2 Bytes  [9E, 5F] {SAHF ; POP EDI}
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!SetWindowsHookExA                                                          75B36DFA 6 Bytes  JMP 5F8B0F5A 
.text           C:\Windows\Explorer.EXE[1772] USER32.dll!DdeConnect                                                                 75B4EB83 6 Bytes  JMP 5FA30F5A 
.text           C:\Windows\Explorer.EXE[1772] ole32.dll!CLSIDFromProgIDEx                                                           7705F8B4 6 Bytes  JMP 5F850F5A 
.text           C:\Windows\Explorer.EXE[1772] ole32.dll!CLSIDFromProgID                                                             77074FD8 6 Bytes  JMP 5F880F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!sendto                                                                     77823AED 6 Bytes  JMP 5FC70F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!closesocket                                                                77823BED 6 Bytes  JMP 5FD90F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!WSARecvFrom                                                                7782418D 6 Bytes  JMP 5FD00F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!recv                                                                       778247DF 6 Bytes  JMP 5FBE0F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!connect                                                                    778248BE 6 Bytes  JMP 5FBB0F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!WSASend                                                                    778268A7 6 Bytes  JMP 5FD30F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!WSAConnect                                                                 7782BB9B 6 Bytes  JMP 5FCA0F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!recvfrom                                                                   7782BF39 6 Bytes  JMP 5FC10F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!WSARecv                                                                    7782C29F 6 Bytes  JMP 5FCD0F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!send                                                                       7782C4C8 6 Bytes  JMP 5FC40F5A 
.text           C:\Windows\Explorer.EXE[1772] WS2_32.dll!WSASendTo                                                                  7783ADC4 6 Bytes  JMP 5FD60F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!sendto                                  77823AED 6 Bytes  JMP 5F100F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!closesocket                             77823BED 6 Bytes  JMP 5F220F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!WSARecvFrom                             7782418D 6 Bytes  JMP 5F190F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!recv                                    778247DF 6 Bytes  JMP 5F070F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!connect                                 778248BE 6 Bytes  JMP 5F040F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!WSASend                                 778268A7 6 Bytes  JMP 5F1C0F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!WSAConnect                              7782BB9B 6 Bytes  JMP 5F130F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!recvfrom                                7782BF39 6 Bytes  JMP 5F0A0F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!WSARecv                                 7782C29F 6 Bytes  JMP 5F160F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!send                                    7782C4C8 6 Bytes  JMP 5F0D0F5A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[2196] ws2_32.DLL!WSASendTo                               7783ADC4 6 Bytes  JMP 5F1F0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtClose                                                77684930 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtClose + 4                                            77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtCreateFile                                           77684A30 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtCreateFile + 4                                       77684A34 2 Bytes  [6B, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtCreateKey                                            77684A70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtCreateKey + 4                                        77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDeleteFile                                           77684C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDeleteFile + 4                                       77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDeleteKey                                            77684C80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDeleteKey + 4                                        77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDeleteValueKey                                       77684CB0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDeleteValueKey + 4                                   77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDuplicateObject                                      77684D00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtDuplicateObject + 4                                  77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtEnumerateKey                                         77684D50 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtEnumerateKey + 4                                     77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtEnumerateValueKey                                    77684D80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtEnumerateValueKey + 4                                77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtLoadDriver                                           77684FC0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtLoadDriver + 4                                       77684FC4 2 Bytes  [83, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtOpenFile                                             77685140 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtOpenFile + 4                                         77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtQueryMultipleValueKey                                77685570 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtQueryMultipleValueKey + 4                            77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtQueryValueKey                                        776856B0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtQueryValueKey + 4                                    776856B4 2 Bytes  [62, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtReadFile                                             77685720 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtReadFile + 4                                         77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtSetContextThread                                     776859D0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtSetContextThread + 4                                 776859D4 2 Bytes  [80, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtSetInformationFile                                   77685AA0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtSetInformationFile + 4                               77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtSetValueKey                                          77685C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtSetValueKey + 4                                      77685C74 2 Bytes  [65, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtUnloadKey                                            77685DD0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtUnloadKey + 4                                        77685DD4 2 Bytes  [68, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtWriteFile                                            77685ED0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtWriteFile + 4                                        77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtWriteVirtualMemory                                   77685F00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ntdll.dll!NtWriteVirtualMemory + 4                               77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!CopyFileExW                                         774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!CreateFileMappingW                                  774D3A51 6 Bytes  JMP 5F400F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!TerminateProcess                                    774D509B 6 Bytes  JMP 5F310F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!MoveFileWithProgressW                               774DBF04 6 Bytes  JMP 5F460F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!MapViewOfFile                                       774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!CreateFileMappingA                                  774DCCD1 6 Bytes  JMP 5F370F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!MapViewOfFileEx                                     774E17B6 6 Bytes  JMP 5F340F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] KERNEL32.dll!CreateRemoteThread                                  7751F4DB 6 Bytes  JMP 5F430F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!CreateAcceleratorTableW                               75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!CreateAcceleratorTableW + 4                           75B0AC70 2 Bytes  [B6, 5F] {MOV DH, 0x5f}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!GetAsyncKeyState                                      75B0C09A 6 Bytes  JMP 5F9D0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!BeginDeferWindowPos                                   75B0C316 6 Bytes  JMP 5F940F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!AttachThreadInput                                     75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!AttachThreadInput + 4                                 75B0CBC1 2 Bytes  [A1, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!PostMessageA                                          75B0D656 6 Bytes  JMP 5FAF0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!SetWindowsHookExW                                     75B1210A 6 Bytes  JMP 5FB80F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!DispatchMessageA                                      75B13569 6 Bytes  JMP 5F970F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!GetKeyState                                           75B14FDA 6 Bytes  JMP 5FA60F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!SetWinEventHook                                       75B1507E 6 Bytes  JMP 5FB20F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!PostMessageW                                          75B16225 6 Bytes  JMP 5FAC0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!DispatchMessageW                                      75B18E8D 6 Bytes  JMP 5FBB0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!TranslateMessage                                      75B1910F 6 Bytes  JMP 5F9A0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!SetClipboardData                                      75B24979 6 Bytes  JMP 5FBE0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!GetKeyboardState                                      75B36B3E 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!GetKeyboardState + 4                                  75B36B42 2 Bytes  [A4, 5F] {MOVSB ; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!SetWindowsHookExA                                     75B36DFA 6 Bytes  JMP 5F910F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] USER32.dll!DdeConnect                                            75B4EB83 6 Bytes  JMP 5FA90F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!StartServiceW                                       76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!OpenServiceW                                        76AED20D 6 Bytes  JMP 5F220F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!OpenServiceA                                        76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!CloseServiceHandle                                  76AF9A61 6 Bytes  JMP 5F100F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!CreateServiceW                                      76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!ControlService                                      76B0DC74 6 Bytes  JMP 5F130F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!DeleteService                                       76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!StartServiceA                                       76B0F217 6 Bytes  JMP 5F250F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!ChangeServiceConfig2A                               76B22090 6 Bytes  JMP 5F0A0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!ChangeServiceConfig2W                               76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!ChangeServiceConfigA                                76B220B0 6 Bytes  JMP 5F040F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!ChangeServiceConfigW                                76B220C0 6 Bytes  JMP 5F070F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!CreateServiceA                                      76B22120 6 Bytes  JMP 5F160F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!LsaAddAccountRights                                 76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ADVAPI32.dll!LsaRemoveAccountRights                              76B27869 6 Bytes  JMP 5F2E0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ole32.dll!CLSIDFromProgIDEx                                      7705F8B4 6 Bytes  JMP 5F850F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ole32.dll!CLSIDFromProgID                                        77074FD8 6 Bytes  JMP 5F880F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ole32.dll!CoGetClassObject                                       7708A394 6 Bytes  JMP 5F8B0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe[2496] ole32.dll!CoCreateInstanceEx                                     770A594F 6 Bytes  JMP 5F8E0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtClose                                                            77684930 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtClose + 4                                                        77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtCreateFile                                                       77684A30 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtCreateFile + 4                                                   77684A34 2 Bytes  [6B, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtCreateKey                                                        77684A70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtCreateKey + 4                                                    77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDeleteFile                                                       77684C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDeleteFile + 4                                                   77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDeleteKey                                                        77684C80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDeleteKey + 4                                                    77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDeleteValueKey                                                   77684CB0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDeleteValueKey + 4                                               77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDuplicateObject                                                  77684D00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtDuplicateObject + 4                                              77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtEnumerateKey                                                     77684D50 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtEnumerateKey + 4                                                 77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtEnumerateValueKey                                                77684D80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtEnumerateValueKey + 4                                            77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtLoadDriver                                                       77684FC0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtLoadDriver + 4                                                   77684FC4 2 Bytes  [83, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtOpenFile                                                         77685140 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtOpenFile + 4                                                     77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtQueryMultipleValueKey                                            77685570 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtQueryMultipleValueKey + 4                                        77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtQueryValueKey                                                    776856B0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtQueryValueKey + 4                                                776856B4 2 Bytes  [62, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtReadFile                                                         77685720 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtReadFile + 4                                                     77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtSetContextThread                                                 776859D0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtSetContextThread + 4                                             776859D4 2 Bytes  [80, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtSetInformationFile                                               77685AA0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtSetInformationFile + 4                                           77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtSetValueKey                                                      77685C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtSetValueKey + 4                                                  77685C74 2 Bytes  [65, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtUnloadKey                                                        77685DD0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtUnloadKey + 4                                                    77685DD4 2 Bytes  [68, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtWriteFile                                                        77685ED0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtWriteFile + 4                                                    77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtWriteVirtualMemory                                               77685F00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!NtWriteVirtualMemory + 4                                           77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           D:\Programme\Firefox\firefox.exe[2684] ntdll.dll!LdrLoadDll                                                         7769F625 5 Bytes  JMP 00C413F0 D:\Programme\Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!CopyFileExW                                                     774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!CreateFileMappingW                                              774D3A51 6 Bytes  JMP 5F400F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!TerminateProcess                                                774D509B 6 Bytes  JMP 5F310F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!MoveFileWithProgressW                                           774DBF04 6 Bytes  JMP 5F460F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!MapViewOfFile                                                   774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!CreateFileMappingA                                              774DCCD1 6 Bytes  JMP 5F370F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!MapViewOfFileEx                                                 774E17B6 6 Bytes  JMP 5F340F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] kernel32.dll!CreateRemoteThread                                              7751F4DB 6 Bytes  JMP 5F430F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!StartServiceW                                                   76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!OpenServiceW                                                    76AED20D 6 Bytes  JMP 5F220F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!OpenServiceA                                                    76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!CloseServiceHandle                                              76AF9A61 6 Bytes  JMP 5F100F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!CreateServiceW                                                  76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!ControlService                                                  76B0DC74 6 Bytes  JMP 5F130F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!DeleteService                                                   76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!StartServiceA                                                   76B0F217 6 Bytes  JMP 5F250F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!ChangeServiceConfig2A                                           76B22090 6 Bytes  JMP 5F0A0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!ChangeServiceConfig2W                                           76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!ChangeServiceConfigA                                            76B220B0 6 Bytes  JMP 5F040F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!ChangeServiceConfigW                                            76B220C0 6 Bytes  JMP 5F070F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!CreateServiceA                                                  76B22120 6 Bytes  JMP 5F160F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!LsaAddAccountRights                                             76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ADVAPI32.dll!LsaRemoveAccountRights                                          76B27869 6 Bytes  JMP 5F2E0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!sendto                                                            77823AED 6 Bytes  JMP 5FCD0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!closesocket                                                       77823BED 6 Bytes  JMP 5FDF0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!WSARecvFrom                                                       7782418D 6 Bytes  JMP 5FD60F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!recv                                                              778247DF 6 Bytes  JMP 5FC40F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!connect                                                           778248BE 6 Bytes  JMP 5FC10F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!WSASend                                                           778268A7 6 Bytes  JMP 5FD90F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!WSAConnect                                                        7782BB9B 6 Bytes  JMP 5FD00F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!recvfrom                                                          7782BF39 6 Bytes  JMP 5FC70F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!WSARecv                                                           7782C29F 6 Bytes  JMP 5FD30F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!send                                                              7782C4C8 6 Bytes  JMP 5FCA0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] WS2_32.dll!WSASendTo                                                         7783ADC4 6 Bytes  JMP 5FDC0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!CreateAcceleratorTableW                                           75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!CreateAcceleratorTableW + 4                                       75B0AC70 2 Bytes  [B6, 5F] {MOV DH, 0x5f}
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!GetAsyncKeyState                                                  75B0C09A 6 Bytes  JMP 5F9D0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!BeginDeferWindowPos                                               75B0C316 6 Bytes  JMP 5F940F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!AttachThreadInput                                                 75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!AttachThreadInput + 4                                             75B0CBC1 2 Bytes  [A1, 5F]
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!PostMessageA                                                      75B0D656 6 Bytes  JMP 5FAF0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!SetWindowsHookExW                                                 75B1210A 6 Bytes  JMP 5FB80F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!DispatchMessageA                                                  75B13569 6 Bytes  JMP 5F970F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!GetKeyState                                                       75B14FDA 6 Bytes  JMP 5FA60F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!SetWinEventHook                                                   75B1507E 6 Bytes  JMP 5FB20F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!PostMessageW                                                      75B16225 6 Bytes  JMP 5FAC0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!DispatchMessageW                                                  75B18E8D 6 Bytes  JMP 5FBB0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!TranslateMessage                                                  75B1910F 6 Bytes  JMP 5F9A0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!SetClipboardData                                                  75B24979 6 Bytes  JMP 5FBE0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!GetKeyboardState                                                  75B36B3E 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!GetKeyboardState + 4                                              75B36B42 2 Bytes  [A4, 5F] {MOVSB ; POP EDI}
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!SetWindowsHookExA                                                 75B36DFA 6 Bytes  JMP 5F910F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] USER32.dll!DdeConnect                                                        75B4EB83 6 Bytes  JMP 5FA90F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ole32.dll!CLSIDFromProgIDEx                                                  7705F8B4 6 Bytes  JMP 5F850F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ole32.dll!CLSIDFromProgID                                                    77074FD8 6 Bytes  JMP 5F880F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ole32.dll!CoGetClassObject                                                   7708A394 6 Bytes  JMP 5F8B0F5A 
.text           D:\Programme\Firefox\firefox.exe[2684] ole32.dll!CoCreateInstanceEx                                                 770A594F 6 Bytes  JMP 5F8E0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtClose                                                77684930 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtClose + 4                                            77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtCreateFile                                           77684A30 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtCreateFile + 4                                       77684A34 2 Bytes  [6B, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtCreateKey                                            77684A70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtCreateKey + 4                                        77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDeleteFile                                           77684C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDeleteFile + 4                                       77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDeleteKey                                            77684C80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDeleteKey + 4                                        77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDeleteValueKey                                       77684CB0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDeleteValueKey + 4                                   77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDuplicateObject                                      77684D00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtDuplicateObject + 4                                  77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtEnumerateKey                                         77684D50 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtEnumerateKey + 4                                     77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtEnumerateValueKey                                    77684D80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtEnumerateValueKey + 4                                77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtLoadDriver                                           77684FC0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtLoadDriver + 4                                       77684FC4 2 Bytes  [83, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtOpenFile                                             77685140 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtOpenFile + 4                                         77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtQueryMultipleValueKey                                77685570 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtQueryMultipleValueKey + 4                            77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtQueryValueKey                                        776856B0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtQueryValueKey + 4                                    776856B4 2 Bytes  [62, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtReadFile                                             77685720 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtReadFile + 4                                         77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtSetContextThread                                     776859D0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtSetContextThread + 4                                 776859D4 2 Bytes  [80, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtSetInformationFile                                   77685AA0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtSetInformationFile + 4                               77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtSetValueKey                                          77685C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtSetValueKey + 4                                      77685C74 2 Bytes  [65, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtUnloadKey                                            77685DD0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtUnloadKey + 4                                        77685DD4 2 Bytes  [68, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtWriteFile                                            77685ED0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtWriteFile + 4                                        77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtWriteVirtualMemory                                   77685F00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ntdll.dll!NtWriteVirtualMemory + 4                               77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!CopyFileExW                                         774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!CreateFileMappingW                                  774D3A51 6 Bytes  JMP 5F400F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!TerminateProcess                                    774D509B 6 Bytes  JMP 5F310F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!MoveFileWithProgressW                               774DBF04 6 Bytes  JMP 5F460F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!MapViewOfFile                                       774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!CreateFileMappingA                                  774DCCD1 6 Bytes  JMP 5F370F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!MapViewOfFileEx                                     774E17B6 6 Bytes  JMP 5F340F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] KERNEL32.dll!CreateRemoteThread                                  7751F4DB 6 Bytes  JMP 5F430F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!StartServiceW                                       76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!OpenServiceW                                        76AED20D 6 Bytes  JMP 5F220F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!OpenServiceA                                        76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!CloseServiceHandle                                  76AF9A61 6 Bytes  JMP 5F100F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!CreateServiceW                                      76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!ControlService                                      76B0DC74 6 Bytes  JMP 5F130F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!DeleteService                                       76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!StartServiceA                                       76B0F217 6 Bytes  JMP 5F250F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!ChangeServiceConfig2A                               76B22090 6 Bytes  JMP 5F0A0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!ChangeServiceConfig2W                               76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!ChangeServiceConfigA                                76B220B0 6 Bytes  JMP 5F040F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!ChangeServiceConfigW                                76B220C0 6 Bytes  JMP 5F070F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!CreateServiceA                                      76B22120 6 Bytes  JMP 5F160F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!LsaAddAccountRights                                 76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ADVAPI32.dll!LsaRemoveAccountRights                              76B27869 6 Bytes  JMP 5F2E0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!CreateAcceleratorTableW                               75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!CreateAcceleratorTableW + 4                           75B0AC70 2 Bytes  [B6, 5F] {MOV DH, 0x5f}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!GetAsyncKeyState                                      75B0C09A 6 Bytes  JMP 5F9D0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!BeginDeferWindowPos                                   75B0C316 6 Bytes  JMP 5F940F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!AttachThreadInput                                     75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!AttachThreadInput + 4                                 75B0CBC1 2 Bytes  [A1, 5F]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!PostMessageA                                          75B0D656 6 Bytes  JMP 5FAF0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!SetWindowsHookExW                                     75B1210A 6 Bytes  JMP 5FB80F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!DispatchMessageA                                      75B13569 6 Bytes  JMP 5F970F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!GetKeyState                                           75B14FDA 6 Bytes  JMP 5FA60F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!SetWinEventHook                                       75B1507E 6 Bytes  JMP 5FB20F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!PostMessageW                                          75B16225 6 Bytes  JMP 5FAC0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!DispatchMessageW                                      75B18E8D 6 Bytes  JMP 5FBB0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!TranslateMessage                                      75B1910F 6 Bytes  JMP 5F9A0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!SetClipboardData                                      75B24979 6 Bytes  JMP 5FBE0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!GetKeyboardState                                      75B36B3E 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!GetKeyboardState + 4                                  75B36B42 2 Bytes  [A4, 5F] {MOVSB ; POP EDI}
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!SetWindowsHookExA                                     75B36DFA 6 Bytes  JMP 5F910F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] USER32.dll!DdeConnect                                            75B4EB83 6 Bytes  JMP 5FA90F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ole32.dll!CLSIDFromProgIDEx                                      7705F8B4 6 Bytes  JMP 5F850F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ole32.dll!CLSIDFromProgID                                        77074FD8 6 Bytes  JMP 5F880F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ole32.dll!CoGetClassObject                                       7708A394 6 Bytes  JMP 5F8B0F5A 
.text           D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe[3852] ole32.dll!CoCreateInstanceEx                                     770A594F 6 Bytes  JMP 5F8E0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtClose                          77684930 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtClose + 4                      77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtCreateFile                     77684A30 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtCreateFile + 4                 77684A34 2 Bytes  [6B, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtCreateKey                      77684A70 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtCreateKey + 4                  77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDeleteFile                     77684C70 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDeleteFile + 4                 77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDeleteKey                      77684C80 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDeleteKey + 4                  77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDeleteValueKey                 77684CB0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDeleteValueKey + 4             77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDuplicateObject                77684D00 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtDuplicateObject + 4            77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtEnumerateKey                   77684D50 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtEnumerateKey + 4               77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtEnumerateValueKey              77684D80 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtEnumerateValueKey + 4          77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtLoadDriver                     77684FC0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtLoadDriver + 4                 77684FC4 2 Bytes  [83, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtOpenFile                       77685140 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtOpenFile + 4                   77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtQueryInformationProcess        776854B0 5 Bytes  JMP 01195C70 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtQueryMultipleValueKey          77685570 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtQueryMultipleValueKey + 4      77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtQueryValueKey                  776856B0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtQueryValueKey + 4              776856B4 2 Bytes  [62, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtReadFile                       77685720 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtReadFile + 4                   77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtSetContextThread               776859D0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtSetContextThread + 4           776859D4 2 Bytes  [80, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtSetInformationFile             77685AA0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtSetInformationFile + 4         77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtSetValueKey                    77685C70 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtSetValueKey + 4                77685C74 2 Bytes  [65, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtUnloadKey                      77685DD0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtUnloadKey + 4                  77685DD4 2 Bytes  [68, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtWriteFile                      77685ED0 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtWriteFile + 4                  77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtWriteVirtualMemory             77685F00 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ntdll.dll!NtWriteVirtualMemory + 4         77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CopyFileExW                   774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CreateFileMappingW            774D3A51 6 Bytes  JMP 5F400F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!TerminateProcess              774D509B 6 Bytes  JMP 5F310F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!WriteConsoleW + 35            774DB020 6 Bytes  JMP 012A1080 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!MoveFileWithProgressW         774DBF04 6 Bytes  JMP 5F460F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!MapViewOfFile                 774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CreateFileMappingA            774DCCD1 6 Bytes  JMP 5F370F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!DeviceIoControl               774DEBDD 5 Bytes  JMP 01195FB0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CreateFileW                   774E0B7D 5 Bytes  JMP 01195E90 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!MapViewOfFileEx               774E17B6 6 Bytes  JMP 5F340F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CreateFileA                   774E291C 1 Byte  [E9]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CreateFileA                   774E291C 5 Bytes  JMP 01195D20 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] kernel32.dll!CreateRemoteThread            7751F4DB 6 Bytes  JMP 5F430F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!CreateAcceleratorTableW         75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!CreateAcceleratorTableW + 4     75B0AC70 2 Bytes  [B6, 5F] {MOV DH, 0x5f}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!GetAsyncKeyState                75B0C09A 6 Bytes  JMP 5F9D0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!BeginDeferWindowPos             75B0C316 6 Bytes  JMP 5F940F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!AttachThreadInput               75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!AttachThreadInput + 4           75B0CBC1 2 Bytes  [A1, 5F]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!PostMessageA                    75B0D656 6 Bytes  JMP 5FAF0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!SetWindowsHookExW               75B1210A 6 Bytes  JMP 5FB80F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!DispatchMessageA                75B13569 6 Bytes  JMP 5F970F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!GetKeyState                     75B14FDA 6 Bytes  JMP 5FA60F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!SetWinEventHook                 75B1507E 6 Bytes  JMP 5FB20F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!PostMessageW                    75B16225 6 Bytes  JMP 5FAC0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!DispatchMessageW                75B18E8D 6 Bytes  JMP 5FBB0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!TranslateMessage                75B1910F 6 Bytes  JMP 5F9A0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!SetClipboardData                75B24979 6 Bytes  JMP 5FBE0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!ChangeDisplaySettingsExA        75B281B7 5 Bytes  JMP 0119AD70 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!GetKeyboardState                75B36B3E 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!GetKeyboardState + 4            75B36B42 2 Bytes  [A4, 5F] {MOVSB ; POP EDI}
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!SetWindowsHookExA               75B36DFA 6 Bytes  JMP 5F910F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!DdeConnect                      75B4EB83 6 Bytes  JMP 5FA90F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] USER32.dll!ChangeDisplaySettingsExW        75B4FA61 5 Bytes  JMP 0119ADA0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegFlushKey                   76AE89EF 5 Bytes  JMP 01138EE0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!StartServiceW                 76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!OpenServiceW                  76AED20D 6 Bytes  JMP 5F220F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegOpenKeyA                   76AED2ED 5 Bytes  JMP 01139110 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegCreateKeyA                 76AED3C1 5 Bytes  JMP 01138F10 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegQueryValueA                76AED403 7 Bytes  JMP 01139210 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegDeleteValueW               76AED521 5 Bytes  JMP 01139020 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegEnumValueA                 76AED539 5 Bytes  JMP 011390B0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegDeleteValueA               76AF194E 5 Bytes  JMP 01138FF0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegQueryInfoKeyA              76AF1966 5 Bytes  JMP 011391B0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegDeleteKeyW                 76AF197E 7 Bytes  JMP 01138FC0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegCreateKeyExA               76AF1B71 5 Bytes  JMP 01138F50 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegEnumKeyExA                 76AF1B89 5 Bytes  JMP 01139050 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegSetValueExA                76AF1B96 5 Bytes  JMP 01139330 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegSetValueExW                76AF1C82 5 Bytes  JMP 01139360 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegCreateKeyW                 76AF1CC0 5 Bytes  JMP 01138F30 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegOpenKeyW                   76AF3129 5 Bytes  JMP 01139130 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!OpenServiceA                  76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!CloseServiceHandle            76AF9A61 6 Bytes  JMP 5F100F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegCreateKeyExW               76AFB946 5 Bytes  JMP 01138F70 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegQueryValueW                76AFB96B 7 Bytes  JMP 01139240 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegQueryInfoKeyW              76AFBB42 5 Bytes  JMP 011391E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegEnumKeyExW                 76AFBB65 5 Bytes  JMP 01139080 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegEnumValueW                 76AFBB72 5 Bytes  JMP 011390E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegOpenKeyExA                 76AFBC0D 5 Bytes  JMP 01139150 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegQueryValueExA              76AFBC25 5 Bytes  JMP 01139270 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegQueryValueExW              76AFBCD5 5 Bytes  JMP 011392A0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegOpenKeyExW                 76AFBEC4 5 Bytes  JMP 01139180 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegCloseKey                   76AFBED4 5 Bytes  JMP 01138EB0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!CreateServiceW                76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!ControlService                76B0DC74 6 Bytes  JMP 5F130F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!DeleteService                 76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!StartServiceA                 76B0F217 6 Bytes  JMP 5F250F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegSetValueW                  76B0FA72 5 Bytes  JMP 01139300 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegDeleteKeyA                 76B10499 5 Bytes  JMP 01138F90 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!ChangeServiceConfig2A         76B22090 6 Bytes  JMP 5F0A0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!ChangeServiceConfig2W         76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!ChangeServiceConfigA          76B220B0 6 Bytes  JMP 5F040F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!ChangeServiceConfigW          76B220C0 6 Bytes  JMP 5F070F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!CreateServiceA                76B22120 6 Bytes  JMP 5F160F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!LsaAddAccountRights           76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!LsaRemoveAccountRights        76B27869 6 Bytes  JMP 5F2E0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ADVAPI32.dll!RegSetValueA                  76B3F529 5 Bytes  JMP 011392D0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ole32.dll!CLSIDFromProgIDEx                7705F8B4 6 Bytes  JMP 5F850F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ole32.dll!CLSIDFromProgID                  77074FD8 6 Bytes  JMP 5F880F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ole32.dll!CoGetClassObject                 7708A394 6 Bytes  JMP 5F8B0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ole32.dll!CoCreateInstance                 770A590C 5 Bytes  JMP 01139500 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ole32.dll!CoCreateInstanceEx               770A594F 6 Bytes  JMP 5F8E0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!sendto                          77823AED 6 Bytes  JMP 5FCD0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!closesocket                     77823BED 6 Bytes  JMP 5FDF0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!WSARecvFrom                     7782418D 6 Bytes  JMP 5FD60F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!recv                            778247DF 6 Bytes  JMP 5FC40F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!connect                         778248BE 6 Bytes  JMP 5FC10F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!WSASend                         778268A7 6 Bytes  JMP 5FD90F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!WSAConnect                      7782BB9B 6 Bytes  JMP 5FD00F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!recvfrom                        7782BF39 6 Bytes  JMP 5FC70F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!WSARecv                         7782C29F 6 Bytes  JMP 5FD30F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!send                            7782C4C8 6 Bytes  JMP 5FCA0F5A 
.text           C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!WSASendTo                       7783ADC4 6 Bytes  JMP 5FDC0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtClose                                                              77684930 3 Bytes  [FF, 25, 1E]
         
__________________
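The GMER output above is a list of user-mode inline hooks: for every running process it names the patched export, the patch bytes, and (where it could resolve it) the jump destination. Two things stand out when you read it across processes: the direct hooks all jump into addresses of the form 0x5Fxx0F5A, and the ntdll hooks are the same `FF 25 ...` indirect jump with the same `xx 5F` pointer bytes in WinRAR.exe, test.exe.exe and cmd.exe alike. The parser below is an added example (not code from the poster, from GMER or from this forum) that extracts exactly that from the log: it merges GMER's per-offset fragments into one record per hooked export, recovers the destination region for both the `JMP xxxxxxxx` form and the split `[FF, 25, 1E]` / `+ 4 [xx, 5F]` form, and reports which exports are hooked identically in every process. The sample input is a handful of lines copied from the log in this thread; the interpretation of `FF 25` followed by an imm32 as `jmp dword ptr [imm32]`, with the unreported byte +3 assumed unchanged, is the example's own assumption, as is the name of every function here.

```python
"""Parse the user-mode hook lines GMER prints (".text <process>[<pid>] <module>!<export> ...")
and check whether the same exports jump to the same place in every process."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the GMER log posted in this thread (whitespace collapsed).
SAMPLE_LOG = r"""
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] ole32.dll!CoCreateInstance 770A590C 5 Bytes JMP 01139500 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe (Media Player Classic - Home Cinema/MPC-HC Team)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[4336] WS2_32.dll!connect 778248BE 6 Bytes JMP 5FC10F5A
.text D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtClose 77684930 3 Bytes [FF, 25, 1E]
.text D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtClose + 4 77684934 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!CreateRemoteThread 7751F4DB 6 Bytes JMP 5F430F5A
.text C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtClose 77684930 3 Bytes [FF, 25, 1E]
.text C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtClose + 4 77684934 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!CreateRemoteThread 7751F4DB 6 Bytes JMP 5F430F5A
.text C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtClose 77684930 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtClose + 4 77684934 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
"""

LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>\S+?)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes\s+(?P<rest>.*)$")
JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]{8})(?:\s+(.*))?$")
BYTES_RE = re.compile(r"^\[([0-9A-Fa-f,\s]+)\]")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    function: str
    address: int            # address of the patched export
    kind: str               # "jmp" (GMER resolved the destination), "jmp_ind" (FF 25 [ptr]) or "patch"
    target: Optional[int]   # full destination, only known for "jmp"
    target_hi16: int        # upper 16 bits of the destination ("jmp") or of the pointer slot ("jmp_ind")
    annotation: str         # module/vendor GMER printed after the destination, if any


def parse_gmer_hooks(text):
    """Merge the per-offset fragments GMER prints for one export into a single Hook."""
    frags = {}  # (process, pid, module, export) -> {"addr", "bytes", "jmp", "ann"}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proc"], int(m["pid"]), m["mod"], m["func"])
        f = frags.setdefault(key, {"addr": None, "bytes": {}, "jmp": None, "ann": ""})
        off = int(m["off"] or 0)
        f["addr"] = int(m["addr"], 16) - off       # "export + 4" lines point 4 bytes past the export
        rest = m["rest"].strip()
        j = JMP_RE.match(rest)
        if j:
            f["jmp"], f["ann"] = int(j.group(1), 16), (j.group(2) or "").strip()
            continue
        b = BYTES_RE.match(rest)
        if b:
            for i, tok in enumerate(b.group(1).split(",")):
                f["bytes"][off + i] = int(tok, 16)
    hooks = []
    for (proc, pid, mod, func), f in frags.items():
        b = f["bytes"]
        if f["jmp"] is not None:
            hooks.append(Hook(proc, pid, mod, func, f["addr"], "jmp", f["jmp"], f["jmp"] >> 16, f["ann"]))
        elif b.get(0) == 0xFF and b.get(1) == 0x25 and all(k in b for k in (2, 4, 5)):
            # FF 25 imm32 = "jmp dword ptr [imm32]". GMER only prints bytes that differ from the
            # file on disk, so the pointer's byte +3 is unreported (assumed unchanged here); bytes
            # +4/+5 give its upper 16 bits, which is enough to see which region it lives in.
            hooks.append(Hook(proc, pid, mod, func, f["addr"], "jmp_ind", None, (b[5] << 8) | b[4], ""))
        else:
            hooks.append(Hook(proc, pid, mod, func, f["addr"], "patch", None, 0, ""))
    return hooks


def destination_regions(hooks):
    """Top byte of every hook destination; a single value means one module receives all hooks."""
    return sorted({h.target_hi16 >> 8 for h in hooks if h.kind != "patch"})


def hooks_identical_across_processes(hooks):
    """Exports hooked in more than one process, with the same destination in each of them."""
    per_export = defaultdict(dict)  # (module, export) -> {pid: target_hi16}
    for h in hooks:
        if h.kind != "patch":
            per_export[(h.module, h.function)][h.pid] = h.target_hi16
    return sorted(k for k, v in per_export.items() if len(v) > 1 and len(set(v.values())) == 1)


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for h in hooks:
        name = h.process.rsplit("\\", 1)[-1]
        print(f"{name:<12} {h.module}!{h.function:<20} {h.kind:<8} -> 0x{h.target_hi16:04X}xxxx {h.annotation}")
    print("destination regions:", [f"0x{r:02X}" for r in destination_regions(hooks)])
    print("same hook in every process:", hooks_identical_across_processes(hooks))
```

Run against the full log, the script separates two kinds of entries. MPC-HC's own `CoCreateInstance` hook jumps into the MPC-HC image (region 0x01), and GMER labels it with the module and vendor. Everything else, in every process, lands in the 0x5F region at the same address per export, which is what a single hooking DLL loaded at the same base into all processes looks like; HIPS and antivirus suites install hooks like this, and so does malware, so the list alone does not settle which it is. The next check is to find out which module owns the 0x5F... range inside one of those processes (a module listing from a debugger or Process Explorer would do) and whether that file is signed and expected on this machine.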


13.12.2010, 14:48   #3
doc

Paranoid vielleicht :)

Second part of the GMER scan

Code:
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtClose                                                              77684930 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtClose + 4                                                          77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtCreateFile                                                         77684A30 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtCreateFile + 4                                                     77684A34 2 Bytes  [6B, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtCreateKey                                                          77684A70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtCreateKey + 4                                                      77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDeleteFile                                                         77684C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDeleteFile + 4                                                     77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDeleteKey                                                          77684C80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDeleteKey + 4                                                      77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDeleteValueKey                                                     77684CB0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDeleteValueKey + 4                                                 77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDuplicateObject                                                    77684D00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtDuplicateObject + 4                                                77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtEnumerateKey                                                       77684D50 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtEnumerateKey + 4                                                   77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtEnumerateValueKey                                                  77684D80 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtEnumerateValueKey + 4                                              77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtLoadDriver                                                         77684FC0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtLoadDriver + 4                                                     77684FC4 2 Bytes  [83, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtOpenFile                                                           77685140 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtOpenFile + 4                                                       77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtQueryMultipleValueKey                                              77685570 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtQueryMultipleValueKey + 4                                          77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtQueryValueKey                                                      776856B0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtQueryValueKey + 4                                                  776856B4 2 Bytes  [62, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtReadFile                                                           77685720 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtReadFile + 4                                                       77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtSetContextThread                                                   776859D0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtSetContextThread + 4                                               776859D4 2 Bytes  [80, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtSetInformationFile                                                 77685AA0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtSetInformationFile + 4                                             77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtSetValueKey                                                        77685C70 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtSetValueKey + 4                                                    77685C74 2 Bytes  [65, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtUnloadKey                                                          77685DD0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtUnloadKey + 4                                                      77685DD4 2 Bytes  [68, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtWriteFile                                                          77685ED0 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtWriteFile + 4                                                      77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtWriteVirtualMemory                                                 77685F00 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] ntdll.dll!NtWriteVirtualMemory + 4                                             77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!CopyFileExW                                                       774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!CreateFileMappingW                                                774D3A51 6 Bytes  JMP 5F400F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!TerminateProcess                                                  774D509B 6 Bytes  JMP 5F310F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!MoveFileWithProgressW                                             774DBF04 6 Bytes  JMP 5F460F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!MapViewOfFile                                                     774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!CreateFileMappingA                                                774DCCD1 6 Bytes  JMP 5F370F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!MapViewOfFileEx                                                   774E17B6 6 Bytes  JMP 5F340F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] kernel32.dll!CreateRemoteThread                                                7751F4DB 6 Bytes  JMP 5F430F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!CreateAcceleratorTableW                                             75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!CreateAcceleratorTableW + 4                                         75B0AC70 2 Bytes  [B6, 5F] {MOV DH, 0x5f}
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!GetAsyncKeyState                                                    75B0C09A 6 Bytes  JMP 5F9D0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!BeginDeferWindowPos                                                 75B0C316 6 Bytes  JMP 5F940F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!AttachThreadInput                                                   75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!AttachThreadInput + 4                                               75B0CBC1 2 Bytes  [A1, 5F]
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!PostMessageA                                                        75B0D656 6 Bytes  JMP 5FAF0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!SetWindowsHookExW                                                   75B1210A 6 Bytes  JMP 5FB80F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!DispatchMessageA                                                    75B13569 6 Bytes  JMP 5F970F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!GetKeyState                                                         75B14FDA 6 Bytes  JMP 5FA60F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!SetWinEventHook                                                     75B1507E 6 Bytes  JMP 5FB20F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!PostMessageW                                                        75B16225 6 Bytes  JMP 5FAC0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!DispatchMessageW                                                    75B18E8D 6 Bytes  JMP 5FBB0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!TranslateMessage                                                    75B1910F 6 Bytes  JMP 5F9A0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!SetClipboardData                                                    75B24979 6 Bytes  JMP 5FBE0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!GetKeyboardState                                                    75B36B3E 3 Bytes  [FF, 25, 1E]
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!GetKeyboardState + 4                                                75B36B42 2 Bytes  [A4, 5F] {MOVSB ; POP EDI}
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!SetWindowsHookExA                                                   75B36DFA 6 Bytes  JMP 5F910F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] USER32.dll!DdeConnect                                                          75B4EB83 6 Bytes  JMP 5FA90F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!StartServiceW                                                     76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!OpenServiceW                                                      76AED20D 6 Bytes  JMP 5F220F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!OpenServiceA                                                      76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!CloseServiceHandle                                                76AF9A61 6 Bytes  JMP 5F100F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!CreateServiceW                                                    76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!ControlService                                                    76B0DC74 6 Bytes  JMP 5F130F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!DeleteService                                                     76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!StartServiceA                                                     76B0F217 6 Bytes  JMP 5F250F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!ChangeServiceConfig2A                                             76B22090 6 Bytes  JMP 5F0A0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!ChangeServiceConfig2W                                             76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!ChangeServiceConfigA                                              76B220B0 6 Bytes  JMP 5F040F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!ChangeServiceConfigW                                              76B220C0 6 Bytes  JMP 5F070F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!CreateServiceA                                                    76B22120 6 Bytes  JMP 5F160F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!LsaAddAccountRights                                               76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ADVAPI32.dll!LsaRemoveAccountRights                                            76B27869 6 Bytes  JMP 5F2E0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ole32.dll!CLSIDFromProgIDEx                                                    7705F8B4 6 Bytes  JMP 5F850F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ole32.dll!CLSIDFromProgID                                                      77074FD8 6 Bytes  JMP 5F880F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ole32.dll!CoGetClassObject                                                     7708A394 6 Bytes  JMP 5F8B0F5A 
.text           D:\Programme\winrar\WinRAR.exe[4572] ole32.dll!CoCreateInstanceEx                                                   770A594F 6 Bytes  JMP 5F8E0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtClose                                                         77684930 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtClose + 4                                                     77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtCreateFile                                                    77684A30 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtCreateFile + 4                                                77684A34 2 Bytes  [6B, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtCreateKey                                                     77684A70 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtCreateKey + 4                                                 77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDeleteFile                                                    77684C70 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDeleteFile + 4                                                77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDeleteKey                                                     77684C80 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDeleteKey + 4                                                 77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDeleteValueKey                                                77684CB0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDeleteValueKey + 4                                            77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDuplicateObject                                               77684D00 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtDuplicateObject + 4                                           77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtEnumerateKey                                                  77684D50 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtEnumerateKey + 4                                              77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtEnumerateValueKey                                             77684D80 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtEnumerateValueKey + 4                                         77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtLoadDriver                                                    77684FC0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtLoadDriver + 4                                                77684FC4 2 Bytes  [83, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtOpenFile                                                      77685140 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtOpenFile + 4                                                  77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtQueryMultipleValueKey                                         77685570 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtQueryMultipleValueKey + 4                                     77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtQueryValueKey                                                 776856B0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtQueryValueKey + 4                                             776856B4 2 Bytes  [62, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtReadFile                                                      77685720 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtReadFile + 4                                                  77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtSetContextThread                                              776859D0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtSetContextThread + 4                                          776859D4 2 Bytes  [80, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtSetInformationFile                                            77685AA0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtSetInformationFile + 4                                        77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtSetValueKey                                                   77685C70 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtSetValueKey + 4                                               77685C74 2 Bytes  [65, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtUnloadKey                                                     77685DD0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtUnloadKey + 4                                                 77685DD4 2 Bytes  [68, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtWriteFile                                                     77685ED0 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtWriteFile + 4                                                 77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtWriteVirtualMemory                                            77685F00 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ntdll.dll!NtWriteVirtualMemory + 4                                        77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!CopyFileExW                                                  774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!CreateFileMappingW                                           774D3A51 6 Bytes  JMP 5F400F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!TerminateProcess                                             774D509B 6 Bytes  JMP 5F310F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!MoveFileWithProgressW                                        774DBF04 6 Bytes  JMP 5F460F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!MapViewOfFile                                                774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!CreateFileMappingA                                           774DCCD1 6 Bytes  JMP 5F370F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!MapViewOfFileEx                                              774E17B6 6 Bytes  JMP 5F340F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] kernel32.dll!CreateRemoteThread                                           7751F4DB 6 Bytes  JMP 5F430F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!CreateAcceleratorTableW                                        75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!CreateAcceleratorTableW + 4                                    75B0AC70 2 Bytes  [B6, 5F] {MOV DH, 0x5f}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!GetAsyncKeyState                                               75B0C09A 6 Bytes  JMP 5F9D0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!BeginDeferWindowPos                                            75B0C316 6 Bytes  JMP 5F940F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!AttachThreadInput                                              75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!AttachThreadInput + 4                                          75B0CBC1 2 Bytes  [A1, 5F]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!PostMessageA                                                   75B0D656 6 Bytes  JMP 5FAF0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!SetWindowsHookExW                                              75B1210A 6 Bytes  JMP 5FB80F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!DispatchMessageA                                               75B13569 6 Bytes  JMP 5F970F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!GetKeyState                                                    75B14FDA 6 Bytes  JMP 5FA60F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!SetWinEventHook                                                75B1507E 6 Bytes  JMP 5FB20F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!PostMessageW                                                   75B16225 6 Bytes  JMP 5FAC0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!DispatchMessageW                                               75B18E8D 6 Bytes  JMP 5FBB0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!TranslateMessage                                               75B1910F 6 Bytes  JMP 5F9A0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!SetClipboardData                                               75B24979 6 Bytes  JMP 5FBE0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!GetKeyboardState                                               75B36B3E 3 Bytes  [FF, 25, 1E]
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!GetKeyboardState + 4                                           75B36B42 2 Bytes  [A4, 5F] {MOVSB ; POP EDI}
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!SetWindowsHookExA                                              75B36DFA 6 Bytes  JMP 5F910F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] USER32.dll!DdeConnect                                                     75B4EB83 6 Bytes  JMP 5FA90F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!StartServiceW                                                76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!OpenServiceW                                                 76AED20D 6 Bytes  JMP 5F220F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!OpenServiceA                                                 76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!CloseServiceHandle                                           76AF9A61 6 Bytes  JMP 5F100F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!CreateServiceW                                               76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!ControlService                                               76B0DC74 6 Bytes  JMP 5F130F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!DeleteService                                                76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!StartServiceA                                                76B0F217 6 Bytes  JMP 5F250F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!ChangeServiceConfig2A                                        76B22090 6 Bytes  JMP 5F0A0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!ChangeServiceConfig2W                                        76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!ChangeServiceConfigA                                         76B220B0 6 Bytes  JMP 5F040F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!ChangeServiceConfigW                                         76B220C0 6 Bytes  JMP 5F070F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!CreateServiceA                                               76B22120 6 Bytes  JMP 5F160F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!LsaAddAccountRights                                          76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ADVAPI32.dll!LsaRemoveAccountRights                                       76B27869 6 Bytes  JMP 5F2E0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ole32.dll!CLSIDFromProgIDEx                                               7705F8B4 6 Bytes  JMP 5F850F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ole32.dll!CLSIDFromProgID                                                 77074FD8 6 Bytes  JMP 5F880F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ole32.dll!CoGetClassObject                                                7708A394 6 Bytes  JMP 5F8B0F5A 
.text           C:\Users\admin\Desktop\test.exe.exe[4616] ole32.dll!CoCreateInstanceEx                                              770A594F 6 Bytes  JMP 5F8E0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtClose                                                                 77684930 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtClose + 4                                                             77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtCreateFile                                                            77684A30 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtCreateFile + 4                                                        77684A34 2 Bytes  [6B, 5F]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtCreateKey                                                             77684A70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtCreateKey + 4                                                         77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDeleteFile                                                            77684C70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDeleteFile + 4                                                        77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDeleteKey                                                             77684C80 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDeleteKey + 4                                                         77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDeleteValueKey                                                        77684CB0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDeleteValueKey + 4                                                    77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDuplicateObject                                                       77684D00 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtDuplicateObject + 4                                                   77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtEnumerateKey                                                          77684D50 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtEnumerateKey + 4                                                      77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtEnumerateValueKey                                                     77684D80 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtEnumerateValueKey + 4                                                 77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtLoadDriver                                                            77684FC0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtLoadDriver + 4                                                        77684FC4 2 Bytes  [83, 5F]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtOpenFile                                                              77685140 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtOpenFile + 4                                                          77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtQueryMultipleValueKey                                                 77685570 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtQueryMultipleValueKey + 4                                             77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtQueryValueKey                                                         776856B0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtQueryValueKey + 4                                                     776856B4 2 Bytes  [62, 5F]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtReadFile                                                              77685720 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtReadFile + 4                                                          77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtSetContextThread                                                      776859D0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtSetContextThread + 4                                                  776859D4 2 Bytes  [80, 5F]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtSetInformationFile                                                    77685AA0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtSetInformationFile + 4                                                77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtSetValueKey                                                           77685C70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtSetValueKey + 4                                                       77685C74 2 Bytes  [65, 5F]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtUnloadKey                                                             77685DD0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtUnloadKey + 4                                                         77685DD4 2 Bytes  [68, 5F]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtWriteFile                                                             77685ED0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtWriteFile + 4                                                         77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtWriteVirtualMemory                                                    77685F00 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] ntdll.dll!NtWriteVirtualMemory + 4                                                77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!CopyFileExW                                                          774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!CreateFileMappingW                                                   774D3A51 6 Bytes  JMP 5F400F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!TerminateProcess                                                     774D509B 6 Bytes  JMP 5F310F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!MoveFileWithProgressW                                                774DBF04 6 Bytes  JMP 5F460F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!MapViewOfFile                                                        774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!CreateFileMappingA                                                   774DCCD1 6 Bytes  JMP 5F370F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!MapViewOfFileEx                                                      774E17B6 6 Bytes  JMP 5F340F5A 
.text           C:\Windows\System32\cmd.exe[5032] kernel32.dll!CreateRemoteThread                                                   7751F4DB 6 Bytes  JMP 5F430F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!CreateAcceleratorTableW                                                75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!CreateAcceleratorTableW + 4                                            75B0AC70 2 Bytes  [B0, 5F] {MOV AL, 0x5f}
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!GetAsyncKeyState                                                       75B0C09A 6 Bytes  JMP 5F970F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!BeginDeferWindowPos                                                    75B0C316 6 Bytes  JMP 5F8E0F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!AttachThreadInput                                                      75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!AttachThreadInput + 4                                                  75B0CBC1 2 Bytes  [9B, 5F] {WAIT ; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!PostMessageA                                                           75B0D656 6 Bytes  JMP 5FA90F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!SetWindowsHookExW                                                      75B1210A 6 Bytes  JMP 5FB20F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!DispatchMessageA                                                       75B13569 6 Bytes  JMP 5F910F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!GetKeyState                                                            75B14FDA 6 Bytes  JMP 5FA00F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!SetWinEventHook                                                        75B1507E 6 Bytes  JMP 5FAC0F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!PostMessageW                                                           75B16225 6 Bytes  JMP 5FA60F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!DispatchMessageW                                                       75B18E8D 6 Bytes  JMP 5FB50F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!TranslateMessage                                                       75B1910F 6 Bytes  JMP 5F940F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!SetClipboardData                                                       75B24979 6 Bytes  JMP 5FB80F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!GetKeyboardState                                                       75B36B3E 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!GetKeyboardState + 4                                                   75B36B42 2 Bytes  [9E, 5F] {SAHF ; POP EDI}
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!SetWindowsHookExA                                                      75B36DFA 6 Bytes  JMP 5F8B0F5A 
.text           C:\Windows\System32\cmd.exe[5032] USER32.dll!DdeConnect                                                             75B4EB83 6 Bytes  JMP 5FA30F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!StartServiceW                                                        76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!OpenServiceW                                                         76AED20D 6 Bytes  JMP 5F220F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!OpenServiceA                                                         76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!CloseServiceHandle                                                   76AF9A61 6 Bytes  JMP 5F100F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!CreateServiceW                                                       76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!ControlService                                                       76B0DC74 6 Bytes  JMP 5F130F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!DeleteService                                                        76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!StartServiceA                                                        76B0F217 6 Bytes  JMP 5F250F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!ChangeServiceConfig2A                                                76B22090 6 Bytes  JMP 5F0A0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!ChangeServiceConfig2W                                                76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!ChangeServiceConfigA                                                 76B220B0 6 Bytes  JMP 5F040F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!ChangeServiceConfigW                                                 76B220C0 6 Bytes  JMP 5F070F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!CreateServiceA                                                       76B22120 6 Bytes  JMP 5F160F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!LsaAddAccountRights                                                  76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ADVAPI32.dll!LsaRemoveAccountRights                                               76B27869 6 Bytes  JMP 5F2E0F5A 
.text           C:\Windows\System32\cmd.exe[5032] ole32.dll!CLSIDFromProgIDEx                                                       7705F8B4 6 Bytes  JMP 5F850F5A 
.text           C:\Windows\System32\cmd.exe[5032] ole32.dll!CLSIDFromProgID                                                         77074FD8 6 Bytes  JMP 5F880F5A 
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtClose                                                                     77684930 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtClose + 4                                                                 77684934 2 Bytes  [4A, 5F] {DEC EDX; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtCreateFile                                                                77684A30 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtCreateFile + 4                                                            77684A34 2 Bytes  [6B, 5F]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtCreateKey                                                                 77684A70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtCreateKey + 4                                                             77684A74 2 Bytes  [4D, 5F] {DEC EBP; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDeleteFile                                                                77684C70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDeleteFile + 4                                                            77684C74 2 Bytes  [6E, 5F] {OUTSB ; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDeleteKey                                                                 77684C80 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDeleteKey + 4                                                             77684C84 2 Bytes  [50, 5F] {PUSH EAX; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDeleteValueKey                                                            77684CB0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDeleteValueKey + 4                                                        77684CB4 2 Bytes  [53, 5F] {PUSH EBX; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDuplicateObject                                                           77684D00 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtDuplicateObject + 4                                                       77684D04 2 Bytes  [56, 5F] {PUSH ESI; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtEnumerateKey                                                              77684D50 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtEnumerateKey + 4                                                          77684D54 2 Bytes  [59, 5F] {POP ECX; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtEnumerateValueKey                                                         77684D80 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtEnumerateValueKey + 4                                                     77684D84 2 Bytes  [5C, 5F] {POP ESP; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtLoadDriver                                                                77684FC0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtLoadDriver + 4                                                            77684FC4 2 Bytes  [83, 5F]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtOpenFile                                                                  77685140 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtOpenFile + 4                                                              77685144 2 Bytes  [71, 5F] {JNO 0x61}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtQueryMultipleValueKey                                                     77685570 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtQueryMultipleValueKey + 4                                                 77685574 2 Bytes  [5F, 5F] {POP EDI; POP EDI}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtQueryValueKey                                                             776856B0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtQueryValueKey + 4                                                         776856B4 2 Bytes  [62, 5F]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtReadFile                                                                  77685720 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtReadFile + 4                                                              77685724 2 Bytes  [74, 5F] {JZ 0x61}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtSetContextThread                                                          776859D0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtSetContextThread + 4                                                      776859D4 2 Bytes  [80, 5F]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtSetInformationFile                                                        77685AA0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtSetInformationFile + 4                                                    77685AA4 2 Bytes  [77, 5F] {JA 0x61}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtSetValueKey                                                               77685C70 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtSetValueKey + 4                                                           77685C74 2 Bytes  [65, 5F]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtUnloadKey                                                                 77685DD0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtUnloadKey + 4                                                             77685DD4 2 Bytes  [68, 5F]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtWriteFile                                                                 77685ED0 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtWriteFile + 4                                                             77685ED4 2 Bytes  [7A, 5F] {JP 0x61}
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtWriteVirtualMemory                                                        77685F00 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] ntdll.dll!NtWriteVirtualMemory + 4                                                    77685F04 2 Bytes  [7D, 5F] {JGE 0x61}
.text           C:\Windows\explorer.exe[5940] kernel32.dll!CopyFileExW                                                              774D07BB 6 Bytes  JMP 5F3D0F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!CreateFileMappingW                                                       774D3A51 6 Bytes  JMP 5F400F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!TerminateProcess                                                         774D509B 6 Bytes  JMP 5F310F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!MoveFileWithProgressW                                                    774DBF04 6 Bytes  JMP 5F460F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!MapViewOfFile                                                            774DC0D4 6 Bytes  JMP 5F3A0F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!CreateFileMappingA                                                       774DCCD1 6 Bytes  JMP 5F370F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!MapViewOfFileEx                                                          774E17B6 6 Bytes  JMP 5F340F5A 
.text           C:\Windows\explorer.exe[5940] kernel32.dll!CreateRemoteThread                                                       7751F4DB 6 Bytes  JMP 5F430F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!StartServiceW                                                            76AE8A9B 6 Bytes  JMP 5F280F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!OpenServiceW                                                             76AED20D 6 Bytes  JMP 5F220F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!OpenServiceA                                                             76AF3B15 6 Bytes  JMP 5F1F0F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!CloseServiceHandle                                                       76AF9A61 6 Bytes  JMP 5F100F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!CreateServiceW                                                           76B0DBC1 6 Bytes  JMP 5F190F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!ControlService                                                           76B0DC74 6 Bytes  JMP 5F130F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!DeleteService                                                            76B0DC8C 6 Bytes  JMP 5F1C0F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!StartServiceA                                                            76B0F217 6 Bytes  JMP 5F250F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!ChangeServiceConfig2A                                                    76B22090 6 Bytes  JMP 5F0A0F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!ChangeServiceConfig2W                                                    76B220A0 6 Bytes  JMP 5F0D0F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!ChangeServiceConfigA                                                     76B220B0 6 Bytes  JMP 5F040F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!ChangeServiceConfigW                                                     76B220C0 6 Bytes  JMP 5F070F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!CreateServiceA                                                           76B22120 6 Bytes  JMP 5F160F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!LsaAddAccountRights                                                      76B277D1 6 Bytes  JMP 5F2B0F5A 
.text           C:\Windows\explorer.exe[5940] ADVAPI32.dll!LsaRemoveAccountRights                                                   76B27869 6 Bytes  JMP 5F2E0F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!CreateAcceleratorTableW                                                    75B0AC6C 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] USER32.dll!CreateAcceleratorTableW + 4                                                75B0AC70 2 Bytes  [B0, 5F] {MOV AL, 0x5f}
.text           C:\Windows\explorer.exe[5940] USER32.dll!GetAsyncKeyState                                                           75B0C09A 6 Bytes  JMP 5F970F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!BeginDeferWindowPos                                                        75B0C316 6 Bytes  JMP 5F8E0F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!AttachThreadInput                                                          75B0CBBD 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] USER32.dll!AttachThreadInput + 4                                                      75B0CBC1 2 Bytes  [9B, 5F] {WAIT ; POP EDI}
.text           C:\Windows\explorer.exe[5940] USER32.dll!PostMessageA                                                               75B0D656 6 Bytes  JMP 5FA90F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!SetWindowsHookExW                                                          75B1210A 6 Bytes  JMP 5FB20F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!DispatchMessageA                                                           75B13569 6 Bytes  JMP 5F910F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!GetKeyState                                                                75B14FDA 6 Bytes  JMP 5FA00F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!SetWinEventHook                                                            75B1507E 6 Bytes  JMP 5FAC0F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!PostMessageW                                                               75B16225 6 Bytes  JMP 5FA60F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!DispatchMessageW                                                           75B18E8D 6 Bytes  JMP 5FB50F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!TranslateMessage                                                           75B1910F 6 Bytes  JMP 5F940F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!SetClipboardData                                                           75B24979 6 Bytes  JMP 5FB80F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!GetKeyboardState                                                           75B36B3E 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[5940] USER32.dll!GetKeyboardState + 4                                                       75B36B42 2 Bytes  [9E, 5F] {SAHF ; POP EDI}
.text           C:\Windows\explorer.exe[5940] USER32.dll!SetWindowsHookExA                                                          75B36DFA 6 Bytes  JMP 5F8B0F5A 
.text           C:\Windows\explorer.exe[5940] USER32.dll!DdeConnect                                                                 75B4EB83 6 Bytes  JMP 5FA30F5A 
.text           C:\Windows\explorer.exe[5940] ole32.dll!CLSIDFromProgIDEx                                                           7705F8B4 6 Bytes  JMP 5F850F5A 
.text           C:\Windows\explorer.exe[5940] ole32.dll!CLSIDFromProgID                                                             77074FD8 6 Bytes  JMP 5F880F5A 

---- Devices - GMER 1.0.15 ----

Device                                                                                                                              ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device                                                                                                                              Ntfs.sys (NT-Dateisystemtreiber/Microsoft Corporation)
Device                                                                                                                              fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                             NETFLTDI.SYS
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000005b                                                                                   halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Udp                                                                                             NETFLTDI.SYS
AttachedDevice                                                                                                                      fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Users\admin\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x59 0x28 0xBD 0xAD ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x32 0x9D 0x34 0xD9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x9D 0xF8 0xB9 0xFA ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Users\admin\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x59 0x28 0xBD 0xAD ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x32 0x9D 0x34 0xD9 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x9D 0xF8 0xB9 0xFA ...

---- EOF - GMER 1.0.15 ----

Old 13.12.2010, 16:13   #4
doc

Maybe paranoid :)

OTL LOG

Code:
OTL logfile created on: 13.12.2010 15:57:08 - Run 2
OTL by OldTimer - Version 3.2.17.3     Folder = C:\Users\Public\Desktop\MFtools
 An unknown product  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 69,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 24,32 Gb Total Space | 5,16 Gb Free Space | 21,21% Space Free | Partition Type: NTFS
Drive D: | 44,83 Gb Total Space | 10,23 Gb Free Space | 22,82% Space Free | Partition Type: NTFS
 
Computer Name: ADMIN-PC | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2010.12.13 14:52:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Public\Desktop\MFtools\OTL.exe
PRC - [2010.12.12 01:10:33 | 000,050,477 | ---- | M] () -- C:\Users\Public\Desktop\MFtools\Defogger.exe
PRC - [2010.12.12 00:37:57 | 000,912,344 | ---- | M] (Mozilla Corporation) -- D:\Programme\Firefox\firefox.exe
PRC - [2010.09.29 10:11:07 | 000,157,504 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\TPSrv.exe
PRC - [2010.09.29 02:51:26 | 000,380,928 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010.09.29 02:50:58 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010.09.13 10:11:00 | 000,202,048 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\PavFnSvr.exe
PRC - [2010.08.26 12:52:15 | 000,988,480 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\ApVxdWin.exe
PRC - [2010.08.16 14:54:45 | 000,028,992 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\psksvc.exe
PRC - [2010.06.04 10:37:50 | 000,314,176 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\pavsrvx86.exe
PRC - [2010.05.28 13:42:32 | 000,225,600 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\AVENGINE.EXE
PRC - [2010.04.22 18:29:12 | 000,107,776 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\WebProxy.exe
PRC - [2010.02.23 12:09:34 | 000,111,872 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\PavBckPT.exe
PRC - [2009.11.26 17:03:56 | 000,226,560 | ---- | M] (Panda Security International) -- c:\Programme\Panda Security\Panda Global Protection 2011\FIREWALL\PSHost.exe
PRC - [2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.08.10 14:46:08 | 000,173,312 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\PsCtrlS.exe
PRC - [2009.07.14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009.07.14 02:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009.04.22 17:38:50 | 000,065,536 | ---- | M] (Advanced Micro Devices Inc.) -- D:\Programme\ati\ATI.ACE\Core-Static\MOM.exe
PRC - [2009.04.22 17:37:16 | 000,065,536 | ---- | M] (ATI Technologies Inc.) -- D:\Programme\ati\ATI.ACE\Core-Static\CCC.exe
PRC - [2008.06.27 13:23:00 | 000,091,392 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\SrvLoad.exe
PRC - [2008.06.19 12:59:50 | 000,108,288 | ---- | M] (Panda Security S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\PsImSvc.exe
PRC - [2008.02.04 17:26:48 | 000,062,768 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Common Files\Panda Security\PavShld\PavPrSrv.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010.12.13 14:52:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Public\Desktop\MFtools\OTL.exe
MOD - [2010.08.21 06:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2009.08.10 13:45:54 | 000,095,488 | ---- | M] (Panda Security, S.L.) -- C:\Programme\Panda Security\Panda Global Protection 2011\PavOEpl.dll
MOD - [2009.07.14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009.07.14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009.07.14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009.07.14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009.07.14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009.07.14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009.07.14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009.07.14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009.07.14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009.07.14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009.03.30 18:22:58 | 000,518,400 | ---- | M] (Panda Security, S.L.) -- C:\Windows\System32\PavSHook.dll
MOD - [2007.02.08 10:53:40 | 000,107,568 | ---- | M] (Panda Software) -- C:\Windows\System32\SYSTOOLS.DLL
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] -- C:\Users\admin\AppData\Local\Temp\URNRGY.exe -- (URNRGY)
SRV - File not found [On_Demand | Stopped] -- C:\Users\admin\AppData\Local\Temp\OIBL.exe -- (OIBL)
SRV - File not found [On_Demand | Stopped] -- C:\Users\admin\AppData\Local\Temp\INOIAXYXO.exe -- (INOIAXYXO)
SRV - File not found [On_Demand | Stopped] -- C:\Users\admin\AppData\Local\Temp\BPPIXUQB.exe -- (BPPIXUQB)
SRV - [2010.09.29 10:11:07 | 000,157,504 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2011\TPSrv.exe -- (TPSrv)
SRV - [2010.09.29 02:50:58 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010.09.13 10:11:00 | 000,202,048 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2011\PavFnSvr.exe -- (PAVFNSVR)
SRV - [2010.08.16 14:54:45 | 000,028,992 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2011\PskSvc.exe -- (PskSvcRetail)
SRV - [2010.06.04 10:37:50 | 000,314,176 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2011\pavsrvx86.exe -- (PAVSRV)
SRV - [2010.03.18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.11.26 17:03:56 | 000,226,560 | ---- | M] (Panda Security International) [Auto | Running] -- c:\program files\panda security\panda global protection 2011\firewall\PSHOST.EXE -- (PSHost)
SRV - [2009.08.10 14:46:08 | 000,173,312 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2011\PsCtrls.exe -- (Panda Software Controller)
SRV - [2009.07.14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009.07.14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009.07.14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009.07.14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009.07.14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009.07.14 02:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009.07.14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009.07.14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009.07.14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.07.14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009.07.14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009.07.14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009.07.14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009.07.14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009.07.14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX-Installer (AxInstSV)
SRV - [2009.07.14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009.07.14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008.06.19 12:59:50 | 000,108,288 | ---- | M] (Panda Security S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2011\PsImSvc.exe -- (PSIMSVC)
SRV - [2008.02.04 17:26:48 | 000,062,768 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe -- (PavPrSrv)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\doc\AppData\Local\Temp\Rar$EX00.058\sdthlpr.sys -- (SDTHelper)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\System32\PavTPK.sys -- (PavTPK.sys)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\System32\PavSRK.sys -- (PavSRK.sys)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\7A10.tmp -- (MEMSWEEP2)
DRV - File not found [File_System | Auto | Stopped] -- C:\Windows\System32\DRIVERS\eamonm.sys -- (eamonm)
DRV - File not found [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\av5flt.sys -- (AvFlt)
DRV - [2010.12.13 13:40:45 | 000,013,880 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\COMFiltr.sys -- (ComFiltr)
DRV - [2010.12.13 11:32:09 | 000,011,264 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\uzmznti4.sys -- (uzmznti4)
DRV - [2010.12.06 21:27:49 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2010.09.29 03:25:14 | 006,472,192 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010.09.29 02:14:30 | 000,228,352 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010.08.16 11:41:54 | 000,101,904 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtihdW73.sys -- (AtiHDAudioService)
DRV - [2010.06.22 18:13:00 | 000,026,696 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\system32\Drivers\pavboot.sys -- (pavboot)
DRV - [2010.05.21 13:50:40 | 000,054,344 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\amm8660.sys -- (AmFSM)
DRV - [2010.05.10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Programme\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010.02.18 19:31:20 | 000,199,688 | ---- | M] (Panda Security, S.L.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\neti1642.sys -- (NETIMFLT01060042)
DRV - [2010.02.18 19:31:18 | 000,076,296 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\APPFLT.SYS -- (APPFLT)
DRV - [2010.02.17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Programme\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009.12.11 08:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009.10.27 12:07:42 | 000,037,896 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ShlDrv51.sys -- (ShldDrv)
DRV - [2009.09.25 14:54:08 | 000,046,856 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\wnmflt.sys -- (WNMFLT)
DRV - [2009.09.25 14:54:06 | 000,159,112 | ---- | M] (Panda Security, S.L.) [TDI Layer] [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NETFLTDI.SYS -- (NETFLTDI)
DRV - [2009.09.25 14:54:04 | 000,193,800 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\idsflt.sys -- (IDSFLT)
DRV - [2009.09.25 14:54:04 | 000,022,024 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\fnetmon.sys -- (FNETMON)
DRV - [2009.09.25 14:54:02 | 000,053,256 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsaflt.sys -- (DSAFLT)
DRV - [2009.09.14 16:18:22 | 000,163,336 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PavProc.sys -- (PavProc)
DRV - [2009.07.14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009.07.14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009.07.14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009.07.14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009.07.14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009.07.14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009.07.14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009.07.14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009.07.14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009.07.14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009.07.14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009.07.14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009.07.14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009.07.14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009.07.14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009.07.14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009.07.14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009.07.14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009.07.14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009.07.14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009.07.14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009.07.14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009.07.14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009.07.14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009.07.14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009.07.14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009.07.14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009.07.14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009.07.14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009.07.14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009.07.14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009.07.14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009.07.14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009.07.14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009.07.14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009.07.14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009.07.14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009.07.14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009.07.14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009.07.14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009.07.14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009.07.14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009.07.14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009.07.14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009.07.14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009.07.14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009.07.14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009.07.14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009.07.14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009.07.14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009.07.14 00:51:23 | 000,080,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB-Audiotreiber (WDM)
DRV - [2009.07.14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009.07.14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009.07.14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009.07.14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009.07.14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009.07.14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009.07.14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009.07.14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009.07.14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009.07.14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdppm.sys -- (AmdPPM)
DRV - [2009.07.13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009.07.13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009.07.13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009.07.13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009.07.13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009.07.13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009.07.13 23:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009.07.13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009.07.13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009.07.13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2004.08.13 08:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D5 8E F0 C7 97 68 CB 01  [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.6
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.7
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.2
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: D:\Programme\Firefox\components [2010.12.12 00:38:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: D:\Programme\Firefox\plugins [2010.12.12 00:38:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
 
[2010.10.10 17:27:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\mozilla\Extensions
[2010.12.13 13:54:52 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\vm998rj7.default\extensions
[2010.12.13 13:54:41 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\vm998rj7.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010.12.13 13:54:41 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\vm998rj7.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010.12.13 13:54:41 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\vm998rj7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
 
O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Programme\Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Programme\Java\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [APVXDWIN] C:\Program Files\Panda Security\Panda Global Protection 2011\APVXDWIN.EXE (Panda Security, S.L.)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SCANINICIO] C:\Program Files\Panda Security\Panda Global Protection 2011\Inicio.exe (Panda Security, S.L.)
O4 - HKLM..\Run: [StartCCC] D:\Programme\ati\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: An OneNote s&enden - D:\Programme\Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - D:\Programme\Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Programme\Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Programme\Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Programme\Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Programme\Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\Windows\System32\avldr.dll (On-Access Anti-Malware Scanner Sync)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
 
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - D:\Programme\acrobat reader\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: DAEMON Tools Lite - hkey= - key= - C:\Users\admin\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
MsConfig - StartUpReg: LanzarP2006 - hkey= - key= - C:\Users\admin\AppData\Local\Temp\P2006tmp\Install.exe File not found
MsConfig - StartUpReg: Sidebar - hkey= - key= - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
MsConfig - State: "startup" - 2
 
Drivers32: aux - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3acm - C:\Windows\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\Windows\System32\lameACM.acm (hxxp://www.mp3dev.org/)
Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
Drivers32: vidc.i420 - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.iyuv - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.XVID - C:\Windows\System32\xvidvfw.dll ()
Drivers32: vidc.yuy2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YV12 - C:\Windows\System32\yv12vfw.dll (www.helixcommunity.org)
Drivers32: vidc.yvu9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave2 - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)

 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.12.13 15:01:43 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010.12.13 15:01:15 | 000,000,000 | ---D | C] -- C:\Programme\ERUNT
[2010.12.13 14:53:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.12.13 14:53:49 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.12.13 14:53:49 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.12.13 14:50:42 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\MFtools
[2010.12.13 13:56:03 | 000,472,064 | ---- | C] ( ) -- C:\Users\admin\Desktop\RootRepeal.exe
[2010.12.13 13:42:41 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Panda Security
[2010.12.13 13:40:31 | 000,193,800 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\idsflt.sys
[2010.12.13 13:40:31 | 000,053,256 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\dsaflt.sys
[2010.12.13 13:40:31 | 000,046,856 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\wnmflt.sys
[2010.12.13 13:40:27 | 000,159,112 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\NETFLTDI.SYS
[2010.12.13 13:40:27 | 000,076,296 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\APPFLT.SYS
[2010.12.13 13:40:27 | 000,022,024 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\fnetmon.sys
[2010.12.13 13:40:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Backup
[2010.12.13 13:40:25 | 000,026,696 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2010.12.13 13:40:18 | 000,054,832 | ---- | C] (Panda Software) -- C:\Windows\System32\pavcpl.cpl
[2010.12.13 13:40:11 | 000,446,464 | ---- | C] (eHelp Corporation.) -- C:\Windows\System32\HHActiveX.dll
[2010.12.13 13:40:10 | 000,518,400 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\PavSHook.dll
[2010.12.13 13:40:10 | 000,199,688 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\neti1642.sys
[2010.12.13 13:40:10 | 000,193,792 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\TpUtil.dll
[2010.12.13 13:40:10 | 000,107,568 | ---- | C] (Panda Software) -- C:\Windows\System32\SYSTOOLS.DLL
[2010.12.13 13:40:10 | 000,087,296 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\PavLspHook.dll
[2010.12.13 13:40:10 | 000,055,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\pavipc.dll
[2010.12.13 13:40:10 | 000,055,552 | ---- | C] (On-Access Anti-Malware Scanner Sync) -- C:\Windows\System32\avldr.dll
[2010.12.13 13:40:10 | 000,054,344 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\amm8660.sys
[2010.12.13 13:40:10 | 000,000,000 | -H-D | C] -- C:\Programme\InstallShield Installation Information
[2010.12.13 13:40:10 | 000,000,000 | ---D | C] -- C:\Windows\System32\PAV
[2010.12.13 13:37:15 | 000,163,336 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\PavProc.sys
[2010.12.13 13:37:15 | 000,037,896 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\ShlDrv51.sys
[2010.12.13 13:35:55 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Panda Security
[2010.12.13 10:58:05 | 000,000,000 | ---D | C] -- C:\Programme\trend micro
[2010.12.13 10:58:05 | 000,000,000 | ---D | C] -- C:\rsit
[2010.12.12 16:39:39 | 000,000,000 | ---D | C] -- C:\Programme\Alwil Software
[2010.12.12 16:39:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010.12.12 16:37:36 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2010.12.12 01:05:49 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\SUPERAntiSpyware.com
[2010.12.12 01:05:49 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010.12.12 01:05:42 | 000,000,000 | ---D | C] -- C:\Programme\SUPERAntiSpyware
[2010.12.11 12:56:54 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\GooredFix Backups
[2010.12.06 21:27:49 | 000,038,976 | ---- | C] (microOLAP Technologies LTD) -- C:\Windows\System32\drivers\pssdk42.sys
[2010.12.06 21:27:22 | 000,000,000 | ---D | C] -- C:\Programme\Tenable
[2010.12.06 21:14:13 | 000,000,000 | ---D | C] -- C:\Programme\F-Secure
[2010.12.06 21:13:40 | 000,000,000 | ---D | C] -- C:\ProgramData\fssg
[2010.12.06 21:11:56 | 000,000,000 | ---D | C] -- C:\ProgramData\f-secure
[2010.12.05 14:04:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2010.12.05 13:48:40 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Secunia PSI
[2010.12.05 13:48:32 | 000,000,000 | ---D | C] -- C:\Programme\Secunia
[2010.12.05 13:31:40 | 000,019,248 | ---- | C] (Resplendence Software Projects Sp.) -- C:\Windows\System32\drivers\rspsc32.sys
[2010.12.05 13:31:40 | 000,000,000 | ---D | C] -- C:\Programme\RootKit Hook Analyzer
[2010.12.04 23:57:03 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Panda Security
[2010.12.04 23:56:30 | 000,000,000 | ---D | C] -- C:\Programme\Panda Security
[2010.12.04 23:56:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2010.12.02 22:50:08 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\InstallShield
[2010.12.02 22:12:10 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\CrashDumps
[2010.12.02 21:29:40 | 000,000,000 | ---D | C] -- C:\Programme\Sophos
[2010.12.01 22:42:47 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2010.12.01 22:42:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010.12.01 22:42:08 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010.12.01 22:28:21 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Media Player Classic
[2010.11.30 22:20:24 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\AVG10
[2010.11.30 22:17:00 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2010.11.30 22:16:30 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2010.11.30 22:16:23 | 000,000,000 | ---D | C] -- C:\Programme\AVG
[2010.11.30 22:10:53 | 000,000,000 | ---D | C] -- C:\Users\admin\.zenmap
[2010.11.30 21:59:29 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2010.11.30 21:58:17 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2010.11.30 21:58:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.11.30 21:53:42 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\ATI
[2010.11.30 21:53:42 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\ATI
[2010.11.30 21:50:59 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Adobe
[2010.11.16 14:24:40 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Miranda
[2010.11.15 12:20:11 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\ElevatedDiagnostics
 
========== Files - Modified Within 30 Days ==========
 
[2010.12.13 15:55:06 | 000,001,132 | ---- | M] () -- C:\Windows\System32\drivers\APPFLTR.CFG.bck
[2010.12.13 15:55:06 | 000,001,132 | ---- | M] () -- C:\Windows\System32\drivers\APPFLTR.CFG
[2010.12.13 15:55:06 | 000,000,252 | ---- | M] () -- C:\Windows\System32\drivers\etc\IdsFlt.cfg.bck
[2010.12.13 15:55:06 | 000,000,252 | ---- | M] () -- C:\Windows\System32\drivers\etc\IdsFlt.cfg
[2010.12.13 15:55:06 | 000,000,080 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetLoc.wlt.bck
[2010.12.13 15:55:06 | 000,000,080 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetLoc.wlt
[2010.12.13 15:55:06 | 000,000,068 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetFlt.cfg.bck
[2010.12.13 15:55:06 | 000,000,068 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetFlt.cfg
[2010.12.13 15:55:06 | 000,000,056 | ---- | M] () -- C:\Windows\System32\drivers\etc\WnmFlt.cfg.bck
[2010.12.13 15:55:06 | 000,000,056 | ---- | M] () -- C:\Windows\System32\drivers\etc\WnmFlt.cfg
[2010.12.13 15:55:06 | 000,000,056 | ---- | M] () -- C:\Windows\System32\drivers\etc\DsaFlt.cfg.bck
[2010.12.13 15:55:06 | 000,000,056 | ---- | M] () -- C:\Windows\System32\drivers\etc\DsaFlt.cfg
[2010.12.13 15:54:56 | 000,000,120 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetAdapt.cfg.bck
[2010.12.13 15:54:56 | 000,000,120 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetAdapt.cfg
[2010.12.13 15:06:18 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.12.13 15:06:17 | 000,013,248 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.12.13 15:01:22 | 000,001,078 | ---- | M] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010.12.13 15:01:16 | 000,000,898 | ---- | M] () -- C:\Users\admin\Desktop\NTREGOPT.lnk
[2010.12.13 15:01:16 | 000,000,879 | ---- | M] () -- C:\Users\admin\Desktop\ERUNT.lnk
[2010.12.13 15:00:35 | 000,418,468 | ---- | M] () -- C:\Windows\System32\drivers\etc\DsaFlt.rls.bck
[2010.12.13 15:00:35 | 000,418,468 | ---- | M] () -- C:\Windows\System32\drivers\etc\DsaFlt.rls
[2010.12.13 14:59:17 | 000,000,068 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetAR.wlt.bck
[2010.12.13 14:59:17 | 000,000,068 | ---- | M] () -- C:\Windows\System32\drivers\etc\NetAR.wlt
[2010.12.13 14:58:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.12.13 14:58:56 | 2616,696,832 | -HS- | M] () -- C:\hiberfil.sys
[2010.12.13 14:53:57 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.12.13 14:50:58 | 000,288,107 | ---- | M] () -- C:\Users\admin\Desktop\Gmer.zip
[2010.12.13 14:39:49 | 000,003,067 | ---- | M] () -- C:\ports
[2010.12.13 14:01:50 | 000,089,088 | ---- | M] () -- C:\mbr.exe
[2010.12.13 13:57:16 | 000,167,268 | ---- | M] () -- C:\Users\admin\Desktop\RootRepeal.dmp
[2010.12.13 13:57:04 | 000,000,015 | ---- | M] () -- C:\Users\admin\Desktop\settings.dat
[2010.12.13 13:55:20 | 000,159,476 | ---- | M] () -- C:\Windows\System32\drivers\APPFCONT.DAT.bck
[2010.12.13 13:55:20 | 000,159,476 | ---- | M] () -- C:\Windows\System32\drivers\APPFCONT.DAT
[2010.12.13 13:47:57 | 000,655,562 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.12.13 13:47:57 | 000,617,444 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.12.13 13:47:57 | 000,130,674 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.12.13 13:47:57 | 000,107,064 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.12.13 13:47:47 | 000,008,627 | ---- | M] () -- C:\Windows\System32\PAV_FOG.OPC
[2010.12.13 13:40:45 | 000,013,880 | ---- | M] () -- C:\Windows\System32\drivers\COMFiltr.sys
[2010.12.13 13:40:37 | 000,000,262 | ---- | M] () -- C:\Windows\System32\PavCPL.dat
[2010.12.13 13:10:21 | 000,109,477 | ---- | M] () -- C:\Users\admin\Desktop\avz_sysinfo.htm
[2010.12.13 13:10:21 | 000,059,552 | ---- | M] () -- C:\Users\admin\Desktop\avz_sysinfo.xml
[2010.12.13 11:32:09 | 000,011,264 | ---- | M] () -- C:\Windows\System32\drivers\uzmznti4.sys
[2010.12.13 10:59:18 | 000,089,088 | ---- | M] () -- C:\Windows\System32\mbr.exe
[2010.12.12 16:40:02 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010.12.12 01:11:19 | 000,000,020 | ---- | M] () -- C:\Users\admin\defogger_reenable
[2010.12.12 01:05:44 | 000,001,965 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.12.06 22:43:15 | 000,007,625 | ---- | M] () -- C:\Users\admin\AppData\Local\Resmon.ResmonCfg
[2010.12.06 21:47:16 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010.12.06 21:27:49 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) -- C:\Windows\System32\drivers\pssdk42.sys
[2010.11.29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.11.29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.11.16 14:24:24 | 000,000,635 | ---- | M] () -- C:\Users\admin\Desktop\Miranda IM.lnk
 
========== Files Created - No Company Name ==========
 
[2010.12.13 15:08:57 | 000,296,448 | ---- | C] () -- C:\Users\admin\Desktop\gmer.exe
[2010.12.13 15:01:22 | 000,001,078 | ---- | C] () -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010.12.13 15:01:16 | 000,000,898 | ---- | C] () -- C:\Users\admin\Desktop\NTREGOPT.lnk
[2010.12.13 15:01:16 | 000,000,879 | ---- | C] () -- C:\Users\admin\Desktop\ERUNT.lnk
[2010.12.13 14:53:57 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.12.13 14:50:58 | 000,288,107 | ---- | C] () -- C:\Users\admin\Desktop\Gmer.zip
[2010.12.13 14:39:26 | 000,003,067 | ---- | C] () -- C:\ports
[2010.12.13 14:10:03 | 000,296,448 | ---- | C] () -- C:\Users\admin\Desktop\test.exe.exe
[2010.12.13 13:57:16 | 000,167,268 | ---- | C] () -- C:\Users\admin\Desktop\RootRepeal.dmp
[2010.12.13 13:56:13 | 000,000,015 | ---- | C] () -- C:\Users\admin\Desktop\settings.dat
[2010.12.13 13:47:47 | 000,008,627 | ---- | C] () -- C:\Windows\System32\PAV_FOG.OPC
[2010.12.13 13:40:45 | 000,013,880 | ---- | C] () -- C:\Windows\System32\drivers\COMFiltr.sys
[2010.12.13 13:40:37 | 000,000,262 | ---- | C] () -- C:\Windows\System32\PavCPL.dat
[2010.12.13 13:40:34 | 000,159,476 | ---- | C] () -- C:\Windows\System32\drivers\APPFCONT.DAT.bck
[2010.12.13 13:40:34 | 000,159,476 | ---- | C] () -- C:\Windows\System32\drivers\APPFCONT.DAT
[2010.12.13 13:40:34 | 000,001,132 | ---- | C] () -- C:\Windows\System32\drivers\APPFLTR.CFG.bck
[2010.12.13 13:40:34 | 000,001,132 | ---- | C] () -- C:\Windows\System32\drivers\APPFLTR.CFG
[2010.12.13 13:10:21 | 000,109,477 | ---- | C] () -- C:\Users\admin\Desktop\avz_sysinfo.htm
[2010.12.13 13:10:21 | 000,059,552 | ---- | C] () -- C:\Users\admin\Desktop\avz_sysinfo.xml
[2010.12.13 11:31:32 | 000,011,264 | ---- | C] () -- C:\Windows\System32\drivers\uzmznti4.sys
[2010.12.13 11:11:44 | 000,089,088 | ---- | C] () -- C:\mbr.exe
[2010.12.13 11:09:13 | 000,089,088 | ---- | C] () -- C:\Windows\System32\mbr.exe
[2010.12.12 01:11:06 | 000,000,020 | ---- | C] () -- C:\Users\admin\defogger_reenable
[2010.12.12 01:05:44 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010.12.06 21:27:49 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010.12.06 00:01:35 | 000,007,625 | ---- | C] () -- C:\Users\admin\AppData\Local\Resmon.ResmonCfg
[2010.11.16 14:24:24 | 000,000,635 | ---- | C] () -- C:\Users\admin\Desktop\Miranda IM.lnk
[2010.11.09 11:46:40 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2010.11.09 11:46:39 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2010.11.09 11:46:36 | 000,790,528 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2010.11.09 11:46:36 | 000,134,144 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2010.11.09 11:46:35 | 000,108,032 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009.07.14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2004.08.13 08:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
 
========== LOP Check ==========
 
[2010.11.30 22:20:24 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\AVG10
[2010.11.13 13:28:39 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\DAEMON Tools Lite
[2010.11.16 14:24:40 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Miranda
[2010.12.13 13:40:09 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Panda Security
[2010.10.10 17:57:24 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\TrueCrypt
[2009.07.14 05:53:46 | 000,022,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2010.12.06 21:47:16 | 000,001,024 | ---- | M] () -- C:\.rnd
[2009.06.10 22:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009.06.10 22:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010.12.13 14:58:56 | 2616,696,832 | -HS- | M] () -- C:\hiberfil.sys
[2010.12.13 14:01:50 | 000,089,088 | ---- | M] () -- C:\mbr.exe
[2010.12.13 14:03:14 | 000,000,793 | ---- | M] () -- C:\mbr.log
[2010.12.13 14:58:55 | 3488,931,840 | -HS- | M] () -- C:\pagefile.sys
[2010.12.13 14:39:49 | 000,003,067 | ---- | M] () -- C:\ports
 
< %systemroot%\system32\*.wt >
 
< %systemroot%\system32\*.ruy >
 
< %systemroot%\Fonts\*.com >
[2009.07.14 05:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009.07.14 05:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009.07.14 05:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009.07.14 05:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
 
< %systemroot%\Fonts\*.dll >
 
< %systemroot%\Fonts\*.ini >
[2009.06.10 22:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini
 
< %systemroot%\Fonts\*.ini2 >
 
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2009.07.14 02:15:26 | 000,090,624 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPWN7.DLL
[2009.07.14 02:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2009.07.14 02:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll
 
< %systemroot%\REPAIR\*.bak1 >
 
< %systemroot%\REPAIR\*.ini >
 
< %systemroot%\system32\*.jpg >
 
< %systemroot%\*.scr >
 
< %systemroot%\*._sy >
 
< %APPDATA%\Adobe\Update\*.* >
 
< %ALLUSERSPROFILE%\Favorites\*.* >
 
< %APPDATA%\Microsoft\*.* >
 
< %PROGRAMFILES%\*.* >
[2009.07.14 05:41:57 | 000,000,174 | -HS- | M] () -- C:\Programme\desktop.ini
 
< %APPDATA%\Update\*.* >
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\system32\user32.dll /md5 >
[2009.07.14 02:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll
 
< %systemroot%\system32\ws2_32.dll /md5 >
[2009.07.14 02:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll
 
< %systemroot%\system32\ws2help.dll /md5 >
[2009.07.14 02:11:26 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=808AABDF9337312195CAFF76D1804786 -- C:\Windows\System32\ws2help.dll
 
 
< MD5 for: EXPLORER.EXE  >
[2009.07.14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009.08.03 06:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009.08.03 06:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009.10.31 07:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
 
< MD5 for: WININIT.EXE  >
[2009.07.14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009.07.14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 06:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009.07.14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-12-11 11:20:53

< End of report >
         

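Added example, not part of doc's post and not OTL's own code: a small Python script that reads the `< MD5 for: ... >` blocks OTL printed above and checks, for every copy that lives outside `C:\Windows\winsxs`, whether a WinSxS store copy with the same MD5 and size exists. In the log above the live `explorer.exe`, `wininit.exe` and `winlogon.exe` each have such a twin (6.1.7600.16450, 16385 and 16447 respectively). The embedded input is constructed: the EXPLORER.EXE and WINLOGON.EXE blocks are copied from the log, the SAMPLE.EXE block is invented (fake hashes and package name) purely to exercise the mismatch path.

```python
import re
from collections import defaultdict

# Constructed input (assumption: it only has to look like OTL output). The
# EXPLORER.EXE and WINLOGON.EXE blocks are copied from the OTL log in this
# thread; the SAMPLE.EXE block is made up (fake hashes, fake package name)
# so that the "no store copy matches" path is exercised.
SAMPLE_OTL = r"""
< MD5 for: EXPLORER.EXE  >
[2009.07.14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe

< MD5 for: WINLOGON.EXE  >
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.07.14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

< MD5 for: SAMPLE.EXE  >
[2010.12.01 10:00:00 | 000,100,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\System32\sample.exe
[2009.07.14 02:14:45 | 000,100,352 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\Windows\winsxs\x86_made-up-component\sample.exe
"""

# A "< MD5 for: NAME >" header ...
SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
# ... is followed by OTL file entries: [stamp | size | attrs | flag] (company) MD5=hash -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>\S+)\s*\|\s*(?P<flag>\w)\]"
    r"\s*\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)


def parse_md5_sections(text):
    """Map each 'MD5 for:' block name to its parsed file entries."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            # Any other "< ... >" scan header ends the current block.
            m = SECTION_RE.match(line)
            current = m.group("name").upper() if m else None
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            path = m.group("path")
            sections[current].append({
                "path": path,
                "size": int(m.group("size").replace(",", "")),
                "md5": m.group("md5").upper(),
                "company": m.group("company").strip(),
                "in_winsxs": "\\winsxs\\" in path.lower(),
            })
    return dict(sections)


def check_live_copies(text):
    """For every copy outside WinSxS, look for a WinSxS copy with the same
    MD5 and size; 'matches' is that copy's path, or None if there is none."""
    report = {}
    for name, entries in parse_md5_sections(text).items():
        store = [e for e in entries if e["in_winsxs"]]
        for live in (e for e in entries if not e["in_winsxs"]):
            twin = next((s for s in store
                         if s["md5"] == live["md5"] and s["size"] == live["size"]), None)
            report.setdefault(name, []).append({
                "path": live["path"],
                "md5": live["md5"],
                "matches": twin["path"] if twin else None,
            })
    return report


def unverified(report):
    """Names whose live copy matched no store copy: look at these first."""
    return sorted(name for name, rows in report.items()
                  if any(r["matches"] is None for r in rows))


if __name__ == "__main__":
    result = check_live_copies(SAMPLE_OTL)
    for name, rows in result.items():
        for r in rows:
            verdict = "matches " + r["matches"] if r["matches"] else "NO matching WinSxS copy"
            print(f"{name}: {r['path']} MD5={r['md5']} -> {verdict}")
    print("needs a closer look:", unverified(result) or "nothing")
```

A match only says the live binary is byte-identical to one servicing-store copy; it is not an authenticity proof on its own. When a live copy matches nothing, the next step is to check the file's Authenticode signature (for example with Sysinternals sigcheck) or run `sfc /scannow`, rather than trusting the MD5 alone.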
13.12.2010, 16:16   #5
doc

Maybe paranoid :)

MBAM LOG

Code:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5306

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13.12.2010 15:07:21
mbam-log-2010-12-13 (15-07-21).txt

Scan type: Quick scan
Objects scanned: 140343
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
         


13.12.2010, 18:47   #6
doc

Maybe paranoid :)

Here is another scan, from AVZ. It throws out quite a bit, but I don't know what it means:

Code:
AVZ Antiviral Toolkit log; AVZ version is 4.35
Scanning started at 13.12.2010 11:36:30
Database loaded: signatures - 283333, NN profile(s) - 2, malware removal microprograms - 56, signature database released 12.12.2010 00:10
Heuristic microprograms loaded: 386
PVS microprograms loaded: 9
Digital signatures of system files loaded: 249050
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7600,  ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:AddMandatoryAce (1029) intercepted, method - ProcAddressHijack.GetProcAddress ->752B24B5->7506193A
Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2655->753A72D8
Function advapi32.dll:I_ScIsSecurityProcess (1362) intercepted, method - ProcAddressHijack.GetProcAddress ->752B268C->753A733F
Function advapi32.dll:I_ScPnPGetServiceName (1363) intercepted, method - ProcAddressHijack.GetProcAddress ->752B26C3->753A7C40
Function advapi32.dll:I_ScQueryServiceConfig (1364) intercepted, method - ProcAddressHijack.GetProcAddress ->752B26FA->753A5F8A
Function advapi32.dll:I_ScSendPnPMessage (1365) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2732->753A5E7D
Function advapi32.dll:I_ScSendTSMessage (1366) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2766->753A71C5
Function advapi32.dll:I_ScValidatePnPService (1369) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2799->753A6B9D
Function advapi32.dll:IsValidRelativeSecurityDescriptor (1389) intercepted, method - ProcAddressHijack.GetProcAddress ->752B27D1->7505977E
Function advapi32.dll:PerfCreateInstance (1515) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2858->745A2187
Function advapi32.dll:PerfDecrementULongCounterValue (1516) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2871->745A2A1D
Function advapi32.dll:PerfDecrementULongLongCounterValue (1517) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2896->745A2B3C
Function advapi32.dll:PerfDeleteInstance (1519) intercepted, method - ProcAddressHijack.GetProcAddress ->752B28BF->745A2259
Function advapi32.dll:PerfIncrementULongCounterValue (1522) intercepted, method - ProcAddressHijack.GetProcAddress ->752B28D8->745A27B9
Function advapi32.dll:PerfIncrementULongLongCounterValue (1523) intercepted, method - ProcAddressHijack.GetProcAddress ->752B28FD->745A28D6
Function advapi32.dll:PerfQueryInstance (1528) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2926->745A2373
Function advapi32.dll:PerfSetCounterRefValue (1529) intercepted, method - ProcAddressHijack.GetProcAddress ->752B293E->745A2447
Function advapi32.dll:PerfSetCounterSetInfo (1530) intercepted, method - ProcAddressHijack.GetProcAddress ->752B295B->745A20B0
Function advapi32.dll:PerfSetULongCounterValue (1531) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2977->745A2565
Function advapi32.dll:PerfSetULongLongCounterValue (1532) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2996->745A2680
Function advapi32.dll:PerfStartProvider (1533) intercepted, method - ProcAddressHijack.GetProcAddress ->752B29B9->745A1FED
Function advapi32.dll:PerfStartProviderEx (1534) intercepted, method - ProcAddressHijack.GetProcAddress ->752B29D1->745A1F34
Function advapi32.dll:PerfStopProvider (1535) intercepted, method - ProcAddressHijack.GetProcAddress ->752B29EB->745A2026
Function advapi32.dll:SystemFunction035 (1753) intercepted, method - ProcAddressHijack.GetProcAddress ->752B2A3C->74A43EA8
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:DavAddConnection (1) intercepted, method - ProcAddressHijack.GetProcAddress ->73833B10->671229DD
Function netapi32.dll:DavDeleteConnection (2) intercepted, method - ProcAddressHijack.GetProcAddress ->73833B29->6712181B
Function netapi32.dll:DavFlushFile (3) intercepted, method - ProcAddressHijack.GetProcAddress ->73833B45->67121713
Function netapi32.dll:DavGetExtendedError (4) intercepted, method - ProcAddressHijack.GetProcAddress ->73833B5A->67122347
Function netapi32.dll:DavGetHTTPFromUNCPath (5) intercepted, method - ProcAddressHijack.GetProcAddress ->73833B76->6712275B
Function netapi32.dll:DavGetUNCFromHTTPPath (6) intercepted, method - ProcAddressHijack.GetProcAddress ->73833B94->6712257D
Function netapi32.dll:DsAddressToSiteNamesA (7) intercepted, method - ProcAddressHijack.GetProcAddress ->73833BB2->748A4A4D
Function netapi32.dll:DsAddressToSiteNamesExA (8) intercepted, method - ProcAddressHijack.GetProcAddress ->73833BD1->748A4D79
Function netapi32.dll:DsAddressToSiteNamesExW (9) intercepted, method - ProcAddressHijack.GetProcAddress ->73833BF2->748A5049
Function netapi32.dll:DsAddressToSiteNamesW (10) intercepted, method - ProcAddressHijack.GetProcAddress ->73833C13->748A4C29
Function netapi32.dll:DsDeregisterDnsHostRecordsA (11) intercepted, method - ProcAddressHijack.GetProcAddress ->73833C32->748A6DD9
Function netapi32.dll:DsDeregisterDnsHostRecordsW (12) intercepted, method - ProcAddressHijack.GetProcAddress ->73833C57->748A6D59
Function netapi32.dll:DsEnumerateDomainTrustsA (13) intercepted, method - ProcAddressHijack.GetProcAddress ->73833C7C->748A6771
Function netapi32.dll:DsEnumerateDomainTrustsW (14) intercepted, method - ProcAddressHijack.GetProcAddress ->73833C9E->748960BC
Function netapi32.dll:DsGetDcCloseW (15) intercepted, method - ProcAddressHijack.GetProcAddress ->73833CC0->748A495D
Function netapi32.dll:DsGetDcNameA (16) intercepted, method - ProcAddressHijack.GetProcAddress ->73833CD7->748A5BB2
Function netapi32.dll:DsGetDcNameW (17) intercepted, method - ProcAddressHijack.GetProcAddress ->73833CED->74894CA8
Function netapi32.dll:DsGetDcNameWithAccountA (18) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D03->748A55E9
Function netapi32.dll:DsGetDcNameWithAccountW (19) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D24->74894CD1
Function netapi32.dll:DsGetDcNextA (20) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D45->748A4896
Function netapi32.dll:DsGetDcNextW (21) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D5B->748A47ED
Function netapi32.dll:DsGetDcOpenA (22) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D71->748A473D
Function netapi32.dll:DsGetDcOpenW (23) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D87->748A46AB
Function netapi32.dll:DsGetDcSiteCoverageA (24) intercepted, method - ProcAddressHijack.GetProcAddress ->73833D9D->748A5239
Function netapi32.dll:DsGetDcSiteCoverageW (25) intercepted, method - ProcAddressHijack.GetProcAddress ->73833DBB->748A5409
Function netapi32.dll:DsGetForestTrustInformationW (26) intercepted, method - ProcAddressHijack.GetProcAddress ->73833DD9->748A6E6F
Function netapi32.dll:DsGetSiteNameA (27) intercepted, method - ProcAddressHijack.GetProcAddress ->73833DFF->748A5B39
Function netapi32.dll:DsGetSiteNameW (28) intercepted, method - ProcAddressHijack.GetProcAddress ->73833E17->74895F24
Function netapi32.dll:DsMergeForestTrustInformationW (29) intercepted, method - ProcAddressHijack.GetProcAddress ->73833E2F->748A6F71
Function netapi32.dll:DsRoleAbortDownlevelServerUpgrade (30) intercepted, method - ProcAddressHijack.GetProcAddress ->73833E57->730E4339
Function netapi32.dll:DsRoleCancel (31) intercepted, method - ProcAddressHijack.GetProcAddress ->73833E80->730E34A9
Function netapi32.dll:DsRoleDcAsDc (32) intercepted, method - ProcAddressHijack.GetProcAddress ->73833E94->730E3EAD
Function netapi32.dll:DsRoleDcAsReplica (33) intercepted, method - ProcAddressHijack.GetProcAddress ->73833EA8->730E3F99
Function netapi32.dll:DsRoleDemoteDc (34) intercepted, method - ProcAddressHijack.GetProcAddress ->73833EC1->730E4189
Function netapi32.dll:DsRoleDnsNameToFlatName (35) intercepted, method - ProcAddressHijack.GetProcAddress ->73833ED7->730E32B5
Function netapi32.dll:DsRoleFreeMemory (36) intercepted, method - ProcAddressHijack.GetProcAddress ->73833EF6->730E19A9
Function netapi32.dll:DsRoleGetDatabaseFacts (37) intercepted, method - ProcAddressHijack.GetProcAddress ->73833F0E->730E3651
Function netapi32.dll:DsRoleGetDcOperationProgress (38) intercepted, method - ProcAddressHijack.GetProcAddress ->73833F2C->730E3351
Function netapi32.dll:DsRoleGetDcOperationResults (39) intercepted, method - ProcAddressHijack.GetProcAddress ->73833F50->730E3401
Function netapi32.dll:DsRoleGetPrimaryDomainInformation (40) intercepted, method - ProcAddressHijack.GetProcAddress ->73833F73->730E1F3D
Function netapi32.dll:DsRoleIfmHandleFree (41) intercepted, method - ProcAddressHijack.GetProcAddress ->73833F9C->730E3539
Function netapi32.dll:DsRoleServerSaveStateForUpgrade (42) intercepted, method - ProcAddressHijack.GetProcAddress ->73833FB7->730E35C9
Function netapi32.dll:DsRoleUpgradeDownlevelServer (43) intercepted, method - ProcAddressHijack.GetProcAddress ->73833FDE->730E4261
Function netapi32.dll:DsValidateSubnetNameA (44) intercepted, method - ProcAddressHijack.GetProcAddress ->73834002->748A5AF9
Function netapi32.dll:DsValidateSubnetNameW (45) intercepted, method - ProcAddressHijack.GetProcAddress ->73834021->748A49E1
Function netapi32.dll:I_BrowserDebugCall (46) intercepted, method - ProcAddressHijack.GetProcAddress ->73834040->71DC24A9
Function netapi32.dll:I_BrowserDebugTrace (47) intercepted, method - ProcAddressHijack.GetProcAddress ->7383405B->71DC2581
Function netapi32.dll:I_BrowserQueryEmulatedDomains (48) intercepted, method - ProcAddressHijack.GetProcAddress ->73834077->71DC29F9
Function netapi32.dll:I_BrowserQueryOtherDomains (49) intercepted, method - ProcAddressHijack.GetProcAddress ->7383409D->71DC22C1
Function netapi32.dll:I_BrowserQueryStatistics (50) intercepted, method - ProcAddressHijack.GetProcAddress ->738340C0->71DC2651
Function netapi32.dll:I_BrowserResetNetlogonState (51) intercepted, method - ProcAddressHijack.GetProcAddress ->738340E1->71DC23D1
Function netapi32.dll:I_BrowserResetStatistics (52) intercepted, method - ProcAddressHijack.GetProcAddress ->73834105->71DC2729
Function netapi32.dll:I_BrowserServerEnum (53) intercepted, method - ProcAddressHijack.GetProcAddress ->73834126->71DC20BF
Function netapi32.dll:I_BrowserSetNetlogonState (54) intercepted, method - ProcAddressHijack.GetProcAddress ->73834142->71DC2919
Function netapi32.dll:I_DsUpdateReadOnlyServerDnsRecords (55) intercepted, method - ProcAddressHijack.GetProcAddress ->73834164->748A5569
Function netapi32.dll:I_NetAccountDeltas (56) intercepted, method - ProcAddressHijack.GetProcAddress ->73834190->748A63AB
Function netapi32.dll:I_NetAccountSync (57) intercepted, method - ProcAddressHijack.GetProcAddress ->738341AC->748A63AB
Function netapi32.dll:I_NetChainSetClientAttributes (59) intercepted, method - ProcAddressHijack.GetProcAddress ->738341C6->748A6FA6
Function netapi32.dll:I_NetChainSetClientAttributes2 (58) intercepted, method - ProcAddressHijack.GetProcAddress ->738341ED->748A7029
Function netapi32.dll:I_NetDatabaseDeltas (60) intercepted, method - ProcAddressHijack.GetProcAddress ->73834215->748A6391
Function netapi32.dll:I_NetDatabaseRedo (61) intercepted, method - ProcAddressHijack.GetProcAddress ->73834232->748A6521
Function netapi32.dll:I_NetDatabaseSync (63) intercepted, method - ProcAddressHijack.GetProcAddress ->7383424D->748A6391
Function netapi32.dll:I_NetDatabaseSync2 (62) intercepted, method - ProcAddressHijack.GetProcAddress ->73834268->748A639E
Function netapi32.dll:I_NetDfsGetVersion (64) intercepted, method - ProcAddressHijack.GetProcAddress ->73834284->74CE7CA1
Function netapi32.dll:I_NetDfsIsThisADomainName (65) intercepted, method - ProcAddressHijack.GetProcAddress ->7383429E->71DB4E39
Function netapi32.dll:I_NetGetDCList (66) intercepted, method - ProcAddressHijack.GetProcAddress ->738342BF->748A5D9C
Function netapi32.dll:I_NetGetForestTrustInformation (67) intercepted, method - ProcAddressHijack.GetProcAddress ->738342D7->748A6EF1
Function netapi32.dll:I_NetLogonControl (69) intercepted, method - ProcAddressHijack.GetProcAddress ->738342FF->748A63B8
Function netapi32.dll:I_NetLogonControl2 (68) intercepted, method - ProcAddressHijack.GetProcAddress ->7383431A->748A6439
Function netapi32.dll:I_NetLogonGetDomainInfo (70) intercepted, method - ProcAddressHijack.GetProcAddress ->73834336->748964A4
Function netapi32.dll:I_NetLogonSamLogoff (71) intercepted, method - ProcAddressHijack.GetProcAddress ->73834357->748A6091
Function netapi32.dll:I_NetLogonSamLogon (72) intercepted, method - ProcAddressHijack.GetProcAddress ->73834374->748A5F39
Function netapi32.dll:I_NetLogonSamLogonEx (73) intercepted, method - ProcAddressHijack.GetProcAddress ->73834390->748A5FE1
Function netapi32.dll:I_NetLogonSamLogonWithFlags (74) intercepted, method - ProcAddressHijack.GetProcAddress ->738343AE->7489B22A
Function netapi32.dll:I_NetLogonSendToSam (75) intercepted, method - ProcAddressHijack.GetProcAddress ->738343D3->748A6111
Function netapi32.dll:I_NetLogonUasLogoff (76) intercepted, method - ProcAddressHijack.GetProcAddress ->738343F0->748A5EC9
Function netapi32.dll:I_NetLogonUasLogon (77) intercepted, method - ProcAddressHijack.GetProcAddress ->7383440D->748A5E53
Function netapi32.dll:I_NetServerAuthenticate (80) intercepted, method - ProcAddressHijack.GetProcAddress ->73834429->748A6191
Function netapi32.dll:I_NetServerAuthenticate2 (78) intercepted, method - ProcAddressHijack.GetProcAddress ->7383444A->748A6211
Function netapi32.dll:I_NetServerAuthenticate3 (79) intercepted, method - ProcAddressHijack.GetProcAddress ->7383446C->74896393
Function netapi32.dll:I_NetServerGetTrustInfo (81) intercepted, method - ProcAddressHijack.GetProcAddress ->7383448E->748A6C61
Function netapi32.dll:I_NetServerPasswordGet (82) intercepted, method - ProcAddressHijack.GetProcAddress ->738344AF->748A6B61
Function netapi32.dll:I_NetServerPasswordSet (84) intercepted, method - ProcAddressHijack.GetProcAddress ->738344CF->748A6291
Function netapi32.dll:I_NetServerPasswordSet2 (83) intercepted, method - ProcAddressHijack.GetProcAddress ->738344EF->748A6311
Function netapi32.dll:I_NetServerReqChallenge (85) intercepted, method - ProcAddressHijack.GetProcAddress ->73834510->74896424
Function netapi32.dll:I_NetServerSetServiceBits (86) intercepted, method - ProcAddressHijack.GetProcAddress ->73834531->74CE426D
Function netapi32.dll:I_NetServerSetServiceBitsEx (87) intercepted, method - ProcAddressHijack.GetProcAddress ->73834552->74CE6D11
Function netapi32.dll:I_NetServerTrustPasswordsGet (88) intercepted, method - ProcAddressHijack.GetProcAddress ->73834575->748A6BE1
Function netapi32.dll:I_NetlogonComputeClientDigest (89) intercepted, method - ProcAddressHijack.GetProcAddress ->7383459B->74895C20
Function netapi32.dll:I_NetlogonComputeServerDigest (90) intercepted, method - ProcAddressHijack.GetProcAddress ->738345C2->748A6AEC
Function netapi32.dll:NetAddAlternateComputerName (97) intercepted, method - ProcAddressHijack.GetProcAddress ->738345E9->73705B21
Function netapi32.dll:NetAddServiceAccount (98) intercepted, method - ProcAddressHijack.GetProcAddress ->7383460C->748A70B1
Function netapi32.dll:NetApiBufferAllocate (101) intercepted, method - ProcAddressHijack.GetProcAddress ->7383462A->73821415
Function netapi32.dll:NetApiBufferFree (102) intercepted, method - ProcAddressHijack.GetProcAddress ->73834648->738213D2
Function netapi32.dll:NetApiBufferReallocate (103) intercepted, method - ProcAddressHijack.GetProcAddress ->73834662->73823729
Function netapi32.dll:NetApiBufferSize (104) intercepted, method - ProcAddressHijack.GetProcAddress ->73834682->73823771
Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method - ProcAddressHijack.GetProcAddress ->7383469C->71DC2801
Function netapi32.dll:NetConnectionEnum (112) intercepted, method - ProcAddressHijack.GetProcAddress ->738346BC->74CE5521
Function netapi32.dll:NetDfsAdd (113) intercepted, method - ProcAddressHijack.GetProcAddress ->738346D5->71DB78FD
Function netapi32.dll:NetDfsAddFtRoot (114) intercepted, method - ProcAddressHijack.GetProcAddress ->738346E6->71DB6859
Function netapi32.dll:NetDfsAddRootTarget (115) intercepted, method - ProcAddressHijack.GetProcAddress ->738346FD->71DB7401
Function netapi32.dll:NetDfsAddStdRoot (116) intercepted, method - ProcAddressHijack.GetProcAddress ->73834718->71DB2B1E
Function netapi32.dll:NetDfsAddStdRootForced (117) intercepted, method - ProcAddressHijack.GetProcAddress ->73834730->71DB2BB1
Function netapi32.dll:NetDfsEnum (118) intercepted, method - ProcAddressHijack.GetProcAddress ->7383474E->71DB70F9
Function netapi32.dll:NetDfsGetClientInfo (119) intercepted, method - ProcAddressHijack.GetProcAddress ->73834760->71DB3F25
Function netapi32.dll:NetDfsGetDcAddress (120) intercepted, method - ProcAddressHijack.GetProcAddress ->7383477B->71DB2C51
Function netapi32.dll:NetDfsGetFtContainerSecurity (121) intercepted, method - ProcAddressHijack.GetProcAddress ->73834795->71DB5363
Function netapi32.dll:NetDfsGetInfo (122) intercepted, method - ProcAddressHijack.GetProcAddress ->738347B9->71DB2D69
Function netapi32.dll:NetDfsGetSecurity (123) intercepted, method - ProcAddressHijack.GetProcAddress ->738347CE->71DB7741
Function netapi32.dll:NetDfsGetStdContainerSecurity (124) intercepted, method - ProcAddressHijack.GetProcAddress ->738347E7->71DB3AD5
Function netapi32.dll:NetDfsGetSupportedNamespaceVersion (125) intercepted, method - ProcAddressHijack.GetProcAddress ->7383480C->71DB5C19
Function netapi32.dll:NetDfsManagerGetConfigInfo (126) intercepted, method - ProcAddressHijack.GetProcAddress ->73834836->71DB2E9C
Function netapi32.dll:NetDfsManagerInitialize (127) intercepted, method - ProcAddressHijack.GetProcAddress ->73834858->71DB2F91
Function netapi32.dll:NetDfsManagerSendSiteInfo (128) intercepted, method - ProcAddressHijack.GetProcAddress ->73834877->71DB72C5
Function netapi32.dll:NetDfsMove (129) intercepted, method - ProcAddressHijack.GetProcAddress ->73834898->71DB5651
Function netapi32.dll:NetDfsRemove (130) intercepted, method - ProcAddressHijack.GetProcAddress ->738348AA->71DB7A19
Function netapi32.dll:NetDfsRemoveFtRoot (131) intercepted, method - ProcAddressHijack.GetProcAddress ->738348BE->71DB6A99
Function netapi32.dll:NetDfsRemoveFtRootForced (132) intercepted, method - ProcAddressHijack.GetProcAddress ->738348D8->71DB6BE5
Function netapi32.dll:NetDfsRemoveRootTarget (133) intercepted, method - ProcAddressHijack.GetProcAddress ->738348F8->71DB5879
Function netapi32.dll:NetDfsRemoveStdRoot (134) intercepted, method - ProcAddressHijack.GetProcAddress ->73834916->71DB2CE1
Function netapi32.dll:NetDfsRename (135) intercepted, method - ProcAddressHijack.GetProcAddress ->73834931->71DB2E91
Function netapi32.dll:NetDfsSetClientInfo (136) intercepted, method - ProcAddressHijack.GetProcAddress ->73834945->71DB4301
Function netapi32.dll:NetDfsSetFtContainerSecurity (137) intercepted, method - ProcAddressHijack.GetProcAddress ->73834960->71DB53AF
Function netapi32.dll:NetDfsSetInfo (138) intercepted, method - ProcAddressHijack.GetProcAddress ->73834984->71DB6D8B
Function netapi32.dll:NetDfsSetSecurity (139) intercepted, method - ProcAddressHijack.GetProcAddress ->73834999->71DB7822
Function netapi32.dll:NetDfsSetStdContainerSecurity (140) intercepted, method - ProcAddressHijack.GetProcAddress ->738349B2->71DB3B24
Function netapi32.dll:NetEnumerateComputerNames (141) intercepted, method - ProcAddressHijack.GetProcAddress ->738349D7->73705E39
Function netapi32.dll:NetEnumerateServiceAccounts (142) intercepted, method - ProcAddressHijack.GetProcAddress ->738349F8->748A7199
Function netapi32.dll:NetEnumerateTrustedDomains (143) intercepted, method - ProcAddressHijack.GetProcAddress ->73834A1D->748A652E
Function netapi32.dll:NetFileClose (147) intercepted, method - ProcAddressHijack.GetProcAddress ->73834A41->74CE5659
Function netapi32.dll:NetFileEnum (148) intercepted, method - ProcAddressHijack.GetProcAddress ->73834A55->74CE5729
Function netapi32.dll:NetFileGetInfo (149) intercepted, method - ProcAddressHijack.GetProcAddress ->73834A68->74CE5859
Function netapi32.dll:NetGetAnyDCName (150) intercepted, method - ProcAddressHijack.GetProcAddress ->73834A7E->748A496D
Function netapi32.dll:NetGetDCName (151) intercepted, method - ProcAddressHijack.GetProcAddress ->73834A97->748A5913
Function netapi32.dll:NetGetDisplayInformationIndex (152) intercepted, method - ProcAddressHijack.GetProcAddress ->73834AAD->736F4117
Function netapi32.dll:NetGetJoinInformation (153) intercepted, method - ProcAddressHijack.GetProcAddress ->73834AD2->73702DC7
Function netapi32.dll:NetGetJoinableOUs (154) intercepted, method - ProcAddressHijack.GetProcAddress ->73834AEF->737059D1
Function netapi32.dll:NetGroupAdd (155) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B08->736F71C3
Function netapi32.dll:NetGroupAddUser (156) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B1B->736F73AD
Function netapi32.dll:NetGroupDel (157) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B32->736F73CB
Function netapi32.dll:NetGroupDelUser (158) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B45->736F73EB
Function netapi32.dll:NetGroupEnum (159) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B5C->736F7409
Function netapi32.dll:NetGroupGetInfo (160) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B70->736F78C8
Function netapi32.dll:NetGroupGetUsers (161) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B87->736F7952
Function netapi32.dll:NetGroupSetInfo (162) intercepted, method - ProcAddressHijack.GetProcAddress ->73834B9F->736F7C02
Function netapi32.dll:NetGroupSetUsers (163) intercepted, method - ProcAddressHijack.GetProcAddress ->73834BB6->736F7DAE
Function netapi32.dll:NetIsServiceAccount (164) intercepted, method - ProcAddressHijack.GetProcAddress ->73834BCE->748A72D9
Function netapi32.dll:NetJoinDomain (165) intercepted, method - ProcAddressHijack.GetProcAddress ->73834BEB->737054B9
Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method - ProcAddressHijack.GetProcAddress ->73834C00->736F875A
Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method - ProcAddressHijack.GetProcAddress ->73834C18->736F8886
Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method - ProcAddressHijack.GetProcAddress ->73834C36->736F8E99
Function netapi32.dll:NetLocalGroupDel (169) intercepted, method - ProcAddressHijack.GetProcAddress ->73834C55->736F88A4
Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method - ProcAddressHijack.GetProcAddress ->73834C6D->736F8928
Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method - ProcAddressHijack.GetProcAddress ->73834C8B->736F8EBD
Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method - ProcAddressHijack.GetProcAddress ->73834CAA->736F8946
Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method - ProcAddressHijack.GetProcAddress ->73834CC3->736F8CE4
Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method - ProcAddressHijack.GetProcAddress ->73834CDF->736F2265
Function netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method - ProcAddressHijack.GetProcAddress ->73834CFE->736F8D57
Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method - ProcAddressHijack.GetProcAddress ->73834D1A->736F8E75
Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method - ProcAddressHijack.GetProcAddress ->73834D39->748A6CE9
Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method - ProcAddressHijack.GetProcAddress ->73834D65->7489603C
Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method - ProcAddressHijack.GetProcAddress ->73834D85->74B2F2D3
Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method - ProcAddressHijack.GetProcAddress ->73834DA9->736F3D87
Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method - ProcAddressHijack.GetProcAddress ->73834DCB->748A7249
Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method - ProcAddressHijack.GetProcAddress ->73834DEB->73822160
Function netapi32.dll:NetRemoteTOD (189) intercepted, method - ProcAddressHijack.GetProcAddress ->73834E0E->74CE6C11
Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method - ProcAddressHijack.GetProcAddress ->73834E22->73705C29
Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method - ProcAddressHijack.GetProcAddress ->73834E48->748A7129
Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method - ProcAddressHijack.GetProcAddress ->73834E69->73705751
Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method - ProcAddressHijack.GetProcAddress ->73834E89->74B2B52F
Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method - ProcAddressHijack.GetProcAddress ->73834EAD->71DA19D1
Function netapi32.dll:NetScheduleJobDel (210) intercepted, method - ProcAddressHijack.GetProcAddress ->73834EC8->71DA1AC9
Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method - ProcAddressHijack.GetProcAddress ->73834EE3->71DA1BC1
Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method - ProcAddressHijack.GetProcAddress ->73834EFF->71DA1CE1
Function netapi32.dll:NetServerAliasAdd (213) intercepted, method - ProcAddressHijack.GetProcAddress ->73834F1E->74CE7843
Function netapi32.dll:NetServerAliasDel (214) intercepted, method - ProcAddressHijack.GetProcAddress ->73834F37->74CE7A79
Function netapi32.dll:NetServerAliasEnum (215) intercepted, method - ProcAddressHijack.GetProcAddress ->73834F50->74CE7931
Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method - ProcAddressHijack.GetProcAddress ->73834F6A->74CE7411
Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method - ProcAddressHijack.GetProcAddress ->73834F8A->74CE76FB
Function netapi32.dll:NetServerDiskEnum (218) intercepted, method - ProcAddressHijack.GetProcAddress ->73834FAA->74CE6559
Function netapi32.dll:NetServerEnum (219) intercepted, method - ProcAddressHijack.GetProcAddress ->73834FC3->71DC2F61
Function netapi32.dll:NetServerEnumEx (220) intercepted, method - ProcAddressHijack.GetProcAddress ->73834FD9->71DC2C5F
Function netapi32.dll:NetServerGetInfo (221) intercepted, method - ProcAddressHijack.GetProcAddress ->73834FF1->74CE3CFA
Function netapi32.dll:NetServerSetInfo (222) intercepted, method - ProcAddressHijack.GetProcAddress ->73835009->74CE6681
Function netapi32.dll:NetServerTransportAdd (223) intercepted, method - ProcAddressHijack.GetProcAddress ->73835021->74CE6851
Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method - ProcAddressHijack.GetProcAddress ->7383503E->74CE7329
Function netapi32.dll:NetServerTransportDel (225) intercepted, method - ProcAddressHijack.GetProcAddress ->7383505D->74CE6A01
Function netapi32.dll:NetServerTransportEnum (226) intercepted, method - ProcAddressHijack.GetProcAddress ->7383507A->74CE6AD9
Function netapi32.dll:NetSessionDel (231) intercepted, method - ProcAddressHijack.GetProcAddress ->73835098->74CE5941
Function netapi32.dll:NetSessionEnum (232) intercepted, method - ProcAddressHijack.GetProcAddress ->738350AD->74CE5A11
Function netapi32.dll:NetSessionGetInfo (233) intercepted, method - ProcAddressHijack.GetProcAddress ->738350C3->74CE5B41
Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method - ProcAddressHijack.GetProcAddress ->738350DC->73705D31
Function netapi32.dll:NetShareAdd (235) intercepted, method - ProcAddressHijack.GetProcAddress ->738350FD->74CE5C81
Function netapi32.dll:NetShareCheck (236) intercepted, method - ProcAddressHijack.GetProcAddress ->73835110->74CE5E91
Function netapi32.dll:NetShareDel (237) intercepted, method - ProcAddressHijack.GetProcAddress ->73835125->74CE5F81
Function netapi32.dll:NetShareDelEx (238) intercepted, method - ProcAddressHijack.GetProcAddress ->73835138->74CE7B61
Function netapi32.dll:NetShareDelSticky (239) intercepted, method - ProcAddressHijack.GetProcAddress ->7383514D->74CE60D1
Function netapi32.dll:NetShareEnum (240) intercepted, method - ProcAddressHijack.GetProcAddress ->73835166->74CE3F91
Function netapi32.dll:NetShareEnumSticky (241) intercepted, method - ProcAddressHijack.GetProcAddress ->7383517A->74CE61C9
Function netapi32.dll:NetShareGetInfo (242) intercepted, method - ProcAddressHijack.GetProcAddress ->73835194->74CE433F
Function netapi32.dll:NetShareSetInfo (243) intercepted, method - ProcAddressHijack.GetProcAddress ->738351AB->74CE6341
Function netapi32.dll:NetUnjoinDomain (245) intercepted, method - ProcAddressHijack.GetProcAddress ->738351C2->73705641
Function netapi32.dll:NetUseAdd (247) intercepted, method - ProcAddressHijack.GetProcAddress ->738351D9->73703693
Function netapi32.dll:NetUseDel (248) intercepted, method - ProcAddressHijack.GetProcAddress ->738351EA->73705FA9
Function netapi32.dll:NetUseEnum (249) intercepted, method - ProcAddressHijack.GetProcAddress ->738351FB->73703184
Function netapi32.dll:NetUseGetInfo (250) intercepted, method - ProcAddressHijack.GetProcAddress ->7383520D->73706039
Function netapi32.dll:NetUserAdd (251) intercepted, method - ProcAddressHijack.GetProcAddress ->73835222->736F464F
Function netapi32.dll:NetUserChangePassword (252) intercepted, method - ProcAddressHijack.GetProcAddress ->73835234->736F5A06
Function netapi32.dll:NetUserDel (253) intercepted, method - ProcAddressHijack.GetProcAddress ->73835251->736F4826
Function netapi32.dll:NetUserEnum (254) intercepted, method - ProcAddressHijack.GetProcAddress ->73835263->736F49D6
Function netapi32.dll:NetUserGetGroups (255) intercepted, method - ProcAddressHijack.GetProcAddress ->73835276->736F4E01
Function netapi32.dll:NetUserGetInfo (256) intercepted, method - ProcAddressHijack.GetProcAddress ->7383528E->736F1C60
Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method - ProcAddressHijack.GetProcAddress ->738352A4->736F2875
Function netapi32.dll:NetUserModalsGet (258) intercepted, method - ProcAddressHijack.GetProcAddress ->738352C1->736F206B
Function netapi32.dll:NetUserModalsSet (259) intercepted, method - ProcAddressHijack.GetProcAddress ->738352D9->736F54AA
Function netapi32.dll:NetUserSetGroups (260) intercepted, method - ProcAddressHijack.GetProcAddress ->738352F1->736F5095
Function netapi32.dll:NetUserSetInfo (261) intercepted, method - ProcAddressHijack.GetProcAddress ->73835309->736F4D1D
Function netapi32.dll:NetValidateName (262) intercepted, method - ProcAddressHijack.GetProcAddress ->7383531F->73705859
Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method - ProcAddressHijack.GetProcAddress ->73835336->736F9967
Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method - ProcAddressHijack.GetProcAddress ->73835357->736F9B6B
Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method - ProcAddressHijack.GetProcAddress ->7383537C->73704E45
Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method - ProcAddressHijack.GetProcAddress ->73835398->73704F21
Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method - ProcAddressHijack.GetProcAddress ->738353B4->73704CF9
Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method - ProcAddressHijack.GetProcAddress ->738353D1->73704AD1
Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method - ProcAddressHijack.GetProcAddress ->738353E9->73703280
Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method - ProcAddressHijack.GetProcAddress ->73835404->73704C15
Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method - ProcAddressHijack.GetProcAddress ->7383541F->738237AA
Function netapi32.dll:NetpIsRemote (289) intercepted, method - ProcAddressHijack.GetProcAddress ->7383543E->7382382D
Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method - ProcAddressHijack.GetProcAddress ->73835454->73821C30
Function netapi32.dll:NetpwNameCompare (297) intercepted, method - ProcAddressHijack.GetProcAddress ->73835473->73821F2E
Function netapi32.dll:NetpwNameValidate (298) intercepted, method - ProcAddressHijack.GetProcAddress ->7383548D->73821990
Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method - ProcAddressHijack.GetProcAddress ->738354A8->7382275D
Function netapi32.dll:NetpwPathCompare (300) intercepted, method - ProcAddressHijack.GetProcAddress ->738354C7->73824086
Function netapi32.dll:NetpwPathType (301) intercepted, method - ProcAddressHijack.GetProcAddress ->738354E1->73822533
Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method - ProcAddressHijack.GetProcAddress ->738354F8->748961F8
Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method - ProcAddressHijack.GetProcAddress ->7383551B->74895D67
Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method - ProcAddressHijack.GetProcAddress ->73835543->74896198
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=1689C0)
 Kernel ntkrnlpa.exe found in memory at address 82A00000
   SDT = 82B689C0
   KiST = 82A6F700 (401)
Function NtCreateProcessEx (50) - machine code modification Method of JmpTo. jmp 918B9BB2\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateSection (54) - machine code modification Method of JmpTo. jmp 918B99D6\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtLoadDriver (9B) - machine code modification Method of JmpTo. jmp 918B9B10\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateSection (82C30D63) - machine code modification Method of JmpTo. jmp 918B99D6 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObMakeTemporaryObject (82C08FBF) - machine code modification Method of JmpTo. jmp 918B55D4 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Functions checked: 401, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Analyzing CPU 3
 Analyzing CPU 4
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Masking process with PID=260, name = ""
 >> PID substitution detected (current PID is=0, real = 260)
Masking process with PID=340, name = ""
 >> PID substitution detected (current PID is=0, real = 340)
Masking process with PID=404, name = ""
 >> PID substitution detected (current PID is=0, real = 404)
Masking process with PID=828, name = ""
 >> PID substitution detected (current PID is=0, real = 828)
Masking process with PID=1588, name = ""
 >> PID substitution detected (current PID is=0, real = 1588)
Masking process with PID=2284, name = ""
 >> PID substitution detected (current PID is=0, real = 2284)
Masking process with PID=2404, name = ""
 >> PID substitution detected (current PID is=0, real = 2404)
Masking process with PID=2600, name = ""
 >> PID substitution detected (current PID is=0, real = 2600)
Masking process with PID=2972, name = ""
 >> PID substitution detected (current PID is=0, real = 2972)
Masking process with PID=3564, name = ""
 >> PID substitution detected (current PID is=0, real = 3564)
Masking process with PID=3588, name = ""
 >> PID substitution detected (current PID is=0, real = 3588)
Masking process with PID=3828, name = ""
 >> PID substitution detected (current PID is=0, real = 3828)
Masking process with PID=2060, name = ""
 >> PID substitution detected (current PID is=0, real = 2060)
Masking process with PID=2428, name = ""
 >> PID substitution detected (current PID is=0, real = 2428)
Masking process with PID=2308, name = ""
 >> PID substitution detected (current PID is=0, real = 2308)
Masking process with PID=2960, name = ""
 >> PID substitution detected (current PID is=0, real = 2960)
Masking process with PID=3192, name = ""
 >> PID substitution detected (current PID is=0, real = 3192)
Masking process with PID=3240, name = ""
 >> PID substitution detected (current PID is=0, real = 3240)
Masking process with PID=884, name = ""
 >> PID substitution detected (current PID is=0, real = 884)
Masking process with PID=3960, name = ""
 >> PID substitution detected (current PID is=0, real = 3960)
Masking process with PID=3840, name = ""
 >> PID substitution detected (current PID is=0, real = 3840)
Masking process with PID=872, name = ""
 >> PID substitution detected (current PID is=0, real = 872)
Masking process with PID=4068, name = ""
 >> PID substitution detected (current PID is=0, real = 4068)
Masking process with PID=2132, name = ""
 >> PID substitution detected (current PID is=0, real = 2132)
Masking process with PID=3828, name = ""
 >> PID substitution detected (current PID is=0, real = 3828)
Masking process with PID=952, name = ""
 >> PID substitution detected (current PID is=0, real = 952)
Masking process with PID=3900, name = ""
 >> PID substitution detected (current PID is=0, real = 3900)
Masking process with PID=3872, name = ""
 >> PID substitution detected (current PID is=0, real = 3872)
Masking process with PID=4068, name = ""
 >> PID substitution detected (current PID is=0, real = 4068)
Masking process with PID=3160, name = ""
 >> PID substitution detected (current PID is=0, real = 3160)
Masking process with PID=3584, name = ""
 >> PID substitution detected (current PID is=0, real = 3584)
 Searching for masking processes and drivers - complete
         
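The scan output above lists one "Masking process" entry per hidden process, each followed by a "PID substitution detected" line, and the same PID shows up more than once (3828 and 4068 each appear twice). The following helper is an added example, not part of the original post and not code from the scanner that produced the log: it parses lines in exactly the format shown, folds each substitution line into the preceding entry, and summarises unique PIDs, repeated PIDs, unnamed entries and any entry whose "real" PID disagrees with the PID in the header line. The sample lines are constructed by copying a few entries from the posted log; the assumed line format is the only thing the parser relies on, and it does not decide whether the entries indicate a rootkit.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the scan output posted above,
# including one PID (3828) that is listed twice, plus the closing line.
SAMPLE_LOG = """\
Masking process with PID=3588, name = ""
 >> PID substitution detected (current PID is=0, real = 3588)
Masking process with PID=3828, name = ""
 >> PID substitution detected (current PID is=0, real = 3828)
Masking process with PID=2060, name = ""
 >> PID substitution detected (current PID is=0, real = 2060)
Masking process with PID=3828, name = ""
 >> PID substitution detected (current PID is=0, real = 3828)
 Searching for masking processes and drivers - complete
"""

# Assumed line formats, taken verbatim from the posted log.
MASK_RE = re.compile(r'^\s*Masking process with PID=(\d+), name = "(.*)"\s*$')
SUBST_RE = re.compile(
    r'^\s*>> PID substitution detected \(current PID is=(\d+), real = (\d+)\)\s*$'
)


def parse_masking_log(text):
    """Return one dict per 'Masking process' line.

    The '>> PID substitution' line that follows a header is folded into
    that header's dict as reported_pid / real_pid.  Lines matching
    neither pattern (e.g. the 'complete' footer) are ignored.
    """
    entries = []
    for line in text.splitlines():
        m = MASK_RE.match(line)
        if m:
            entries.append({
                "pid": int(m.group(1)),
                "name": m.group(2),
                "reported_pid": None,
                "real_pid": None,
            })
            continue
        s = SUBST_RE.match(line)
        if s and entries:
            entries[-1]["reported_pid"] = int(s.group(1))
            entries[-1]["real_pid"] = int(s.group(2))
    return entries


def summarize(entries):
    """Collapse the entry list into what a reviewer wants to eyeball:
    the unique PIDs, PIDs listed more than once, how many entries carry
    an empty process name, and entries whose header PID and 'real' PID
    disagree (none in the posted log, but worth checking in a long dump).
    """
    counts = Counter(e["pid"] for e in entries)
    return {
        "unique_pids": sorted(counts),
        "repeated_pids": sorted(p for p, c in counts.items() if c > 1),
        "unnamed": sum(1 for e in entries if e["name"] == ""),
        "inconsistent": sorted(
            e["pid"] for e in entries
            if e["real_pid"] is not None and e["real_pid"] != e["pid"]
        ),
    }


if __name__ == "__main__":
    parsed = parse_masking_log(SAMPLE_LOG)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
```

Paste the whole scan output into `SAMPLE_LOG` (or read it from a file) to get the same summary for the full list; a repeated PID in this kind of log is worth noting but is not by itself evidence of anything, since the poster's log does not say whether the scanner enumerated each process more than once.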
