Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung
Browser Highjacker

Browser Highjacker


Plagegeister aller Art und deren Bekämpfung: Browser Highjacker

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Seite 1 von 3 1 23
Alt 12.03.2013, 17:53   #1
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


Also ich hab mir wie es scheint einige (viele) Browser Highjacker eingefangen. Darunter das gute alte monstermarketplace (+safersurf4free). Auf jeden Fall schickt mich das Virus nicht automatisch auf die Seite, sondern wenn ich nach etwas suche erscheint oben z.b. "looking for ......?" von monstermarketplace. Aber auch das nicht IMMER. Und wenn ich speciel für Viren bezogene Sachen suche kommen seit 2 tagen auch avira, antivirus.fsecure und seit heute fake Norton und Kaspary seiten. Es gibt auch noch einige mehr . Gott sei dank aber werden diese Gelb eingekastelt, so das ich weis das das Virus mich fehlleiten will. Mein problem ist aber, ich werde die Dinger einfach nicht mehr los. Ich benutze Chrome.
Norton findet nichts. (2013, im Laden gekauft und kompleter Systemscan)
Ich hab auch die schritte bei http://www.trojaner-board.de/129825-...anfaenger.html (sorry, aber irgendwie krieg ich keinen externen Link her) befolgt. Jetzt hab ich gelesen das man das nicht machen sollte, aber jetzt sind die Informationen die ich vorhin bei diesen ganzen Programmen erhalten habe weg....
Aber ich glaube ich weis wo einige Viren sind. Wenn ich auf meinen C:/ Ordner geh sind die ersten Ergebnis folgende Ordner;
C:\0ff57a5930f400f0c8d2cf7b33ce5a12
C:\1a7b77b06d99019d190e61
C:\1a7b77b06d99019d190e61 (mit mrtstub)
C:\8c39e961136a2721fbb77b5032
und C:\890281e2f5e911f3940d
Löschen hilft da nichts.
Ich denke das dass eigentliche Problem war das ich Norton während den Scanns an hatte...
Außerdem hab ich dieses "Malewarebites-Anti Maleware" Programm benutzt und drei Sachen löschen/isolieren lassen. Hab gelesen das man auch das nicht sollte.
Was soll ich jetzt machen? Kann man diese Drecksdinger noch irgendwie loswerden? Oder muss ich den PC neu aufsetzen? Ich denke nämlich das dass eigentliche Problem war das ich Norton während den Scanns an hatte... Könnte mir da bitte irgendwer helfen? Ich kenne mich nicht aus, und bin schon total am verzweifeln.


Ach ja, hier noch die logfiles vom ZWEITEN mal durchscannen;
ADWCleaner
Code:
ATTFilter
# AdwCleaner v2.114 - Datei am 11/03/2013 um 18:47:14 erstellt
# Aktualisiert am 05/03/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : Lino - LINOS-HP-SCHATZ
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Lino\Downloads\AdwCleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v [Version kann nicht ermittelt werden]

Datei : C:\Users\Lino\AppData\Roaming\Mozilla\Firefox\Profiles\jq11owgg.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Google Chrome v25.0.1364.152

Datei : C:\Users\Lino\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

-\\ Opera v [Version kann nicht ermittelt werden]

Datei : C:\Users\Lino\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [1058 octets] - [11/03/2013 18:47:14]

########## EOF - C:\AdwCleaner[S1].txt - [1118 octets] ##########
Checkup
Code:
ATTFilter
 Results of screen317's Security Check version 0.99.61  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 8 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java(TM) 6 Update 22  
 Java(TM) 6 Update 31  
 Java 7 Update 9  
 Java version out of Date! 
 Adobe Flash Player 11.6.602.171  
 Adobe Reader 10.1.6 Adobe Reader out of Date!  
 Google Chrome 25.0.1364.152  
 Google Chrome 25.0.1364.97  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
 Symantec Norton Online Backup NOBuAgent.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
attach
Code:
ATTFilter
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 19.03.2011 19:22:54
System Uptime: 11.03.2013 18:57:20 (1 hours ago)
.
Motherboard: MSI |  | 2A9C
Processor: Intel(R) Core(TM) i7 CPU         870  @ 2.93GHz | CPU 1 | 2376/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1384 GiB total, 805,294 GiB free.
D: is FIXED (NTFS) - 14 GiB total, 1,673 GiB free.
E: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1504: 11.03.2013 17:54:57 - Ende der Bereinigung
RP1505: 11.03.2013 18:07:00 - Removed Java(TM) 7 (64-bit)
RP1506: 11.03.2013 18:08:29 - Removed Java(TM) 6 Update 31
RP1507: 11.03.2013 18:09:28 - Removed Java(TM) 6 Update 22
RP1508: 11.03.2013 18:10:28 - Removed Java 7 Update 9
RP1509: 11.03.2013 18:13:05 - Removed Skype™ 5.10
RP1510: 11.03.2013 18:15:37 - Konfiguriert Power2Go
RP1511: 11.03.2013 18:28:31 - Removed DisplayLink Core Software
RP1512: 11.03.2013 18:32:18 - Removed DisplayLink Core Software
RP1513: 11.03.2013 18:36:03 - Removed Skype™ 5.10
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Flash Professional CS6
Adobe Help Manager
Adobe Reader X (10.1.6) - Deutsch
Agatha Christie - Death on the Nile
Amnesia: The Dark Descent
aonFTP
aonUpdate
ARMA 2
Arma 2 Army of The Czech Republic (LITE) Uninstall
ARMA 2: British Armed Forces
ARMA 2: British Armed Forces - Data cache removal
ARMA 2: Operation Arrowhead
ARMA 2: Operation Arrowhead Beta
ARMA 2: Private Military Company
ARMA 2: Private Military Company - Data cache removal
µTorrent
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Editor 6
AVS Video Recorder 2.4
AVS4YOU Software Navigator 1.4
Battle Mages: Sign of Darkness
Battlefield 1918
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 2(TM)
Battlefield Heroes (Lino)
BattlEye (A2Free) Uninstall
BattlEye for OA Uninstall
Bejeweled 2 Deluxe
CDBurnerXP
Chivalry: Medieval Warfare
Chuzzle Deluxe
Controller
Corel Graphics - Windows Shell Extension
Corel Graphics - Windows Shell Extension 64 Bit
CorelDRAW Graphics Suite X6
CorelDRAW Graphics Suite X6 - Capture
CorelDRAW Graphics Suite X6 - Common
CorelDRAW Graphics Suite X6 - Connect
CorelDRAW Graphics Suite X6 - Custom Data
CorelDRAW Graphics Suite X6 - DE
CorelDRAW Graphics Suite X6 - Draw
CorelDRAW Graphics Suite X6 - Filters
CorelDRAW Graphics Suite X6 - FontNav
CorelDRAW Graphics Suite X6 - IPM
CorelDRAW Graphics Suite X6 - PHOTO-PAINT
CorelDRAW Graphics Suite X6 - Photozoom Plugin
CorelDRAW Graphics Suite X6 - Redist
CorelDRAW Graphics Suite X6 - Setup Files
CorelDRAW Graphics Suite X6 - VBA
CorelDRAW Graphics Suite X6 - VideoBrowser
CorelDRAW Graphics Suite X6 - VSTA
CorelDRAW Graphics Suite X6 - Writing Tools
Counter-Strike: Source
Creation Kit
CyberLink DVD Suite Deluxe
D3DX10
DayZ Commander
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DesertCombat  0.7
Die Gilde 2 - Gold Edition
Die Schlacht um Mittelerde™ II
Die Sims™ 3
Die Sims™ 3 "Erstelle eine Welt"-Tool - Beta
Die Sims™ 3 Einfach tierisch
Die Sims™ 3 Erstelle ein Muster-Tool
Die Sims™ 3 Jahreszeiten
Die Sims™ 3 Late Night
Die Sims™ 3 Lebensfreude
Die Sims™ 3 Traumkarrieren
Diner Dash 2 Restaurant Rescue
DVD Menu Pack for HP MediaSmart Video
FATE
Fire Department
Flight Simulator X
Flight Simulator X Service Pack 1
Fraps (remove only)
Free YouTube Download version 3.1.42.1212
GameSpy Arcade
GIMP 2.8.4
Google Chrome
Google Update Helper
Grand Ages Rome 1.11
Grand Theft Auto IV
Grand Theft Auto San Andreas
Grand Theft Auto: Episodes from Liberty City
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Haunt 1.0 64bit
Hewlett-Packard ACLM.NET v1.2.1.1
Hi-Rez Studios Authenticate and Update Service
Highspeed-Internet-Installation
Hotfix für Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP Advisor
HP Customer Experience Enhancements
HP Game Console
HP Games
HP MediaSmart DVD
HP MediaSmart Music
HP MediaSmart Photo
HP MediaSmart SmartMenu
HP MediaSmart Video
HP Odometer
HP Setup
HP Support Assistant
HP Support Information
HP Update
HP Vision Hardware Diagnostics
Hunting Unlimited 2010
Imperium Romanum 1.04 Gold Edition
Insaniquarium Deluxe
Intel(R) Management Engine Components
Jewel Quest II
Jewel Quest Solitaire
John Deere Drive Green
Junk Mail filter update
Just Cause 2
LabelPrint
Left 4 Dead 2
LEGO® Star Wars™: Die Komplette Saga
LEGO® Star Wars™: The Complete Saga
LightScribe System Software
LIMBO
LIMBO Demo
Mafia
Mafia II
Magic Desktop
Mesh Runtime
Messenger Companion
Metro 2033
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile DEU Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended DEU Language Pack
Microsoft Application Error Reporting
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Flight Simulator X
Microsoft Flight Simulator X: Acceleration
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (German) 2010
Microsoft Office Excel MUI (German) 2010
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (German) 2010
Microsoft Office Outlook MUI (German) 2010
Microsoft Office PowerPoint MUI (German) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Italian) 2010
Microsoft Office Proofing (German) 2010
Microsoft Office Publisher MUI (German) 2010
Microsoft Office Shared 64-bit MUI (German) 2010
Microsoft Office Shared MUI (German) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (German) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual Basic for Applications 7.1 (x86)
Microsoft Visual Basic for Applications 7.1 (x86) German
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Language Pack - DEU
Microsoft Visual Studio Tools for Applications 2.0 Runtime
Microsoft Visual Studio Tools for Applications 2.0 Runtime Language Pack - DEU
Microsoft WSE 3.0 Runtime
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
Mirror's Edge™
Morrowind
Movie Theme Pack for HP MediaSmart Video
MSVCRT
MSVCRT Redists
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MyTools
NehrimUninstaller
Nexus Mod Manager
Norton Internet Security
Norton Online Backup
NVIDIA 3D Vision Controller-Treiber 306.97
NVIDIA 3D Vision Treiber 306.97
NVIDIA Display Control Panel
NVIDIA Grafiktreiber 306.97
NVIDIA HD-Audiotreiber 1.3.18.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NVIDIA Systemsteuerung 306.97
NVIDIA Update 1.10.8
NVIDIA Update Components
Oblivion
OpenAL
Origin
Pando Media Booster
PARANORMAL - BETA 4
PAYDAY: The Heist
PDF Complete Special Edition
PDF Settings CS6
Penguins!
Penumbra
PhotoNow!
PlanetSide 2
Plants vs. Zombies
Play withSIX
PlayReady PC Runtime amd64
Polar Bowler
POSTAL 2 Complete
Postal 2 Demo
Power2Go
PowerDirector
PunkBuster Services
Realtek High Definition Audio Driver
Recovery Manager
Red Orchestra 2: Heroes of Stalingrad
Republic at War - Deutsch 1.1
Republic at War 1.1
RollerCoaster Tycoon 3
S.T.A.L.K.E.R.: Shadow of Chernobyl
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Slingo Deluxe
SPORE™
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Star Wars: Knights of the Old Republic
Steam
Stronghold 2 Deluxe
TeamSpeak 3 Client
TES Construction Set
The Elder Scrolls V: Skyrim
The Simpsons Hit & Run(TM)
The Ultimate DOOM
Thief: Deadly Shadows
Tropico 4 1.00
Universe Sandbox
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Vegas Pro 10.0
Virtual Villagers - The Secret City
Wedding Dash
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Fotogalerie
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX control for remote connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.11 (64-Bit)
WinZip 16.0
Xfire (remove only)
Zuma Deluxe
.
==== End Of File ===========================
dds
Code:
ATTFilter
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by Lino at 19:07:07 on 2013-03-11
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.43.1031.18.12247.9822 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Windows\system32\taskhost.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\SysWOW64\PnkBstrA.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = A1 Telekom Austria TA AG
uSearch Page = hxxp://www.telekom.at/suche
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: {0931BD3F-547E-45C1-B133-D0E995645DBA} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\IPS\IPSBHO.dll
BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\CoIEPlg.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
uRun: [msnmsgr] ~"C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Steam] "C:\Program Files (x86)\Stam\steam.exe" -silent
uRun: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
uRun: [AdobeBridge] <no file>
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
StartupFolder: C:\Users\Lino\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: EnableShellExecuteHooks = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: HideFastUserSwitching = dword:0
mPolicies-System: EnableSecureUIAPath = dword:1
IE: An OneNote s&enden - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Free YouTube Download - C:\Users\Lino\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Nach Microsoft E&xcel exportieren - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - <no file>
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.110.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.53.2.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{7D5A217E-9DD0-4168-BBE9-01BEE99BA879} : DHCPNameServer = 10.0.0.138
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs=     
SSODL: WebCheck - <orphaned>
SEH: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWOW64\ezUPBHook.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - 
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;C:\Windows\System32\drivers\SMR210.SYS [2011-9-15 96376]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1401000.018\SymDS64.sys [2013-3-10 493216]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1401000.018\SymEFA64.sys [2013-3-10 1132192]
R1 acedrv09;acedrv09;C:\Windows\System32\drivers\acedrv09.sys [2011-4-1 134880]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130301.001\BHDrvx64.sys [2013-3-1 1388120]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1401000.018\ccSetx64.sys [2013-3-10 168096]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130308.001\IDSviA64.sys [2013-3-8 513184]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1401000.018\Ironx64.sys [2013-3-10 224416]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1401000.018\symnets.sys [2013-3-10 432800]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-7-15 8704]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe [2013-3-10 143928]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-2 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2010-11-17 635416]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-2 382824]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-11-17 2320920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-3-9 138912]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-11-17 56344]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-1-29 250984]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-1-29 413800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ezSharedSvc;Easybits Services for Windows; [x]
S3 BEService;BattlEye Service;C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [2013-1-16 45056]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-5-29 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-3-28 59392]
S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-23 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-03-11 16:51:51	--------	d-----w-	C:\Windows\ERUNT
2013-03-11 15:53:41	--------	d-----w-	C:\Users\Lino\AppData\Local\{5C9DE9FB-2E16-422A-A4E7-ECA448DC5651}
2013-03-10 18:18:42	776352	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\srtsp64.sys
2013-03-10 18:18:42	493216	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\SymDS64.sys
2013-03-10 18:18:42	432800	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\symnets.sys
2013-03-10 18:18:42	37496	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\srtspx64.sys
2013-03-10 18:18:42	23448	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\SymELAM.sys
2013-03-10 18:18:42	1132192	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\SymEFA64.sys
2013-03-10 18:18:41	224416	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\Ironx64.sys
2013-03-10 18:18:41	168096	----a-r-	C:\Windows\System32\drivers\NISx64\1401000.018\ccSetx64.sys
2013-03-10 18:18:09	--------	d-----w-	C:\Windows\System32\drivers\NISx64\1401000.018
2013-03-09 18:51:48	--------	d-----w-	C:\Users\Lino\AppData\Roaming\Canneverbe Limited
2013-03-09 18:51:48	--------	d-----w-	C:\ProgramData\Canneverbe Limited
2013-03-09 18:27:16	--------	d-----w-	C:\Users\Lino\AppData\Local\{B1DEADA7-E94A-441F-A68D-30173C3A784E}
2013-03-08 17:23:44	--------	d-----w-	C:\Windows\System32\MpEngineStore
2013-03-08 17:22:43	--------	d-----w-	C:\4c3afa1d91612de34882800ac3
2013-03-08 14:54:52	--------	d-----w-	C:\Program Files\Enigma Software Group
2013-03-08 12:30:44	--------	d-----w-	C:\Users\Lino\AppData\Local\{149EA161-2A33-4314-AC1B-81AAAF070AE0}
2013-03-07 14:12:18	--------	d-----w-	C:\Users\Lino\AppData\Local\{85C8BF14-428F-478E-8B3F-B52BD4F0C234}
2013-03-06 12:16:22	--------	d-----w-	C:\Users\Lino\AppData\Local\{7058F9E1-F903-4530-ADC5-75E11F447050}
2013-03-05 11:48:25	--------	d-----w-	C:\Users\Lino\AppData\Local\{B4D70CB2-ED6D-4140-9D98-72030A45CAB8}
2013-03-04 13:53:05	--------	d-----w-	C:\Users\Lino\AppData\Local\fontconfig
2013-03-04 13:53:04	--------	d-----w-	C:\Users\Lino\.gimp-2.8
2013-03-04 13:53:03	--------	d-----w-	C:\Users\Lino\AppData\Local\gegl-0.2
2013-03-04 13:52:05	--------	d-----w-	C:\Program Files\GIMP 2
2013-03-04 12:20:32	--------	d-----w-	C:\Users\Lino\AppData\Local\{66FF07BC-D205-4BA7-80C4-8B09FD86DBAD}
2013-03-03 15:38:40	--------	d-----w-	C:\Users\Lino\AppData\Roaming\SPORE
2013-03-03 15:26:38	--------	d-----w-	C:\Users\Lino\AppData\Local\{B76E4004-006B-4336-97B5-ABE7C24A223F}
2013-03-01 11:58:18	--------	d-----w-	C:\Users\Lino\AppData\Local\{24AFC32A-7E3D-4982-9D7C-0CA2B8E3DA84}
2013-02-28 20:38:58	--------	d-----w-	C:\ProgramData\Bohemia Interactive Studio
2013-02-28 16:53:47	--------	d-----w-	C:\Users\Lino\AppData\Local\{12A5F638-08D9-41F9-AA7D-2299FA91DE0F}
2013-02-27 14:52:14	--------	d-----w-	C:\Users\Lino\AppData\Local\{4864A5B0-9F3F-48A8-9A00-4B36A3C85D25}
2013-02-26 16:54:11	--------	d-----w-	C:\Users\Lino\AppData\Local\{8057300A-0F4D-45D2-A8E9-BB2449B0D05B}
2013-02-25 16:12:00	--------	d-----w-	C:\Users\Lino\AppData\Local\{E9C8E65D-CF1C-45CA-BAA8-E64510E48A45}
2013-02-22 06:24:18	--------	d-----w-	C:\Users\Lino\AppData\Local\{0D73410A-6760-4166-9895-F95A5208F285}
2013-02-21 06:25:29	--------	d-----w-	C:\Users\Lino\AppData\Local\{6CDEA75C-7CE4-49AC-A92D-F5E01D9BC959}
2013-02-20 12:02:23	--------	d-----w-	C:\Users\Lino\AppData\Local\{08F1B97E-2DC3-4B5C-9AF1-A44EF6D14213}
2013-02-20 06:20:26	--------	d-----w-	C:\Users\Lino\AppData\Local\{B6F1BCC8-7925-471A-AD88-DE5089BF3E93}
2013-02-19 16:36:33	--------	d-----w-	C:\Users\Lino\AppData\Local\Programs
2013-02-19 16:23:25	--------	d-----w-	C:\Users\Lino\AppData\Local\{C61C8DD9-2876-4C9C-A25C-E3240A5E268A}
2013-02-17 12:21:20	--------	d-----w-	C:\Users\Lino\AppData\Local\{423ECC5B-3AE2-4380-BC6D-59E9A025A3CA}
2013-02-14 20:07:01	--------	d-----w-	C:\Users\Lino\AppData\Local\{35943C4E-4601-49F1-A501-9FAA047F9721}
2013-02-14 11:48:39	--------	d-----w-	C:\Users\Lino\AppData\Local\{A1BDC52E-CF53-4A48-88B2-95AF06227116}
2013-02-13 11:55:48	7680	----a-w-	C:\Windows\SysWow64\instnm.exe
2013-02-13 11:55:48	5120	----a-w-	C:\Windows\SysWow64\wow32.dll
2013-02-13 11:55:48	25600	----a-w-	C:\Windows\SysWow64\setup16.exe
2013-02-13 11:55:48	215040	----a-w-	C:\Windows\System32\winsrv.dll
2013-02-13 11:55:48	2048	----a-w-	C:\Windows\SysWow64\user.exe
2013-02-13 11:55:48	14336	----a-w-	C:\Windows\SysWow64\ntvdm64.dll
2013-02-13 11:55:47	288088	----a-w-	C:\Windows\System32\drivers\FWPKCLNT.SYS
2013-02-13 11:55:47	1913192	----a-w-	C:\Windows\System32\drivers\tcpip.sys
2013-02-13 11:55:46	760320	----a-w-	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 11:55:46	1111040	----a-w-	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 11:43:39	--------	d-----w-	C:\Users\Lino\AppData\Local\{6D886194-3B14-481B-B0BA-A593A6625E37}
2013-02-12 11:06:22	--------	d-----w-	C:\Users\Lino\AppData\Local\{C7E06E8B-A378-432B-837F-5B126EC28CC2}
2013-02-10 12:13:22	--------	d-----w-	C:\Users\Lino\AppData\Local\{C1A5C915-7B6B-4889-AD27-9D3D924E673A}
.
==================== Find3M  ====================
.
2013-03-10 18:22:36	177312	----a-w-	C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-02-27 20:45:09	71024	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-27 20:45:09	691568	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-24 11:02:35	280792	----a-w-	C:\Windows\SysWow64\PnkBstrB.xtr
2013-02-24 11:02:35	280792	----a-w-	C:\Windows\SysWow64\PnkBstrB.exe
2013-02-24 11:01:09	281032	----a-w-	C:\Windows\SysWow64\PnkBstrB.ex0
2013-01-13 21:17:03	9728	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02	2560	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42	10752	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46	3584	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21	4096	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08	5632	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07	5632	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07	3072	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07	3072	---ha-w-	C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:35:31	9728	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 20:35:31	2560	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 20:35:18	10752	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 20:32:07	3584	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 20:31:48	4096	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 20:31:41	5632	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 20:31:40	5632	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:31:40	3072	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 20:31:40	3072	---ha-w-	C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00	1247744	----a-w-	C:\Windows\SysWow64\DWrite.dll
2013-01-13 20:22:22	1988096	----a-w-	C:\Windows\SysWow64\d3d10warp.dll
2013-01-13 20:20:31	293376	----a-w-	C:\Windows\SysWow64\dxgi.dll
2013-01-13 20:09:00	249856	----a-w-	C:\Windows\SysWow64\d3d10_1core.dll
2013-01-13 20:08:43	220160	----a-w-	C:\Windows\SysWow64\d3d10core.dll
2013-01-13 20:08:35	1504768	----a-w-	C:\Windows\SysWow64\d3d11.dll
2013-01-13 19:59:04	1643520	----a-w-	C:\Windows\System32\DWrite.dll
2013-01-13 19:58:28	1175552	----a-w-	C:\Windows\System32\FntCache.dll
2013-01-13 19:54:01	604160	----a-w-	C:\Windows\SysWow64\d3d10level9.dll
2013-01-13 19:53:58	207872	----a-w-	C:\Windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53:14	187392	----a-w-	C:\Windows\SysWow64\UIAnimation.dll
2013-01-13 19:51:30	2565120	----a-w-	C:\Windows\System32\d3d10warp.dll
2013-01-13 19:49:17	363008	----a-w-	C:\Windows\System32\dxgi.dll
2013-01-13 19:48:47	161792	----a-w-	C:\Windows\SysWow64\d3d10_1.dll
2013-01-13 19:46:25	1080832	----a-w-	C:\Windows\SysWow64\d3d10.dll
2013-01-13 19:43:21	1230336	----a-w-	C:\Windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:38:39	333312	----a-w-	C:\Windows\System32\d3d10_1core.dll
2013-01-13 19:38:32	1887232	----a-w-	C:\Windows\System32\d3d11.dll
2013-01-13 19:38:21	296960	----a-w-	C:\Windows\System32\d3d10core.dll
2013-01-13 19:37:57	3419136	----a-w-	C:\Windows\SysWow64\d2d1.dll
2013-01-13 19:25:04	245248	----a-w-	C:\Windows\System32\WindowsCodecsExt.dll
2013-01-13 19:24:33	648192	----a-w-	C:\Windows\System32\d3d10level9.dll
2013-01-13 19:24:30	221184	----a-w-	C:\Windows\System32\UIAnimation.dll
2013-01-13 19:20:42	194560	----a-w-	C:\Windows\System32\d3d10_1.dll
2013-01-13 19:20:04	1238528	----a-w-	C:\Windows\System32\d3d10.dll
2013-01-13 19:15:40	1424384	----a-w-	C:\Windows\System32\WindowsCodecs.dll
2013-01-13 19:10:36	3928064	----a-w-	C:\Windows\System32\d2d1.dll
2013-01-13 19:02:06	417792	----a-w-	C:\Windows\SysWow64\WMPhoto.dll
2013-01-13 18:34:58	364544	----a-w-	C:\Windows\SysWow64\XpsGdiConverter.dll
2013-01-13 18:32:43	465920	----a-w-	C:\Windows\System32\WMPhoto.dll
2013-01-13 18:09:52	522752	----a-w-	C:\Windows\System32\XpsGdiConverter.dll
2013-01-13 17:26:42	1158144	----a-w-	C:\Windows\SysWow64\XpsPrint.dll
2013-01-13 17:05:09	1682432	----a-w-	C:\Windows\System32\XpsPrint.dll
2013-01-05 05:53:43	5553512	----a-w-	C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:00:15	3967848	----a-w-	C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11	3913064	----a-w-	C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 06:11:21	2284544	----a-w-	C:\Windows\SysWow64\msmpeg2vdec.dll
2013-01-04 06:11:13	2776576	----a-w-	C:\Windows\System32\msmpeg2vdec.dll
2013-01-04 04:43:21	44032	----a-w-	C:\Windows\apppatch\acwow64.dll
2013-01-04 03:26:48	3153408	----a-w-	C:\Windows\System32\win32k.sys
2012-12-20 13:59:36	1188864	----a-w-	C:\Windows\System32\wininet.dll
2012-12-20 12:53:51	981504	----a-w-	C:\Windows\SysWow64\wininet.dll
2012-12-20 12:02:26	1638912	----a-w-	C:\Windows\System32\mshtml.tlb
2012-12-20 11:20:29	1638912	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2012-12-16 17:11:22	46080	----a-w-	C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03	367616	----a-w-	C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28	295424	----a-w-	C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20	34304	----a-w-	C:\Windows\SysWow64\atmlib.dll
.
============= FINISH: 19:08:56,11 ===============

Alt 13.03.2013, 13:38   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


Hallo und

Zitat:
Außerdem hab ich dieses "Malewarebites-Anti Maleware" Programm benutzt und drei Sachen löschen/isolieren lassen.
Schön und wo sind die Logs dazu?

Solche Angaben reichen nicht, bitte poste die vollständigen Angaben/Logs der Virenscanner siehe http://www.trojaner-board.de/125889-...tml#post941520


Bitte alles nach Möglichkeit hier in CODE-Tags posten.

Lesestoff:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
  • Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
  • Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
  • Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
  • Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.
__________________

__________________
Alt 15.03.2013, 15:51   #3
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


Hallo cosinus, und danke für die schnelle Antwort.
Entschuldige das die Antwort so lang gedauert hat.
Zu den CODE-Tags, ich hab doch CODE-Tags gepostet, oder zumindest genau das gemacht was dort angegeben wird.

So, ich hab jetzt Malewarebytes noch 2 mal nen Komplettscan machen lassen, bei beiden malen ist der PC in diesem Blauen Bildschirm abgestürtz.
Dann hab ich das alte log gefunden, also von meinem ersten mal durchscannen. Ein zweites mal gibt es nicht.

Code:
ATTFilter
 Malwarebytes Anti-Malware  (Test) 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.03.11.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Lino :: LINOS-HP-SCHATZ [Administrator]

Schutz: Aktiviert

11.03.2013 19:16:27
mbam-log-2013-03-11 (19-16-27).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 270075
Laufzeit: 6 Minute(n), 1 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\AppID\{186E19A3-B909-4F48-B687-BB81EB8BC7CE} (Trojan.BHO) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 6
C:\Users\Lino\Downloads\installer_call_of_duty_black_ops (3).exe (PUP.BundleInstaller.BEN) -> Keine Aktion durchgeführt.
C:\Users\Lino\Downloads\installer_call_of_duty_black_ops.exe (PUP.BundleInstaller.BEN) -> Keine Aktion durchgeführt.
C:\Users\Lino\Downloads\ADLSoft_UnCompressor_v2.exe (PUP.Adware.InstallCore) -> Keine Aktion durchgeführt.
C:\Users\Lino\Downloads\installer_call_of_duty_black_ops (2).exe (PUP.BundleInstaller.BEN) -> Keine Aktion durchgeführt.
C:\Users\Lino\Downloads\DownloadSetup.exe (PUP.Offerware) -> Keine Aktion durchgeführt.
C:\Users\Lino\Downloads\installer_call_of_duty_black_ops (1).exe (PUP.BundleInstaller.BEN) -> Keine Aktion durchgeführt.

(Ende)
So, und hier hab ich noch mal Norton einen Kompletscann durchgehen lassen. 3 Cookies wurden entdeckt. Typischerweise waren genau diese drei Dinger nicht der Ursprung meines problems.

Code:
ATTFilter
Scan-Informationen:
  Version der Virendefinitionen: 2013.03.14.004
  Sequ.-ID der Virendefinitionen: 142519

Scanstatistiken:
  Scanstart:
   Lokal: 14.03.2013 18:03
   UTC: 14.03.2013 17:03
  Scanzeit: 11.665 Sekunden
  Scanziele: Gesamter Computer
  Zähler:
Gescannte Elemente insgesamt: 1.292.655
– Dateien und Laufwerke: 1.285.910
– Registrierungseinträge: 780
– Prozesse und Elemente beim Start: 5.133
– Netzwerk- und Browser-Elemente: 822
– Sonstiges: 5
– Vertrauenswürdige Dateien: 0
– Übersprungene Dateien: 0

Erkannte Sicherheitsrisiken insgesamt: 3
Behobene Elemente insgesamt: 3
Elemente insgesamt, die Aufmerksamkeit erfordern: 0

Behobene Bedrohungen:
3 Tracking Cookies
 Typ: Anomalie
 Risiko: Gering (Gering Verbergen, Gering Entfernen, Gering Leistung, Gering Datenschutz)  
 Kategorien: Tracking Cookies
 Status: Vollständig behoben
 -----------
 3 Tracking Cookies
Cookie:lino@atdmt.com/ - Gelöscht
Cookie:lino@atdmt.com/ - Gelöscht
 - Gelöscht




Nicht behobene Bedrohungen:
Keine nicht behobenen Risiken
Das ist alles was ich noch habe.

Wenn du noch etwas brauchst, lass es mich bitte wissen.
__________________
Alt 15.03.2013, 17:24   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


Bevor wir uns an die Arbeit machen, möchte ich dich bitten, folgende Punkte vollständig und aufmerksam zu lesen.
  • Lies dir meine Anleitungen, die ich im Laufe dieses Strangs hier posten werde, aufmerksam durch. Frag umgehend nach, wenn dir irgendetwas unklar sein sollte, bevor du anfängst meine Anleitungen umzusetzen.

  • Solltest du bei einem Schritt Probleme haben, stoppe dort und beschreib mir das Problem so gut du kannst. Manchmal erfordert ein Schritt den vorhergehenden.

  • Bitte nur Scans durchführen zu denen du von einem Helfer aufgefordert wurdest! Installiere / Deinstalliere keine Software ohne Aufforderung!

  • Poste die Logfiles direkt in deinen Thread (bitte in CODE-Tags) und nicht als Anhang, ausser du wurdest dazu aufgefordert. Logs in Anhängen erschweren mir das Auswerten!

  • Die Logs der aufgegebenen Tools wie zB Malwarebytes sind immer zu posten - egal ob ein Fund dabei war oder nicht!

  • Beachte bitte auch => Löschen von Logfiles und andere Anfragen

Note:
Sollte ich drei Tage nichts von mir hören lassen, so melde dich bitte in diesem Strang => Erinnerung an meinem Thread.
Nervige "Wann geht es weiter" Nachrichten enden mit Schließung deines Themas. Auch ich habe ein Leben abseits des Trojaner-Boards.


Rootkitscan mit GMER

Bitte lade dir GMER Rootkit Scanner GMER herunter: (Dateiname zufällig)
  • Schließe alle anderen Programme, deaktiviere deinen Virenscanner und trenne den Rechner vom Internet bevor du GMER startest.
  • Sollte sich nach dem Start ein Fenster mit folgender Warnung öffnen:
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    Unbedingt auf "No" klicken.
  • Entferne rechts den Haken bei: IAT/EAT und Show All
  • Setze den Haken bei Quickscan und entferne ihn bei allen anderen Laufwerken.
  • Starte den Scan mit "Scan".
  • Mache nichts am Computer während der Scan läuft.
  • Wenn der Scan fertig ist klicke auf Save und speichere die Logfile unter Gmer.txt auf deinem Desktop. Mit "Ok" wird GMER beendet.
Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!


Tauchen Probleme auf?
  • Probiere alternativ den abgesicherten Modus.
  • Erhältst du einen Bluescreen, dann entferne den Haken vor Devices.


Anschließend bitte MBAR ausführen:

Malwarebytes Anti-Rootkit (MBAR)

Downloade dir bitte Malwarebytes Anti-Rootkit Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.
  • Starte bitte die mbar.exe.
  • Folge den Anweisungen auf deinem Bildschirm gemäß Anleitung zu Malwarebytes Anti-Rootkit
  • Aktualisiere unbedingt die Datenbank und erlaube dem Tool, dein System zu scannen.
  • Klicke auf den CleanUp Button und erlaube den Neustart.
  • Während dem Neustart wird MBAR die gefundenen Objekte entfernen, also bleib geduldig.
  • Nach dem Neustart starte die mbar.exe erneut.
  • Sollte nochmal was gefunden werden, wiederhole den CleanUp Prozess.
Das Tool wird im erstellten Ordner eine Logfile ( mbar-log-<Jahr-Monat-Tag>.txt ) erzeugen. Bitte poste diese hier.

Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 16.03.2013, 16:44   #5
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


Ok, das mit dem GMAR scan hab ich jetzt gemacht.

Code:
ATTFilter
GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-16 12:38:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD15 rev.01.0 1397,27GB
Running: tgmdu7dm.exe; Driver: C:\Users\Lino\AppData\Local\Temp\pxairfob.sys


---- Kernel code sections - GMER 2.1 ----

.text   C:\Windows\system32\drivers\USBPORT.SYS!DllUnload                                                                                                              fffff88005228d64 12 bytes {MOV RAX, 0xfffffa800e1fb2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                      000000007786fc90 5 bytes JMP 00000001001c091c
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                    000000007786fdf4 5 bytes JMP 00000001001c0048
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                             000000007786fe88 5 bytes JMP 00000001001c02ee
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                          000000007786ffe4 5 bytes JMP 00000001001c04b2
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                  0000000077870018 5 bytes JMP 00000001001c09fe
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                          0000000077870048 5 bytes JMP 00000001001c0ae0
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                       0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                          000000007787077c 5 bytes JMP 00000001001c012a
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                              000000007787086c 5 bytes JMP 00000001001c0758
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                        0000000077870884 5 bytes JMP 00000001001c0676
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                            0000000077870dd4 5 bytes JMP 00000001001c03d0
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                      0000000077871900 5 bytes JMP 00000001001c0594
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                  0000000077871bc4 5 bytes JMP 00000001001c083a
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                         0000000077871d50 5 bytes JMP 00000001001c020c
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                        000000007696524f 7 bytes JMP 00000001001c0f52
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                            00000000769653d0 7 bytes JMP 00000001001d0210
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                           0000000076965677 1 byte JMP 00000001001d0048
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                           0000000076965679 5 bytes {JMP 0xffffffff8986a9d1}
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                  000000007696589a 7 bytes JMP 00000001001c0ca6
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                  0000000076965a1d 7 bytes JMP 00000001001d03d8
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                             0000000076965c9b 7 bytes JMP 00000001001d012c
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                               0000000076965d87 7 bytes JMP 00000001001d02f4
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123              0000000076967240 7 bytes JMP 00000001001c0e6e
.text   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[964] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                             0000000075471492 7 bytes JMP 00000001001d04bc
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                            000000007786fc90 5 bytes JMP 00000001000e091c
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                          000000007786fdf4 5 bytes JMP 00000001000e0048
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                   000000007786fe88 5 bytes JMP 00000001000e02ee
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                000000007786ffe4 5 bytes JMP 00000001000e04b2
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                        0000000077870018 5 bytes JMP 00000001000e09fe
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                0000000077870048 5 bytes JMP 00000001000e0ae0
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                             0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                000000007787077c 5 bytes JMP 00000001000e012a
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                    000000007787086c 5 bytes JMP 00000001000e0758
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                              0000000077870884 5 bytes JMP 00000001000e0676
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                  0000000077870dd4 5 bytes JMP 00000001000e03d0
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                            0000000077871900 5 bytes JMP 00000001000e0594
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                        0000000077871bc4 5 bytes JMP 00000001000e083a
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                               0000000077871d50 5 bytes JMP 00000001000e020c
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                   0000000075471492 7 bytes JMP 00000001000f059e
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                              000000007696524f 7 bytes JMP 00000001000e0f52
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                  00000000769653d0 7 bytes JMP 00000001000f0210
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                 0000000076965677 1 byte JMP 00000001000f0048
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                 0000000076965679 5 bytes {JMP 0xffffffff8978a9d1}
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                        000000007696589a 7 bytes JMP 00000001000e0ca6
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                        0000000076965a1d 7 bytes JMP 00000001000f03d8
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                   0000000076965c9b 7 bytes JMP 00000001000f012c
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                     0000000076965d87 7 bytes JMP 00000001000f02f4
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1916] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                    0000000076967240 7 bytes JMP 00000001000e0e6e
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                              000000007786fc90 5 bytes JMP 000000010026091c
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                            000000007786fdf4 5 bytes JMP 0000000100260048
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                     000000007786fe88 5 bytes JMP 00000001002602ee
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                  000000007786ffe4 5 bytes JMP 00000001002604b2
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                          0000000077870018 5 bytes JMP 00000001002609fe
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                  0000000077870048 5 bytes JMP 0000000100260ae0
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                               0000000077870064 5 bytes JMP 000000010024004c
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                  000000007787077c 5 bytes JMP 000000010026012a
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                      000000007787086c 5 bytes JMP 0000000100260758
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                0000000077870884 5 bytes JMP 0000000100260676
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                    0000000077870dd4 5 bytes JMP 00000001002603d0
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                              0000000077871900 5 bytes JMP 0000000100260594
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                          0000000077871bc4 5 bytes JMP 000000010026083a
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                 0000000077871d50 5 bytes JMP 000000010026020c
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                000000007696524f 7 bytes JMP 0000000100260f52
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                    00000000769653d0 7 bytes JMP 00000001003c0210
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                   0000000076965677 1 byte JMP 00000001003c0048
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                   0000000076965679 5 bytes {JMP 0xffffffff89a5a9d1}
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                          000000007696589a 7 bytes JMP 0000000100260ca6
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                          0000000076965a1d 7 bytes JMP 00000001003c03d8
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                     0000000076965c9b 7 bytes JMP 00000001003c012c
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                       0000000076965d87 7 bytes JMP 00000001003c02f4
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                      0000000076967240 7 bytes JMP 0000000100260e6e
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                     0000000075471492 7 bytes JMP 00000001003c059e
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                       0000000076b71465 2 bytes [B7, 76]
.text   c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                      0000000076b714bb 2 bytes [B7, 76]
.text   ...                                                                                                                                                            * 2
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          000000007786fc90 5 bytes JMP 000000010028091c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                        000000007786fdf4 5 bytes JMP 0000000100280048
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                 000000007786fe88 5 bytes JMP 00000001002802ee
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                              000000007786ffe4 5 bytes JMP 00000001002804b2
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      0000000077870018 5 bytes JMP 00000001002809fe
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                              0000000077870048 5 bytes JMP 0000000100280ae0
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                           0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                              000000007787077c 5 bytes JMP 000000010028012a
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                  000000007787086c 5 bytes JMP 0000000100280758
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                            0000000077870884 5 bytes JMP 0000000100280676
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                0000000077870dd4 5 bytes JMP 00000001002803d0
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          0000000077871900 5 bytes JMP 0000000100280594
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                      0000000077871bc4 5 bytes JMP 000000010028083a
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                             0000000077871d50 5 bytes JMP 000000010028020c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206            000000007696524f 7 bytes JMP 0000000100280f52
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                00000000769653d0 7 bytes JMP 0000000100290210
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149               0000000076965677 1 byte JMP 0000000100290048
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151               0000000076965679 5 bytes {JMP 0xffffffff8992a9d1}
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                      000000007696589a 7 bytes JMP 0000000100280ca6
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                      0000000076965a1d 7 bytes JMP 00000001002903d8
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                 0000000076965c9b 7 bytes JMP 000000010029012c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                   0000000076965d87 7 bytes JMP 00000001002902f4
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  0000000076967240 7 bytes JMP 0000000100280e6e
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                 0000000075471492 7 bytes JMP 00000001002904bc
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                   0000000076b71465 2 bytes [B7, 76]
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                  0000000076b714bb 2 bytes [B7, 76]
.text   ...                                                                                                                                                            * 2
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     000000007786fc90 5 bytes JMP 00000001000f091c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                   000000007786fdf4 5 bytes JMP 00000001000f0048
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                            000000007786fe88 5 bytes JMP 00000001000f02ee
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                         000000007786ffe4 5 bytes JMP 00000001000f04b2
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                 0000000077870018 5 bytes JMP 00000001000f09fe
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                         0000000077870048 5 bytes JMP 00000001000f0ae0
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                      0000000077870064 5 bytes JMP 000000010009004c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                         000000007787077c 5 bytes JMP 00000001000f012a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                             000000007787086c 5 bytes JMP 00000001000f0758
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                       0000000077870884 5 bytes JMP 00000001000f0676
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                           0000000077870dd4 5 bytes JMP 00000001000f03d0
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                     0000000077871900 5 bytes JMP 00000001000f0594
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                 0000000077871bc4 5 bytes JMP 00000001000f083a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                        0000000077871d50 5 bytes JMP 00000001000f020c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                            0000000075471492 7 bytes JMP 000000010010059e
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                       000000007696524f 7 bytes JMP 00000001000f0f52
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                           00000000769653d0 7 bytes JMP 0000000100100210
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                          0000000076965677 1 byte JMP 0000000100100048
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                          0000000076965679 5 bytes {JMP 0xffffffff8979a9d1}
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                 000000007696589a 7 bytes JMP 00000001000f0ca6
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                 0000000076965a1d 7 bytes JMP 00000001001003d8
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                            0000000076965c9b 7 bytes JMP 000000010010012c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                              0000000076965d87 7 bytes JMP 00000001001002f4
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1436] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123             0000000076967240 7 bytes JMP 00000001000f0e6e
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                       000000007786fc90 5 bytes JMP 000000010017091c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                     000000007786fdf4 5 bytes JMP 0000000100170048
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                              000000007786fe88 5 bytes JMP 00000001001702ee
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                           000000007786ffe4 5 bytes JMP 00000001001704b2
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                   0000000077870018 5 bytes JMP 00000001001709fe
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                           0000000077870048 5 bytes JMP 0000000100170ae0
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                        0000000077870064 5 bytes JMP 000000010015004c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                           000000007787077c 5 bytes JMP 000000010017012a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                               000000007787086c 5 bytes JMP 0000000100170758
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                         0000000077870884 5 bytes JMP 0000000100170676
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                             0000000077870dd4 5 bytes JMP 00000001001703d0
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                       0000000077871900 5 bytes JMP 0000000100170594
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                   0000000077871bc4 5 bytes JMP 000000010017083a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                          0000000077871d50 5 bytes JMP 000000010017020c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1384] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                              0000000075471492 7 bytes JMP 000000010018059e
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                          000000007786fc90 5 bytes JMP 00000001004c091c
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                        000000007786fdf4 5 bytes JMP 00000001004c0048
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                 000000007786fe88 5 bytes JMP 00000001004c02ee
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                              000000007786ffe4 5 bytes JMP 00000001004c04b2
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                      0000000077870018 5 bytes JMP 00000001004c09fe
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                              0000000077870048 5 bytes JMP 00000001004c0ae0
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                           0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                              000000007787077c 5 bytes JMP 00000001004c012a
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                  000000007787086c 5 bytes JMP 00000001004c0758
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                            0000000077870884 5 bytes JMP 00000001004c0676
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                0000000077870dd4 5 bytes JMP 00000001004c03d0
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                          0000000077871900 5 bytes JMP 00000001004c0594
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                      0000000077871bc4 5 bytes JMP 00000001004c083a
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                             0000000077871d50 5 bytes JMP 00000001004c020c
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\syswow64\user32.dll!RecordShutdownReason + 882                                                 0000000075471492 7 bytes JMP 00000001004d059e
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                            000000007696524f 7 bytes JMP 00000001004c0f52
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                00000000769653d0 7 bytes JMP 00000001004d0210
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                               0000000076965677 1 byte JMP 00000001004d0048
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                               0000000076965679 5 bytes {JMP 0xffffffff89b6a9d1}
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                      000000007696589a 7 bytes JMP 00000001004c0ca6
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                      0000000076965a1d 7 bytes JMP 00000001004d03d8
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                 0000000076965c9b 7 bytes JMP 00000001004d012c
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                   0000000076965d87 7 bytes JMP 00000001004d02f4
.text   C:\Program Files (x86)\PDF Complete\pdfsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                  0000000076967240 7 bytes JMP 00000001004c0e6e
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                        000000007786fc90 5 bytes JMP 000000010027091c
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                      000000007786fdf4 5 bytes JMP 0000000100270048
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                               000000007786fe88 5 bytes JMP 00000001002702ee
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                            000000007786ffe4 5 bytes JMP 00000001002704b2
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                    0000000077870018 5 bytes JMP 00000001002709fe
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                            0000000077870048 5 bytes JMP 0000000100270ae0
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                         0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                            000000007787077c 5 bytes JMP 000000010027012a
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                000000007787086c 5 bytes JMP 0000000100270758
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                          0000000077870884 5 bytes JMP 0000000100270676
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                              0000000077870dd4 5 bytes JMP 00000001002703d0
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                        0000000077871900 5 bytes JMP 0000000100270594
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                    0000000077871bc4 5 bytes JMP 000000010027083a
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                           0000000077871d50 5 bytes JMP 000000010027020c
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                               0000000075471492 7 bytes JMP 000000010028059e
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                          000000007696524f 7 bytes JMP 0000000100270f52
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                              00000000769653d0 7 bytes JMP 0000000100280210
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                             0000000076965677 1 byte JMP 0000000100280048
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                             0000000076965679 5 bytes {JMP 0xffffffff8991a9d1}
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                    000000007696589a 7 bytes JMP 0000000100270ca6
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                    0000000076965a1d 7 bytes JMP 00000001002803d8
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                               0000000076965c9b 7 bytes JMP 000000010028012c
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                 0000000076965d87 7 bytes JMP 00000001002802f4
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                0000000076967240 7 bytes JMP 0000000100270e6e
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                                        0000000071d91a22 2 bytes [D9, 71]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                                        0000000071d91ad0 2 bytes [D9, 71]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                                        0000000071d91b08 2 bytes [D9, 71]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                                        0000000071d91bba 2 bytes [D9, 71]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                                                        0000000071d91bda 2 bytes [D9, 71]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                 0000000076b71465 2 bytes [B7, 76]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                0000000076b714bb 2 bytes [B7, 76]
.text   ...                                                                                                                                                            * 2
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                           000000007786fc90 5 bytes JMP 000000010021091c
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                         000000007786fdf4 5 bytes JMP 0000000100210048
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                  000000007786fe88 5 bytes JMP 00000001002102ee
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                               000000007786ffe4 5 bytes JMP 00000001002104b2
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                       0000000077870018 5 bytes JMP 00000001002109fe
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                               0000000077870048 5 bytes JMP 0000000100210ae0
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                            0000000077870064 5 bytes JMP 000000010002004c
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                               000000007787077c 5 bytes JMP 000000010021012a
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                   000000007787086c 5 bytes JMP 0000000100210758
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                             0000000077870884 5 bytes JMP 0000000100210676
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                 0000000077870dd4 5 bytes JMP 00000001002103d0
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                           0000000077871900 5 bytes JMP 0000000100210594
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                       0000000077871bc4 5 bytes JMP 000000010021083a
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                              0000000077871d50 5 bytes JMP 000000010021020c
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206             000000007696524f 7 bytes JMP 0000000100210f52
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                 00000000769653d0 7 bytes JMP 00000001002a0210
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                0000000076965677 1 byte JMP 00000001002a0048
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                0000000076965679 5 bytes {JMP 0xffffffff8993a9d1}
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                       000000007696589a 7 bytes JMP 0000000100210ca6
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                       0000000076965a1d 7 bytes JMP 00000001002a03d8
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                  0000000076965c9b 7 bytes JMP 00000001002a012c
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                    0000000076965d87 7 bytes JMP 00000001002a02f4
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123   0000000076967240 7 bytes JMP 0000000100210e6e
.text   c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2116] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                  0000000075471492 7 bytes JMP 00000001002a04bc
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                           000000007786fc90 5 bytes JMP 000000010016091c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                         000000007786fdf4 5 bytes JMP 0000000100160048
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                  000000007786fe88 5 bytes JMP 00000001001602ee
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                               000000007786ffe4 5 bytes JMP 00000001001604b2
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                       0000000077870018 5 bytes JMP 00000001001609fe
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                               0000000077870048 5 bytes JMP 0000000100160ae0
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                            0000000077870064 5 bytes JMP 000000010014004c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                               000000007787077c 5 bytes JMP 000000010016012a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                   000000007787086c 5 bytes JMP 0000000100160758
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                             0000000077870884 5 bytes JMP 0000000100160676
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                 0000000077870dd4 5 bytes JMP 00000001001603d0
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                           0000000077871900 5 bytes JMP 0000000100160594
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                       0000000077871bc4 5 bytes JMP 000000010016083a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                              0000000077871d50 5 bytes JMP 000000010016020c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                  0000000075471492 7 bytes JMP 0000000100b0059e
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                             000000007696524f 7 bytes JMP 0000000100160f52
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                 00000000769653d0 7 bytes JMP 0000000100b00210
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                0000000076965677 1 byte JMP 0000000100b00048
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                0000000076965679 5 bytes {JMP 0xffffffff8a19a9d1}
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                       000000007696589a 7 bytes JMP 0000000100160ca6
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                       0000000076965a1d 7 bytes JMP 0000000100b003d8
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                  0000000076965c9b 7 bytes JMP 0000000100b0012c
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                    0000000076965d87 7 bytes JMP 0000000100b002f4
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[3744] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                   0000000076967240 7 bytes JMP 0000000100160e6e
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                         000000007786fc90 5 bytes JMP 00000001001d091c
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                       000000007786fdf4 5 bytes JMP 00000001001d0048
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                000000007786fe88 5 bytes JMP 00000001001d02ee
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                             000000007786ffe4 5 bytes JMP 00000001001d04b2
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                     0000000077870018 5 bytes JMP 00000001001d09fe
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                             0000000077870048 5 bytes JMP 00000001001d0ae0
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                          0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                             000000007787077c 5 bytes JMP 00000001001d012a
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                 000000007787086c 5 bytes JMP 00000001001d0758
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                           0000000077870884 5 bytes JMP 00000001001d0676
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                               0000000077870dd4 5 bytes JMP 00000001001d03d0
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                         0000000077871900 5 bytes JMP 00000001001d0594
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                     0000000077871bc4 5 bytes JMP 00000001001d083a
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                            0000000077871d50 5 bytes JMP 00000001001d020c
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                0000000075471492 7 bytes JMP 00000001001e04bc
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                           000000007696524f 7 bytes JMP 00000001001d0f52
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                               00000000769653d0 7 bytes JMP 00000001001e0210
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                              0000000076965677 1 byte JMP 00000001001e0048
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                              0000000076965679 5 bytes {JMP 0xffffffff8987a9d1}
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                     000000007696589a 7 bytes JMP 00000001001d0ca6
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                     0000000076965a1d 7 bytes JMP 00000001001e03d8
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                0000000076965c9b 7 bytes JMP 00000001001e012c
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                  0000000076965d87 7 bytes JMP 00000001001e02f4
.text   C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                 0000000076967240 7 bytes JMP 00000001001d0e6e
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                            000000007786fc90 5 bytes JMP 000000010010091c
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                          000000007786fdf4 5 bytes JMP 0000000100100048
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                   000000007786fe88 5 bytes JMP 00000001001002ee
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                000000007786ffe4 5 bytes JMP 00000001001004b2
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                        0000000077870018 5 bytes JMP 00000001001009fe
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                0000000077870048 5 bytes JMP 0000000100100ae0
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                             0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                000000007787077c 5 bytes JMP 000000010010012a
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                    000000007787086c 5 bytes JMP 0000000100100758
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                              0000000077870884 5 bytes JMP 0000000100100676
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                  0000000077870dd4 5 bytes JMP 00000001001003d0
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                            0000000077871900 5 bytes JMP 0000000100100594
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                        0000000077871bc4 5 bytes JMP 000000010010083a
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                               0000000077871d50 5 bytes JMP 000000010010020c
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                   0000000075471492 7 bytes JMP 000000010011059e
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                              000000007696524f 7 bytes JMP 0000000100100f52
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                  00000000769653d0 7 bytes JMP 0000000100110210
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                 0000000076965677 1 byte JMP 0000000100110048
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                 0000000076965679 5 bytes {JMP 0xffffffff897aa9d1}
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                        000000007696589a 7 bytes JMP 0000000100100ca6
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                        0000000076965a1d 7 bytes JMP 00000001001103d8
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                   0000000076965c9b 7 bytes JMP 000000010011012c
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                     0000000076965d87 7 bytes JMP 00000001001102f4
.text   C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[2488] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                    0000000076967240 7 bytes JMP 0000000100100e6e
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                   000000007786fc90 5 bytes JMP 000000010014091c
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                 000000007786fdf4 5 bytes JMP 0000000100140048
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                          000000007786fe88 5 bytes JMP 00000001001402ee
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                       000000007786ffe4 5 bytes JMP 00000001001404b2
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                               0000000077870018 5 bytes JMP 00000001001409fe
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                       0000000077870048 5 bytes JMP 0000000100140ae0
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                    0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                       000000007787077c 5 bytes JMP 000000010014012a
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                           000000007787086c 5 bytes JMP 0000000100140758
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                     0000000077870884 5 bytes JMP 0000000100140676
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                         0000000077870dd4 5 bytes JMP 00000001001403d0
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                   0000000077871900 5 bytes JMP 0000000100140594
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                               0000000077871bc4 5 bytes JMP 000000010014083a
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                      0000000077871d50 5 bytes JMP 000000010014020c
.text   C:\Program Files (x86)\Stam\steam.exe[1068] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate                                                                      000000007579549c 5 bytes JMP 0000000100210800
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                              000000007786fc90 5 bytes JMP 000000010028091c
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                            000000007786fdf4 5 bytes JMP 0000000100280048
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                     000000007786fe88 5 bytes JMP 00000001002802ee
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                  000000007786ffe4 5 bytes JMP 00000001002804b2
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                          0000000077870018 5 bytes JMP 00000001002809fe
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                  0000000077870048 5 bytes JMP 0000000100280ae0
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                               0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                  000000007787077c 5 bytes JMP 000000010028012a
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                      000000007787086c 5 bytes JMP 0000000100280758
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                0000000077870884 5 bytes JMP 0000000100280676
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                    0000000077870dd4 5 bytes JMP 00000001002803d0
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                              0000000077871900 5 bytes JMP 0000000100280594
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                          0000000077871bc4 5 bytes JMP 000000010028083a
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                 0000000077871d50 5 bytes JMP 000000010028020c
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                     0000000075471492 7 bytes JMP 000000010029059e
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                000000007696524f 7 bytes JMP 0000000100280f52
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                    00000000769653d0 7 bytes JMP 0000000100290210
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                   0000000076965677 1 byte JMP 0000000100290048
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                   0000000076965679 5 bytes {JMP 0xffffffff8992a9d1}
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                          000000007696589a 7 bytes JMP 0000000100280ca6
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                          0000000076965a1d 7 bytes JMP 00000001002903d8
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                     0000000076965c9b 7 bytes JMP 000000010029012c
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                       0000000076965d87 7 bytes JMP 00000001002902f4
.text   C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2644] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                      0000000076967240 7 bytes JMP 0000000100280e6e
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                              000000007786fc90 5 bytes JMP 000000010010091c
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                            000000007786fdf4 5 bytes JMP 0000000100100048
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                     000000007786fe88 5 bytes JMP 00000001001002ee
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                  000000007786ffe4 5 bytes JMP 00000001001004b2
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                          0000000077870018 5 bytes JMP 00000001001009fe
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                  0000000077870048 5 bytes JMP 0000000100100ae0
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                               0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                  000000007787077c 5 bytes JMP 000000010010012a
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                      000000007787086c 5 bytes JMP 0000000100100758
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                0000000077870884 5 bytes JMP 0000000100100676
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                    0000000077870dd4 5 bytes JMP 00000001001003d0
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                              0000000077871900 5 bytes JMP 0000000100100594
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                          0000000077871bc4 5 bytes JMP 000000010010083a
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                 0000000077871d50 5 bytes JMP 000000010010020c
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate                                                 000000007579549c 5 bytes JMP 00000001001c0800
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                     0000000075471492 7 bytes JMP 000000010011059e
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                000000007696524f 7 bytes JMP 0000000100100f52
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                    00000000769653d0 7 bytes JMP 0000000100110210
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                   0000000076965677 1 byte JMP 0000000100110048
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                   0000000076965679 5 bytes {JMP 0xffffffff897aa9d1}
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                          000000007696589a 7 bytes JMP 0000000100100ca6
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                          0000000076965a1d 7 bytes JMP 00000001001103d8
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                     0000000076965c9b 7 bytes JMP 000000010011012c
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                       0000000076965d87 7 bytes JMP 00000001001102f4
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                      0000000076967240 7 bytes JMP 0000000100100e6e
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                       0000000076b71465 2 bytes [B7, 76]
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                      0000000076b714bb 2 bytes [B7, 76]
.text   ...                                                                                                                                                            * 2
.text   C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3436] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69                                        00000000773a6acb 7 bytes JMP 0000000100110680
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          000000007786fc90 5 bytes JMP 000000010028091c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                        000000007786fdf4 5 bytes JMP 0000000100280048
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                 000000007786fe88 5 bytes JMP 00000001002802ee
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                              000000007786ffe4 5 bytes JMP 00000001002804b2
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      0000000077870018 5 bytes JMP 00000001002809fe
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                              0000000077870048 5 bytes JMP 0000000100280ae0
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                           0000000077870064 5 bytes JMP 000000010026004c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                              000000007787077c 5 bytes JMP 000000010028012a
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                  000000007787086c 5 bytes JMP 0000000100280758
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                            0000000077870884 5 bytes JMP 0000000100280676
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                0000000077870dd4 5 bytes JMP 00000001002803d0
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          0000000077871900 5 bytes JMP 0000000100280594
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                      0000000077871bc4 5 bytes JMP 000000010028083a
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                             0000000077871d50 5 bytes JMP 000000010028020c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206            000000007696524f 7 bytes JMP 0000000100280f52
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                00000000769653d0 7 bytes JMP 0000000100290210
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149               0000000076965677 1 byte JMP 0000000100290048
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151               0000000076965679 5 bytes {JMP 0xffffffff8992a9d1}
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                      000000007696589a 7 bytes JMP 0000000100280ca6
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                      0000000076965a1d 7 bytes JMP 00000001002903d8
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                 0000000076965c9b 7 bytes JMP 000000010029012c
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                   0000000076965d87 7 bytes JMP 00000001002902f4
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  0000000076967240 7 bytes JMP 0000000100280e6e
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                 0000000075471492 7 bytes JMP 000000010029059e
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                   0000000076b71465 2 bytes [B7, 76]
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                  0000000076b714bb 2 bytes [B7, 76]
.text   ...                                                                                                                                                            * 2
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                    000000007786fc90 5 bytes JMP 000000010028091c
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                  000000007786fdf4 5 bytes JMP 0000000100280048
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                           000000007786fe88 5 bytes JMP 00000001002802ee
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                        000000007786ffe4 5 bytes JMP 00000001002804b2
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                0000000077870018 5 bytes JMP 00000001002809fe
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                        0000000077870048 5 bytes JMP 0000000100280ae0
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                     0000000077870064 5 bytes JMP 000000010002004c
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                        000000007787077c 5 bytes JMP 000000010028012a
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                            000000007787086c 5 bytes JMP 0000000100280758
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                      0000000077870884 5 bytes JMP 0000000100280676
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                          0000000077870dd4 5 bytes JMP 00000001002803d0
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                    0000000077871900 5 bytes JMP 0000000100280594
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                0000000077871bc4 5 bytes JMP 000000010028083a
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                       0000000077871d50 5 bytes JMP 000000010028020c
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                      000000007696524f 7 bytes JMP 0000000100280f52
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                          00000000769653d0 7 bytes JMP 0000000100290210
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                         0000000076965677 1 byte JMP 0000000100290048
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                         0000000076965679 5 bytes {JMP 0xffffffff8992a9d1}
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                000000007696589a 7 bytes JMP 0000000100280ca6
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                0000000076965a1d 7 bytes JMP 00000001002903d8
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                           0000000076965c9b 7 bytes JMP 000000010029012c
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                             0000000076965d87 7 bytes JMP 00000001002902f4
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                            0000000076967240 7 bytes JMP 0000000100280e6e
.text   C:\Users\Lino\Downloads\tgmdu7dm.exe[4384] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                           0000000075471492 7 bytes JMP 00000001002904bc

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs                                                                                                                                         fffffa800a6912c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{7D5A217E-9DD0-4168-BBE9-01BEE99BA879}                                                                                       fffffa800d5972c0
Device  \Driver\usbehci \Device\USBPDO-1                                                                                                                               fffffa80099fb2c0
Device  \Driver\cdrom \Device\CdRom0                                                                                                                                   fffffa800abb82c0
Device  \Driver\usbehci \Device\USBFDO-0                                                                                                                               fffffa80099fb2c0
Device  \Driver\NAVENG \Device\NAVENG                                                                                                                                  fffff88009634bb8
Device  \Driver\usbehci \Device\USBFDO-1                                                                                                                               fffffa80099fb2c0
Device  \Driver\IDSVia64 \Device\SymIDSCo                                                                                                                              fffff8800966c060
Device  \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                        fffffa800d5972c0
Device  \Driver\usbehci \Device\USBPDO-0                                                                                                                               fffffa80099fb2c0

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4380:5072]                                                                                                 000007fefb6d2a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4380:5000]                                                                                                 000007fef6205124
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4380:948]                                                                                                  000007feed5fd618

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                                               
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                            0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                            0
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                         0xB6 0xDB 0xC9 0xF2 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                           
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                                0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                                0
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                             0xB6 0xDB 0xC9 0xF2 ...

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                                                          unknown MBR code

---- EOF - GMER 2.1 ----

Muss ich für den Anti-Rootkitscan aber auch alle Antivirus Programme ausschalten?


Alt 17.03.2013, 00:01   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


Ja wäre gut
__________________
--> Browser Highjacker

Alt 17.03.2013, 15:41   #7
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


So, ich hab jetzt auch das Anti Rootkit teil durchgehen lassen. Jedoch wollte er beim Clean up nicht neustarten, sondern er hat es einfach ohne Neustart "ge-clean-uped", also hab ich nach dem Abschluss einfach Manuel einen Neustart gemacht.

Hier sind die logs

Code:
ATTFilter
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.17.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Lino :: LINOS-HP-SCHATZ [administrator]

17.03.2013 15:10:48
mbar-log-2013-03-17 (15-10-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 33643
Time elapsed: 10 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKLM\SOFTWARE\CLASSES\INTERFACE\{55555555-5555-5555-5555-550055225558} (Adware.GamePlayLab) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\TypeLib\{44444444-4444-4444-4444-440044224458} (Adware.GamePlayLab) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\INTERFACE\{66666666-6666-6666-6666-660066226658} (Adware.GamePlayLab) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\INTERFACE\{77777777-7777-7777-7777-770077227758} (Adware.GamePlayLab) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Beim 2. Mal hat es nichts mehr entdeckt.

Alt 17.03.2013, 17:01   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


aswMBR

Downloade dir bitte aswMBR.exe und speichere die Datei auf deinem Desktop.
  • Starte die aswMBR.exe - (aswMBR.exe Anleitung)
    Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten".
  • Das Tool wird dich fragen, ob Du mit der aktuellen Virendefinition von AVAST! dein System scannen willst. Beantworte diese Frage bitte mit Ja. (Sollte deine Firewall fragen, bitte den Zugriff auf das Internet zulassen )
    Der Download der Definitionen kann je nach Verbindung eine Weile dauern.
  • Klicke auf Scan.
  • Warte bitte bis Scan finished successfully im DOS-Fenster steht.
  • Drücke auf Save Log und speichere diese auf dem Desktop.
Poste mir die aswMBR.txt in deiner nächsten Antwort.

Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung

Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none).




TDSS-Killer

Downloade dir bitte TDSSKiller TDSSKiller.exe und speichere diese Datei auf dem Desktop
  • Starte die TDSSKiller.exe - Einstellen wie in der Anleitung zu TDSSKiller beschrieben.
  • Drücke Start Scan
  • Sollten infizierte Objekte gefunden werden, wähle keinesfalls Cure. Wähle Skip und klicke auf Continue.
    TDSSKiller wird eine Logfile auf deinem Systemlaufwerk speichern (Meistens C:\)
    Als Beispiel: C:\TDSSKiller.<Version_Datum_Uhrzeit>log.txt
Poste den Inhalt bitte in jedem Fall hier in deinen Thread.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 18.03.2013, 13:02   #9
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


Also nur um ganz sicher zu gehen: NIEMALS das Programm die Probleme fixen lassen, außer du schreibst es und bei den Scans immer Norton ausschalten?!

Alt 18.03.2013, 13:10   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


ja genau so
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 19.03.2013, 14:50   #11
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


Der aseMBR scan hängt sich jedes mal auf, weil es ein Problem gibt. Nur welches wird nicht geschrieben

Alt 19.03.2013, 15:33   #12
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


Starte aswMBR neu, wähle unten links im Drop-Down-Menü (unten links im Fenster von aswMBR) bei "AV scan" (none) aus und klick nochmal auf den Scan-Button.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 19.03.2013, 21:19   #13
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


Das aswMBR Programm hängt sich während dem Scan auf. Es gibt ein "Problem". Welches, wird natürlich nicht gesagt.

Alt 20.03.2013, 13:10   #14
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Browser Highjacker - Standard

Browser Highjacker


Und das obwohl du avscan auf none gestellt hast?
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 20.03.2013, 13:45   #15
Linschko
 
Browser Highjacker - Standard

Browser Highjacker


OOps, ich hab nicht gesehen das eine 2. Seite erstellt wurde und hab deshalb ausversehen 2 mal gepostet

Hier sind die logs;
(Ich weiß das der PC-name kake ist, aber mir ist einfach kein besserer PC-name eingefallen)

aswMBR

Code:
ATTFilter
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-20 13:24:46
-----------------------------
13:24:46.972    OS Version: Windows x64 6.1.7601 Service Pack 1
13:24:46.972    Number of processors: 8 586 0x1E05
13:24:46.973    ComputerName: LINOS-HP-SCHATZ  UserName: Lino
13:24:51.824    Initialize success
13:25:02.699    AVAST engine defs: 13031900
13:26:04.885    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:26:04.889    Disk 0 Vendor: WDC_WD15 01.0 Size: 1430799MB BusType: 8
13:26:05.012    Disk 0 MBR read successfully
13:26:05.016    Disk 0 MBR scan
13:26:05.024    Disk 0 unknown MBR code
13:26:05.029    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
13:26:05.048    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS      1416783 MB offset 206848
13:26:05.087    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        13914 MB offset 2901778432
13:26:05.150    Disk 0 scanning C:\Windows\system32\drivers
13:26:16.675    Service scanning
13:26:40.249    Modules scanning
13:26:40.263    Disk 0 trace - called modules:
13:26:40.280    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys sptd.sys hal.dll 
13:26:40.290    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800aa95790]
13:26:40.299    3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800a7a0050]
13:26:40.305    Scan finished successfully
13:27:19.327    Disk 0 MBR has been saved successfully to "C:\Users\Lino\Desktop\MBR.dat"
13:27:19.330    The log file has been saved successfully to "C:\Users\Lino\Desktop\aswMBR.txt"
Tdsskiller (Hier musste ich Version 2.8.16.0 von Chip downloaden, weil Kaspary "umzieht")

Das Log ist zu lang... So ungefähr 1000 Zeichen.

Antwort
Seite 1 von 3 1 23

Themen zu Browser Highjacker
adobe, avira, browser, cpu, defender, enigma, error, excel, firefox, flash player, gelb, help, home, internet, internet browser, internet explorer, loswerden, monstermarketplace, mozilla, neu aufsetzen, outlook 2010, plug-in, problem, registrierungsdatenbank, security, server, svchost.exe, symantec, temp, viren, virus, visual studio, windows


« Bekomme 2 Objekte mit Malwarebytes nicht gelöscht ? | Delta Search Problem »


Ähnliche Themen: Browser Highjacker


  1. Bing vc Highjacker
    Plagegeister aller Art und deren Bekämpfung - 03.09.2015 (15)
  2. Windows 7: Browser Highjacker eingefangen?
    Log-Analyse und Auswertung - 16.10.2014 (19)
  3. Windows 8 / "Feun2Save": Nur noch Werbelinks usw. im Browser; Browser öffnet sich von alleine
    Log-Analyse und Auswertung - 06.10.2014 (18)
  4. Windows 7 (x64): ungewohntes Browser verhalten, instabile Verbindungen (Browser und Wlan)
    Log-Analyse und Auswertung - 20.09.2014 (9)
  5. Veralteter Browser erkannt: http://www.updating-your-browser.com/Firefox-DE/
    Plagegeister aller Art und deren Bekämpfung - 08.01.2014 (9)
  6. Browser von Highjacker (Certified Toolbar) befallen?
    Log-Analyse und Auswertung - 21.09.2013 (3)
  7. Ginyas Browser Companion in Chrome Browser
    Plagegeister aller Art und deren Bekämpfung - 27.03.2013 (11)
  8. Highjacker auf dem Laptop..mit HiJackThis Log-File.
    Log-Analyse und Auswertung - 25.01.2009 (1)
  9. TR/Highjacker.AE läßt hier gefundene Gegenprogramme nicht zu
    Mülltonne - 14.11.2008 (0)
  10. Browser
    Diskussionsforum - 05.09.2008 (18)
  11. Highjacker problem
    Log-Analyse und Auswertung - 12.06.2006 (4)
  12. Firefox Highjacker - finde keine Hilfe
    Plagegeister aller Art und deren Bekämpfung - 03.11.2005 (2)
  13. HighJacker Problem?
    Log-Analyse und Auswertung - 30.06.2005 (10)
  14. TV-Browser
    Alles rund um Windows - 27.03.2005 (0)
  15. bekomme highjacker nicht gefixt!bitte hilfe
    Log-Analyse und Auswertung - 21.03.2005 (3)
  16. Probleme mit highjacker
    Log-Analyse und Auswertung - 16.10.2004 (2)
  17. Neuen Highjacker eingefangen
    Log-Analyse und Auswertung - 05.08.2004 (4)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema Browser Highjacker - Also ich hab mir wie es scheint einige (viele) Browser Highjacker eingefangen. Darunter das gute alte monstermarketplace (+safersurf4free). Auf jeden Fall schickt mich das Virus nicht automatisch auf die Seite, - Browser Highjacker...
Archiv
Du betrachtest: Browser Highjacker auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132