Log analysis and evaluation: System keeps hanging, recently switched antivirus program (Windows 7)
28.05.2013, 10:32 | #1
System keeps hanging, recently switched antivirus program

Hi,

I recently disabled the Norton 360 that was installed on my machine and installed Avira, because I suspected that Norton was messing with my programs (which turned out not to be the case). I have now removed Avira again and put Norton back on, but now my PC keeps hanging completely every so often. Not even the Task Manager opens. 15-30 minutes after system start the effect almost completely disappears, though. Both CPU and RAM are still a good way below max, although I have the impression that more RAM is in use than normal. Avira found a trojan, which I deleted. Unfortunately I did not save the log files, and Avira is already uninstalled. On top of that, the process AdobeARM shows up under this user account, even after deleting the program's file. Under the administrator account it does not show up. So much for what I have observed. When closing OTL I got this error: Exception EAccessViolation in module OTL.exe at 00012C42. Access violation at address 00412C42 in module OTL.exe. Read of address 42ECFC00.

OTL Code:
OTL logfile created on: 26.05.2013 15:39:46 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\xxx\Desktop 64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 5,96 Gb Total Physical Memory | 3,40 Gb Available Physical Memory | 57,00% Memory free 11,92 Gb Paging File | 9,36 Gb Available in Paging File | 78,50% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 455,45 Gb Total Space | 299,60 Gb Free Space | 65,78% Space Free | Partition Type: NTFS Drive D: | 455,96 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: NTFS Drive E: | 6,24 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: xxx-PC | User Name: xxx_2 | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.05.20 14:12:28 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe PRC - [2012.12.24 05:33:29 | 000,144,520 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\ccSvcHst.exe PRC - [2011.01.17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe PRC - [2011.01.17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin PRC - [2009.12.09 11:24:16 | 000,076,320 | ---- | M] () -- C:\OEM\USBDECTION\USBS3S4Detection.exe PRC - [2009.09.30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe PRC - 
[2009.09.30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe PRC - [2009.09.10 15:42:46 | 000,305,448 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe PRC - [2009.09.10 15:42:30 | 000,349,480 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe PRC - [2009.08.28 11:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe PRC - [2009.08.13 01:04:44 | 000,062,208 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe PRC - [2009.08.13 00:58:28 | 000,261,888 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe PRC - [2009.08.04 07:09:34 | 000,199,464 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe PRC - [2009.07.04 04:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Programme\Acer\Acer Updater\UpdaterService.exe PRC - [2009.04.16 00:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) 
-- C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe ========== Modules (No Company Name) ========== MOD - [2012.05.30 08:51:08 | 000,699,280 | R--- | M] () -- C:\PROGRAM FILES (X86)\NORTON 360\ENGINE\20.3.1.22\wincfi39.dll MOD - [2011.09.06 20:56:32 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll MOD - [2009.02.03 03:33:56 | 000,460,199 | ---- | M] () -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\sqlite3.dll ========== Services (SafeList) ========== SRV:64bit: - [2009.10.19 15:17:42 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV - [2013.05.15 21:09:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.04.29 12:46:20 | 004,233,088 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe -- (NOBU) SRV - [2013.04.19 23:10:50 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2013.02.28 18:45:16 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2013.01.02 13:30:50 | 000,018,360 | ---- | M] (Overwolf Ltd) [On_Demand | Stopped] -- C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe -- (OverwolfUpdaterService) SRV - [2012.12.24 05:33:29 | 000,144,520 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\ccSvcHst.exe -- (N360) SRV - [2012.07.09 01:40:10 | 000,104,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.12.09 11:24:16 | 000,076,320 | ---- | M] () [Auto | 
Running] -- C:\OEM\USBDECTION\USBS3S4Detection.exe -- (USBS3S4Detection) SRV - [2009.09.30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) SRV - [2009.09.30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) SRV - [2009.09.10 15:42:46 | 000,305,448 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService) SRV - [2009.08.28 11:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe -- (Greg_Service) SRV - [2009.08.25 20:38:06 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0) SRV - [2009.08.13 01:04:44 | 000,062,208 | ---- | M] (NewTech Infosystems, Inc.) 
[Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc) SRV - [2009.08.06 15:17:46 | 000,118,672 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Programme\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost) SRV - [2009.07.21 02:42:38 | 000,061,976 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Programme\Microsoft SQL Server\100\Shared\sqladhlp.exe -- (MSSQLServerADHelper100) SRV - [2009.07.04 04:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Programme\Acer\Acer Updater\UpdaterService.exe -- (Updater Service) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) SRV - [2009.03.30 04:02:56 | 057,617,752 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SRV - [2009.03.30 04:01:06 | 000,427,880 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE -- (SQLAgent$SQLEXPRESS) SRV - [2008.07.10 05:31:10 | 000,157,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013.05.20 14:40:26 | 000,177,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent) DRV:64bit: - [2013.02.27 20:54:59 | 000,303,616 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt) DRV:64bit: - [2013.02.27 20:54:58 | 000,035,328 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt) DRV:64bit: - [2013.01.31 05:18:18 | 000,432,800 | ---- | M] (Symantec Corporation) [Kernel | 
System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnets.sys -- (SymNetS) DRV:64bit: - [2013.01.31 05:18:06 | 001,139,800 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa64.sys -- (SymEFA) DRV:64bit: - [2013.01.29 03:45:19 | 000,796,248 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.sys -- (SRTSP) DRV:64bit: - [2013.01.29 03:45:19 | 000,036,952 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.sys -- (SRTSPX) DRV:64bit: - [2013.01.22 04:15:33 | 000,493,656 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds64.sys -- (SymDS) DRV:64bit: - [2012.11.16 04:22:01 | 000,224,416 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ironx64.sys -- (SymIRON) DRV:64bit: - [2012.11.16 04:18:04 | 000,168,096 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.sys -- (ccSet_N360) DRV:64bit: - [2012.03.01 08:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.03.11 08:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2009.12.09 11:39:52 | 000,537,624 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor) DRV:64bit: - [2009.11.18 12:30:56 | 000,123,408 | ---- | M] (ATI Technologies, Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService) DRV:64bit: - [2009.10.19 15:50:12 | 006,098,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag) DRV:64bit: - [2009.09.23 11:11:04 | 000,283,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1k62x64.sys -- (e1kexpress) DRV:64bit: - [2009.09.17 06:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) DRV:64bit: - [2009.08.06 15:17:34 | 000,013,784 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.07.14 03:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\svchost.exe -- (1394hub) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] 
(Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.06.02 13:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk) DRV:64bit: - [2009.06.02 13:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys -- (mwlPSDFilter) DRV:64bit: - [2009.06.02 13:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys -- (mwlPSDNServ) DRV:64bit: - [2009.05.06 02:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr) DRV:64bit: - [2009.05.06 02:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper) DRV:64bit: - [2009.03.18 18:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi) DRV - [2013.05.22 07:42:15 | 002,098,776 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130525.006\ex64.sys -- (NAVEX15) DRV - [2013.05.22 07:42:11 | 000,126,040 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\VirusDefs\20130525.006\eng64.sys -- (NAVENG) DRV - [2013.05.19 17:36:07 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl) DRV - [2013.05.19 17:36:07 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv) DRV - [2013.05.17 15:30:54 | 000,513,184 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\IPSDefs\20130524.001\IDSviA64.sys -- (IDSVia64) DRV - [2013.05.03 00:16:48 | 001,390,680 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\Definitions\BASHDefs\20130515.001\BHDrvx64.sys -- (BHDrvx64) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = 
hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5811&r=17361210m005pe446v115w68n1u49o IE - HKCU\..\URLSearchHook: 
{00000000-6E41-4FD3-8538-502F5495E5FC} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_deDE411DE412 IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKCU\..\SearchScopes\{E24DBF2D-F9F4-4BFB-A0D3-7078A8357211}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=cb60a469-860c-4b30-b4d6-702aeacd7eb6&apn_sauid=B12575B5-01EE-4210-966E-7BE4A95F9DA4 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files 
(x86)\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.11.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\IPSFFPlgn\ [2013.05.20 14:41:05 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.0.36\coFFPlgn\ [2013.05.26 15:07:40 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011.12.13 18:54:08 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.03.07 08:25:03 | 000,000,000 | ---D | M] [2012.05.18 23:13:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\x_2\AppData\Roaming\mozilla\Extensions [2013.04.27 19:17:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\x_2\AppData\Roaming\mozilla\Firefox\Profiles\cid2e4dx.default\extensions [2013.04.27 19:17:47 | 000,000,000 | ---D | M] (Avira SearchFree Toolbar plus Web Protection) -- C:\Users\xxx_2\AppData\Roaming\mozilla\Firefox\Profiles\cid2e4dx.default\extensions\toolbar@ask.com [2013.04.01 12:57:30 | 000,002,333 | ---- | M] () -- C:\Users\xxx_2\AppData\Roaming\mozilla\firefox\profiles\cid2e4dx.default\searchplugins\askcom.xml [2013.01.31 18:04:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2011.12.13 18:54:07 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2011.12.03 16:57:07 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2011.12.03 16:57:07 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2011.12.03 16:57:07 | 000,001,153 | ---- | M] () -- C:\Program 
Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2011.12.03 16:57:07 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2011.12.03 16:57:07 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2011.12.03 16:57:07 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - default_search_provider: Google (Enabled) CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding} CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms} CHR - homepage: hxxp://www.google.com/ CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\ppGoogleNaClPluginChrome.dll CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\pdf.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\gcswf32.dll CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Niklas G\u00F6bel_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\npSkypeChromePlugin.dll CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google 
Earth\plugin\npgeplugin.dll CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll CHR - Extension: YouTube = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\ CHR - Extension: Google-Suche = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\ CHR - Extension: Google Mail = C:\Users\xxx_2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\ O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation) O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation) O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation) O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) 
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.) O4:64bit: - HKLM..\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (Egis Technology Inc.) O4 - HKLM..\Run: [ArcadeDeluxeAgent] C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.) O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.) O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe (Egis Technology Inc.) O4 - HKLM..\Run: [RemoteControl8] C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) 
O4 - HKCU..\Run: [Overwolf] C:\Program Files (x86)\Overwolf\Overwolf.exe (Overwolf)
O4 - HKLM..\RunOnce: [{69ec32be-d994-44de-9eae-6d86ced6f352}] C:\ProgramData\Package Cache\{69ec32be-d994-44de-9eae-6d86ced6f352}\wdexpress_full.exe (Microsoft Corporation)
O4 - Startup: C:\Users\xxx_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Psi.lnk = C:\Program Files (x86)\Psi\Psi.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F4DDD1D-DDD8-4C38-B859-61F5A62DB645}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20 - HKLM Winlogon: UserInit - (userinit.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.05.25 22:53:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2013.05.25 10:17:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2013.05.21 19:51:59 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\Documents\EVE
[2013.05.21 19:50:59 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Local\CCP
[2013.05.21 14:59:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2012
[2013.05.21 14:58:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Help Viewer
[2013.05.21 14:54:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 11.0
[2013.05.21 14:50:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Overwolf
[2013.05.20 14:56:36 | 000,432,800 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnets.sys
[2013.05.20 14:56:35 | 001,139,800 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa64.sys
[2013.05.20 14:56:35 | 000,023,448 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symelam.sys
[2013.05.20 14:56:34 | 000,796,248 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.sys
[2013.05.20 14:56:34 | 000,493,656 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds64.sys
[2013.05.20 14:56:34 | 000,036,952 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.sys
[2013.05.20 14:56:33 | 000,224,416 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ironx64.sys
[2013.05.20 14:56:33 | 000,168,096 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.sys
[2013.05.20 14:55:14 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64\1403010.016
[2013.05.20 14:40:26 | 000,177,312 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2013.05.20 14:40:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2013.05.20 14:40:26 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2013.05.20 14:38:21 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64
[2013.05.20 14:38:20 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360
[2013.05.20 14:38:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton 360
[2013.05.20 14:37:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller
[2013.05.16 18:03:44 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2013.04.29 21:06:52 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Roaming\Psi
[2013.04.29 21:06:52 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Local\Psi
[2013.04.29 21:06:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Psi
[2013.04.29 21:06:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Psi
[2013.04.27 19:17:22 | 000,000,000 | ---D | C] -- C:\Users\xxx_2\AppData\Local\APN
[2013.04.27 19:17:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2009.11.18 23:40:11 | 000,036,136 | ---- | C] (Oberon Media) -- C:\ProgramData\FullRemove.exe

========== Files - Modified Within 30 Days ==========

[2013.05.26 15:19:18 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.05.26 15:16:56 | 000,000,000 | ---- | M] () -- C:\Users\xxx_2\defogger_reenable
[2013.05.26 15:14:41 | 000,009,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.05.26 15:14:41 | 000,009,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.05.26 15:09:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.05.26 15:07:45 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.05.26 15:07:29 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl
[2013.05.26 15:07:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.05.26 15:07:09 | 504,676,351 | -HS- | M] () -- C:\hiberfil.sys
[2013.05.25 10:18:01 | 000,002,127 | ---- | M] () -- C:\Users\Public\Desktop\Norton Online Backup.lnk
[2013.05.24 20:19:47 | 000,002,187 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013.05.21 19:49:51 | 000,002,746 | ---- | M] () -- C:\Windows\wininit.ini
[2013.05.21 14:54:12 | 001,776,168 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013.05.21 14:54:12 | 000,764,084 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.05.21 14:54:12 | 000,719,162 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.05.21 14:54:12 | 000,173,870 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.05.21 14:54:12 | 000,146,654 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.05.21 14:54:00 | 001,776,168 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.05.21 14:49:48 | 000,000,680 | RHS- | M] () -- C:\Users\xxx_2\ntuser.pol
[2013.05.21 11:50:41 | 000,002,323 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2013.05.21 11:50:13 | 002,231,691 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\Cat.DB
[2013.05.20 14:40:26 | 000,177,312 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2013.05.20 14:40:26 | 000,007,466 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2013.05.20 14:40:26 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2013.04.29 21:06:41 | 000,000,975 | ---- | M] () -- C:\Users\xxx_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Psi.lnk
[2013.04.29 21:06:41 | 000,000,939 | ---- | M] () -- C:\Users\xxx_2\Desktop\Psi.lnk

========== Files Created - No Company Name ==========

[2013.05.26 15:16:56 | 000,000,000 | ---- | C] () -- C:\Users\xxx_2\defogger_reenable
[2013.05.21 11:49:20 | 002,231,691 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\Cat.DB
[2013.05.20 14:58:21 | 000,014,818 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\VT20130115.021
[2013.05.20 14:56:35 | 000,009,670 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symelam64.cat
[2013.05.20 14:56:35 | 000,007,601 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnet64.cat
[2013.05.20 14:56:35 | 000,007,587 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa64.cat
[2013.05.20 14:56:35 | 000,001,440 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symnet.inf
[2013.05.20 14:56:35 | 000,000,996 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symelam.inf
[2013.05.20 14:56:34 | 000,007,589 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.cat
[2013.05.20 14:56:34 | 000,007,581 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds64.cat
[2013.05.20 14:56:34 | 000,003,434 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symefa.inf
[2013.05.20 14:56:34 | 000,002,852 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\symds.inf
[2013.05.20 14:56:34 | 000,001,438 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.inf
[2013.05.20 14:56:34 | 000,001,420 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtspx64.inf
[2013.05.20 14:56:33 | 000,007,611 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.cat
[2013.05.20 14:56:33 | 000,007,593 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\iron.cat
[2013.05.20 14:56:33 | 000,007,585 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\srtsp64.cat
[2013.05.20 14:56:33 | 000,000,853 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\ccsetx64.inf
[2013.05.20 14:56:33 | 000,000,767 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\iron.inf
[2013.05.20 14:55:14 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\1403010.016\isolate.ini
[2013.05.20 14:40:26 | 000,007,466 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2013.05.20 14:40:26 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2013.05.20 14:40:23 | 000,002,323 | ---- | C] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2013.05.17 20:28:59 | 000,000,975 | ---- | C] () -- C:\Users\xxx_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Psi.lnk
[2013.04.29 21:06:41 | 000,000,939 | ---- | C] () -- C:\Users\xxx_2\Desktop\Psi.lnk
[2013.01.16 21:20:07 | 000,000,858 | ---- | C] () -- C:\Windows\client.config.ini
[2012.05.18 23:07:12 | 000,000,680 | RHS- | C] () -- C:\Users\xxx_2\ntuser.pol
[2012.01.24 21:41:38 | 001,776,168 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== ZeroAccess Check ==========

[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012.09.23 20:28:00 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\EVEMon
[2012.07.13 21:50:41 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\Notepad++
[2012.05.18 23:08:19 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\OEM
[2012.05.18 23:13:12 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\Opera
[2013.04.29 21:06:52 | 000,000,000 | ---D | M] -- C:\Users\xxx_2\AppData\Roaming\Psi

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:AB689DEA
@Alternate Data Stream - 138 bytes -> C:\ProgramData\Temp:5D7E5A8F
@Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:93DE1838
@Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:E1F04E8D
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:444C53BA
@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:0B9176C0

< End of report >

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:35 on 28/05/2013 (xxx_2)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-05-26 16:24:29
Windows 6.1.7600  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.80.0 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\xxx~3\AppData\Local\Temp\awriaaow.sys
---- User code sections - GMER 2.1 ----
.text         0000000075675677 1 byte JMP 0000000100290048
.text  C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                             0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1}
.text  C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                    000000007567589a 7 bytes JMP 0000000100280ca6
.text  C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                    0000000075675a1d 7 bytes JMP 00000001002903d8
.text  C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                               0000000075675c9b 7 bytes JMP 000000010029012c
.text  C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                 0000000075675d87 7 bytes JMP 00000001002902f4
.text  C:\OEM\USBDECTION\USBS3S4Detection.exe[1604] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                0000000075677240 7 bytes JMP 0000000100280e6e
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                00000000773bfc40 5 bytes JMP 00000001007a091c
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                              00000000773bfda4 5 bytes JMP 00000001007a0048
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                       00000000773bfe38 5 bytes JMP 00000001007a02ee
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                    00000000773bff94 5 bytes JMP 00000001007a04b2
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                            00000000773bffc8 5 bytes JMP 00000001007a09fe
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                    00000000773bfff8 5 bytes JMP 00000001007a0ae0
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                 00000000773c0014 2 bytes JMP 000000010064004c
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                             00000000773c0017 2 bytes [28, 89]
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                    00000000773c072c 5 bytes JMP 00000001007a012a
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                        00000000773c081c 5 bytes JMP 00000001007a0758
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                  00000000773c0834 5 bytes JMP 00000001007a0676
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                      00000000773c0d84 5 bytes JMP 00000001007a03d0
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                00000000773c18b0 5 bytes JMP 00000001007a0594
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                            00000000773c1b74 5 bytes JMP 00000001007a083a
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                   00000000773c1d00 5 bytes JMP 00000001007a020c
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                       00000000766015ea 7 bytes JMP 00000001007b0762
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                  000000007567524f 7 bytes JMP 00000001007a0f52
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                      00000000756753d0 7 bytes JMP 00000001007b0210
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                     0000000075675677 1 byte JMP 00000001007b0048
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                     0000000075675679 5 bytes {JMP 0xffffffff8b13a9d1}
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                            000000007567589a 7 bytes JMP 00000001007a0ca6
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                            0000000075675a1d 7 bytes JMP 00000001007b03d8
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                       0000000075675c9b 7 bytes JMP 00000001007b012c
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                         0000000075675d87 7 bytes JMP 00000001007b02f4
.text  C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe[4092] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                        0000000075677240 7 bytes JMP 00000001007a0e6e
.text  C:\Program Files (x86)\Overwolf\Overwolf.exe[2292] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                                                           00000000752a1465 2 bytes [2A, 75]
.text  C:\Program Files (x86)\Overwolf\Overwolf.exe[2292] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                                                          00000000752a14bb 2 bytes [2A, 75]
.text  ...                                                                                                                                                                  * 2
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          00000000773bfc40 5 bytes JMP 000000010010091c
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                        00000000773bfda4 5 bytes JMP 0000000100100048
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                 00000000773bfe38 5 bytes JMP 00000001001002ee
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                              00000000773bff94 5 bytes JMP 00000001001004b2
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      00000000773bffc8 5 bytes JMP 00000001001009fe
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                              00000000773bfff8 5 bytes JMP 0000000100100ae0
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                           00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                       00000000773c0017 2 bytes [C6, 88]
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                              00000000773c072c 5 bytes JMP 000000010010012a
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                  00000000773c081c 5 bytes JMP 0000000100100758
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                            00000000773c0834 5 bytes JMP 0000000100100676
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                00000000773c0d84 5 bytes JMP 00000001001003d0
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          00000000773c18b0 5 bytes JMP 0000000100100594
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                      00000000773c1b74 5 bytes JMP 000000010010083a
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                             00000000773c1d00 5 bytes JMP 000000010010020c
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                 00000000766015ea 7 bytes JMP 000000010011059e
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206            000000007567524f 7 bytes JMP 0000000100100f52
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                00000000756753d0 7 bytes JMP 0000000100110210
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149               0000000075675677 1 byte JMP 0000000100110048
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151               0000000075675679 5 bytes {JMP 0xffffffff8aa9a9d1}
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                      000000007567589a 7 bytes JMP 0000000100100ca6
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                      0000000075675a1d 7 bytes JMP 00000001001103d8
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                 0000000075675c9b 7 bytes JMP 000000010011012c
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                   0000000075675d87 7 bytes JMP 00000001001102f4
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[2636] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  0000000075677240 7 bytes JMP 0000000100100e6e
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                            00000000773bfc40 5 bytes JMP 000000010016091c
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                          00000000773bfda4 5 bytes JMP 0000000100160048
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                   00000000773bfe38 5 bytes JMP 00000001001602ee
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                00000000773bff94 5 bytes JMP 00000001001604b2
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                        00000000773bffc8 5 bytes JMP 00000001001609fe
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                00000000773bfff8 5 bytes JMP 0000000100160ae0
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                             00000000773c0014 2 bytes JMP 000000010003004c
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                         00000000773c0017 2 bytes [C7, 88]
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                00000000773c072c 5 bytes JMP 000000010016012a
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                    00000000773c081c 5 bytes JMP 0000000100160758
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                              00000000773c0834 5 bytes JMP 0000000100160676
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                  00000000773c0d84 5 bytes JMP 00000001001603d0
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                            00000000773c18b0 5 bytes JMP 0000000100160594
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                        00000000773c1b74 5 bytes JMP 000000010016083a
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                               00000000773c1d00 5 bytes JMP 000000010016020c
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                   00000000766015ea 7 bytes JMP 000000010017059e
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                              000000007567524f 7 bytes JMP 0000000100160f52
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                  00000000756753d0 7 bytes JMP 0000000100170210
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                 0000000075675677 1 byte JMP 0000000100170048
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                 0000000075675679 5 bytes {JMP 0xffffffff8aafa9d1}
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                        000000007567589a 7 bytes JMP 0000000100160ca6
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                        0000000075675a1d 7 bytes JMP 00000001001703d8
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                   0000000075675c9b 7 bytes JMP 000000010017012c
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                     0000000075675d87 7 bytes JMP 00000001001702f4
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[3324] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                    0000000075677240 7 bytes JMP 0000000100160e6e
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                      00000000773bfc40 5 bytes JMP 000000010028091c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                    00000000773bfda4 5 bytes JMP 0000000100280048
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                             00000000773bfe38 5 bytes JMP 00000001002802ee
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                          00000000773bff94 5 bytes JMP 00000001002804b2
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                  00000000773bffc8 5 bytes JMP 00000001002809fe
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                          00000000773bfff8 5 bytes JMP 0000000100280ae0
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                       00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                                   00000000773c0017 2 bytes [C6, 88]
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                          00000000773c072c 5 bytes JMP 000000010028012a
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                              00000000773c081c 5 bytes JMP 0000000100280758
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                        00000000773c0834 5 bytes JMP 0000000100280676
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                            00000000773c0d84 5 bytes JMP 00000001002803d0
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                      00000000773c18b0 5 bytes JMP 0000000100280594
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                  00000000773c1b74 5 bytes JMP 000000010028083a
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                         00000000773c1d00 5 bytes JMP 000000010028020c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                             00000000766015ea 7 bytes JMP 000000010029059e
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                        000000007567524f 7 bytes JMP 0000000100280f52
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                            00000000756753d0 7 bytes JMP 0000000100290210
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                           0000000075675677 1 byte JMP 0000000100290048
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                           0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1}
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                  000000007567589a 7 bytes JMP 0000000100280ca6
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                  0000000075675a1d 7 bytes JMP 00000001002903d8
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                             0000000075675c9b 7 bytes JMP 000000010029012c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                               0000000075675d87 7 bytes JMP 00000001002902f4
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[3584] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                              0000000075677240 7 bytes JMP 0000000100280e6e
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                00000000773bfc40 5 bytes JMP 00000001002c091c
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                              00000000773bfda4 5 bytes JMP 00000001002c0048
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                       00000000773bfe38 5 bytes JMP 00000001002c02ee
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                    00000000773bff94 5 bytes JMP 00000001002c04b2
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                            00000000773bffc8 5 bytes JMP 00000001002c09fe
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                    00000000773bfff8 5 bytes JMP 00000001002c0ae0
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                 00000000773c0014 2 bytes JMP 000000010026004c
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                             00000000773c0017 2 bytes [EA, 88]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                    00000000773c072c 5 bytes JMP 00000001002c012a
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                        00000000773c081c 5 bytes JMP 00000001002c0758
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                  00000000773c0834 5 bytes JMP 00000001002c0676
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                      00000000773c0d84 5 bytes JMP 00000001002c03d0
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                00000000773c18b0 5 bytes JMP 00000001002c0594
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                            00000000773c1b74 5 bytes JMP 00000001002c083a
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                   00000000773c1d00 5 bytes JMP 00000001002c020c
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                  000000007567524f 7 bytes JMP 00000001002c0f52
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                      00000000756753d0 7 bytes JMP 00000001002d0210
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNSC:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                     0000000075675d87 7 bytes JMP 00000001002702f4
.text  C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe[5476] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                    0000000075677240 7 bytes JMP 0000000100160e6e
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                            00000000773bfc40 5 bytes JMP 000000010028091c
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                          00000000773bfda4 5 bytes JMP 0000000100280048
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                   00000000773bfe38 5 bytes JMP 00000001002802ee
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                00000000773bff94 5 bytes JMP 00000001002804b2
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                        00000000773bffc8 5 bytes JMP 00000001002809fe
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                00000000773bfff8 5 bytes JMP 0000000100280ae0
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                             00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                         00000000773c0017 2 bytes [C6, 88]
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                00000000773c072c 5 bytes JMP 000000010028012a
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                    00000000773c081c 5 bytes JMP 0000000100280758
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                              00000000773c0834 5 bytes JMP 0000000100280676
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                  00000000773c0d84 5 bytes JMP 00000001002803d0
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                            00000000773c18b0 5 bytes JMP 0000000100280594
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                        00000000773c1b74 5 bytes JMP 000000010028083a
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                               00000000773c1d00 5 bytes JMP 000000010028020c
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                   00000000766015ea 7 bytes JMP 000000010029059e
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206              000000007567524f 7 bytes JMP 0000000100280f52
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                  00000000756753d0 7 bytes JMP 0000000100290210
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                 0000000075675677 1 byte JMP 0000000100290048
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                 0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1}
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                        000000007567589a 7 bytes JMP 0000000100280ca6
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                        0000000075675a1d 7 bytes JMP 00000001002903d8
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                   0000000075675c9b 7 bytes JMP 000000010029012c
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                     0000000075675d87 7 bytes JMP 00000001002902f4
.text  C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[5528] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123    0000000075677240 7 bytes JMP 0000000100280e6e
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                      00000000773bfc40 5 bytes JMP 000000010028091c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                    00000000773bfda4 5 bytes JMP 0000000100280048
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                             00000000773bfe38 5 bytes JMP 00000001002802ee
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                          00000000773bff94 5 bytes JMP 00000001002804b2
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                  00000000773bffc8 5 bytes JMP 00000001002809fe
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                          00000000773bfff8 5 bytes JMP 0000000100280ae0
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                       00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                                   00000000773c0017 2 bytes [C6, 88]
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                          00000000773c072c 5 bytes JMP 000000010028012a
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                              00000000773c081c 5 bytes JMP 0000000100280758
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                        00000000773c0834 5 bytes JMP 0000000100280676
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                            00000000773c0d84 5 bytes JMP 00000001002803d0
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                      00000000773c18b0 5 bytes JMP 0000000100280594
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                  00000000773c1b74 5 bytes JMP 000000010028083a
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                         00000000773c1d00 5 bytes JMP 000000010028020c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                             00000000766015ea 7 bytes JMP 000000010029059e
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                        000000007567524f 7 bytes JMP 0000000100280f52
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                            00000000756753d0 7 bytes JMP 0000000100290210
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                           0000000075675677 1 byte JMP 0000000100290048
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                           0000000075675679 5 bytes {JMP 0xffffffff8ac1a9d1}
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                  000000007567589a 7 bytes JMP 0000000100280ca6
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                  0000000075675a1d 7 bytes JMP 00000001002903d8
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                             0000000075675c9b 7 bytes JMP 000000010029012c
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                               0000000075675d87 7 bytes JMP 00000001002902f4
.text  C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe[5540] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                              0000000075677240 7 bytes JMP 0000000100280e6e
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                00000000773bfc40 5 bytes JMP 000000010010091c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                              00000000773bfda4 5 bytes JMP 0000000100100048
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                       00000000773bfe38 5 bytes JMP 00000001001002ee
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                    00000000773bff94 5 bytes JMP 00000001001004b2
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                            00000000773bffc8 5 bytes JMP 00000001001009fe
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                    00000000773bfff8 5 bytes JMP 0000000100100ae0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                 00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                             00000000773c0017 2 bytes [C6, 88]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                    00000000773c072c 5 bytes JMP 000000010010012a
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                        00000000773c081c 5 bytes JMP 0000000100100758
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                  00000000773c0834 5 bytes JMP 0000000100100676
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                      00000000773c0d84 5 bytes JMP 00000001001003d0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                00000000773c18b0 5 bytes JMP 0000000100100594
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                            00000000773c1b74 5 bytes JMP 000000010010083a
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                   00000000773c1d00 5 bytes JMP 000000010010020c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                  000000007567524f 7 bytes JMP 0000000100100f52
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                      00000000756753d0 7 bytes JMP 0000000100190210
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                     0000000075675677 1 byte JMP 0000000100190048
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                     0000000075675679 5 bytes {JMP 0xffffffff8ab1a9d1}
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                            000000007567589a 7 bytes JMP 0000000100100ca6
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                            0000000075675a1d 7 bytes JMP 00000001001903d8
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                       0000000075675c9b 7 bytes JMP 000000010019012c
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                         0000000075675d87 7 bytes JMP 00000001001902f4
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                        0000000075677240 7 bytes JMP 0000000100100e6e
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                       00000000766015ea 7 bytes JMP 0000000100190762
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                         00000000752a1465 2 bytes [2A, 75]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                        00000000752a14bb 2 bytes [2A, 75]
.text  ...                                                                                                                                                                  * 2
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                   00000000773bfc40 5 bytes JMP 00000001000a091c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                 00000000773bfda4 5 bytes JMP 00000001000a0048
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                          00000000773bfe38 5 bytes JMP 00000001000a02ee
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                       00000000773bff94 5 bytes JMP 00000001000a04b2
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                               00000000773bffc8 5 bytes JMP 00000001000a09fe
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                       00000000773bfff8 5 bytes JMP 00000001000a0ae0
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                    00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                                00000000773c0017 2 bytes [C6, 88]
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                       00000000773c072c 5 bytes JMP 00000001000a012a
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                           00000000773c081c 5 bytes JMP 00000001000a0758
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                     00000000773c0834 5 bytes JMP 00000001000a0676
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                         00000000773c0d84 5 bytes JMP 00000001000a03d0
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                   00000000773c18b0 5 bytes JMP 00000001000a0594
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                               00000000773c1b74 5 bytes JMP 00000001000a083a
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                      00000000773c1d00 5 bytes JMP 00000001000a020c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                          00000000766015ea 7 bytes JMP 00000001000b059e
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                     000000007567524f 7 bytes JMP 00000001000a0f52
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                         00000000756753d0 7 bytes JMP 00000001000b0210
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                        0000000075675677 1 byte JMP 00000001000b0048
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                        0000000075675679 5 bytes {JMP 0xffffffff8aa3a9d1}
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                               000000007567589a 7 bytes JMP 00000001000a0ca6
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                               0000000075675a1d 7 bytes JMP 00000001000b03d8
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                          0000000075675c9b 7 bytes JMP 00000001000b012c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                            0000000075675d87 7 bytes JMP 00000001000b02f4
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[5732] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                           0000000075677240 7 bytes JMP 00000001000a0e6e
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                   00000000773bfc40 5 bytes JMP 00000001006d091c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                 00000000773bfda4 5 bytes JMP 00000001006d0048
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                          00000000773bfe38 5 bytes JMP 00000001006d02ee
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                       00000000773bff94 5 bytes JMP 00000001006d04b2
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                               00000000773bffc8 5 bytes JMP 00000001006d09fe
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                       00000000773bfff8 5 bytes JMP 00000001006d0ae0
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                    00000000773c0014 2 bytes JMP 00000001006a004c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                                00000000773c0017 2 bytes [2E, 89]
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                       00000000773c072c 5 bytes JMP 00000001006d012a
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                           00000000773c081c 5 bytes JMP 00000001006d0758
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                     00000000773c0834 5 bytes JMP 00000001006d0676
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                         00000000773c0d84 5 bytes JMP 00000001006d03d0
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                   00000000773c18b0 5 bytes JMP 00000001006d0594
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                               00000000773c1b74 5 bytes JMP 00000001006d083a
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                      00000000773c1d00 5 bytes JMP 00000001006d020c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                          00000000766015ea 7 bytes JMP 00000001006e059e
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                     000000007567524f 7 bytes JMP 00000001006d0f52
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                         00000000756753d0 7 bytes JMP 00000001006e0210
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                        0000000075675677 1 byte JMP 00000001006e0048
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                        0000000075675679 5 bytes {JMP 0xffffffff8b06a9d1}
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                               000000007567589a 7 bytes JMP 00000001006d0ca6
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                               0000000075675a1d 7 bytes JMP 00000001006e03d8
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                          0000000075675c9b 7 bytes JMP 00000001006e012c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                            0000000075675d87 7 bytes JMP 00000001006e02f4
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                           0000000075677240 7 bytes JMP 00000001006d0e6e
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                            00000000752a1465 2 bytes [2A, 75]
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                           00000000752a14bb 2 bytes [2A, 75]
.text  ...                                                                                                                                                                  * 2
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                              00000000773bfc40 5 bytes JMP 000000010039091c
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                            00000000773bfda4 5 bytes JMP 0000000100390048
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                     00000000773bfe38 5 bytes JMP 00000001003902ee
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                  00000000773bff94 5 bytes JMP 00000001003904b2
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                          00000000773bffc8 5 bytes JMP 00000001003909fe
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                  00000000773bfff8 5 bytes JMP 0000000100390ae0
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                               00000000773c0014 2 bytes JMP 000000010002004c
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3                                                           00000000773c0017 2 bytes [C6, 88]
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                  00000000773c072c 5 bytes JMP 000000010039012a
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                      00000000773c081c 5 bytes JMP 0000000100390758
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                00000000773c0834 5 bytes JMP 0000000100390676
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                    00000000773c0d84 5 bytes JMP 00000001003903d0
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                              00000000773c18b0 5 bytes JMP 0000000100390594
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                          00000000773c1b74 5 bytes JMP 000000010039083a
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                 00000000773c1d00 5 bytes JMP 000000010039020c
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                000000007567524f 7 bytes JMP 0000000100390f52
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                    00000000756753d0 7 bytes JMP 00000001003a0210
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                   0000000075675677 1 byte JMP 00000001003a0048
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                   0000000075675679 5 bytes {JMP 0xffffffff8ad2a9d1}
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                          000000007567589a 7 bytes JMP 0000000100390ca6
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                          0000000075675a1d 7 bytes JMP 00000001003a03d8
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                     0000000075675c9b 7 bytes JMP 00000001003a012c
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                       0000000075675d87 7 bytes JMP 00000001003a02f4
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                      0000000075677240 7 bytes JMP 0000000100390e6e
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                     00000000766015ea 7 bytes JMP 00000001003a04bc
---- EOF - GMER 2.1 ----
Many thanks in advance
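The GMER output above lists user-mode inline hooks: for each process it names the patched module and export, the patched address, the number of overwritten bytes and where the inserted JMP lands. Reading sixty such lines by eye is error-prone, so here is an added example (my code, not part of the thread and not from GMER or its author) that parses those `.text` lines and compares the hook sets per process. The sample input consists of six lines copied from the log above; process names, PIDs, modules and addresses are taken from it, nothing else is assumed. The analysis point it demonstrates: when every listed process, including the scanner's own gmer executable, carries the identical set of hooked exports with JMP targets in one small private range per process, the hooks are being installed system-wide by a single component (an installed security product is a common source), whereas an export hooked in only one process is the entry worth a closer look.

```python
"""Added example: parse the user-mode hook lines of a GMER 2.x log and compare them per process."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: six hook lines plus the "* 2" continuation marker and the
# EOF line, copied from the GMER log posted above (column padding shortened).
SAMPLE_GMER_LOG = r"""
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess     00000000773bfc40 5 bytes JMP 00000001006d091c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread      00000000773c0014 2 bytes JMP 00000001006a004c
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3  00000000773c0017 2 bytes [2E, 89]
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[5920] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007567589a 7 bytes JMP 00000001006d0ca6
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                         00000000773bfc40 5 bytes JMP 000000010039091c
.text  C:\Users\xxx\Desktop\gmer_2.1.19163.exe[1068] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                     000000007567589a 7 bytes JMP 0000000100390ca6
.text  ...                                                                                                                     * 2
---- EOF - GMER 2.1 ----
"""

# One ".text" line: process image[PID], module!export [+ offset], address, "N bytes", patch.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<export>\w+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
# GMER writes the jump either as "JMP <hex>" or as "{JMP 0x<hex>}"; both forms are accepted.
JMP_RE = re.compile(r"\{?JMP\s+(?:0x)?([0-9a-fA-F]+)\}?")


@dataclass(frozen=True)
class Hook:
    image: str     # full path of the hooked process
    pid: int
    module: str    # full path of the patched module
    export: str    # exported function whose code was overwritten
    offset: int    # byte offset of the patch inside the export (0 = at the entry point)
    address: int   # virtual address of the patch
    size: int      # number of overwritten bytes
    patch: str     # text after the size: "JMP ..." or raw bytes such as "[2E, 89]"

    @property
    def process(self) -> str:
        return f"{self.image.rsplit(chr(92), 1)[-1]}[{self.pid}]"

    @property
    def key(self) -> str:
        """module!export, the unit compared across processes (offset lines fold into it)."""
        return f"{self.module.rsplit(chr(92), 1)[-1].lower()}!{self.export}"

    @property
    def jmp_target(self) -> Optional[int]:
        m = JMP_RE.search(self.patch)
        return int(m.group(1), 16) if m else None


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Return one Hook per ".text" line; "* 2" markers, the EOF line and blanks are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["export"],
                          int(m["offset"] or 0), int(m["address"], 16),
                          int(m["size"]), m["patch"]))
    return hooks


def hooks_by_process(hooks: List[Hook]) -> Dict[str, Set[str]]:
    by_proc: Dict[str, Set[str]] = defaultdict(set)
    for h in hooks:
        by_proc[h.process].add(h.key)
    return dict(by_proc)


def shared_hooks(hooks: List[Hook]) -> Set[str]:
    """Exports hooked in every process that appears in the log."""
    sets = list(hooks_by_process(hooks).values())
    return set.intersection(*sets) if sets else set()


def process_specific_hooks(hooks: List[Hook]) -> Dict[str, Set[str]]:
    """Exports hooked in some processes but not all: the entries worth a closer look."""
    common = shared_hooks(hooks)
    return {p: s - common for p, s in hooks_by_process(hooks).items() if s - common}


def report(text: str) -> str:
    hooks = parse_gmer_hooks(text)
    per_proc = hooks_by_process(hooks)
    lines = [f"{len(hooks)} hook entries in {len(per_proc)} processes"]
    for proc, keys in sorted(per_proc.items()):
        targets = [h.jmp_target for h in hooks if h.process == proc and h.jmp_target is not None]
        span = f"JMP targets 0x{min(targets):x}..0x{max(targets):x}" if targets else "no JMP targets"
        lines.append(f"  {proc}: {len(keys)} hooked exports, {span}")
    lines.append("shared by every process: " + ", ".join(sorted(shared_hooks(hooks))))
    for proc, extra in sorted(process_specific_hooks(hooks).items()):
        lines.append(f"only in {proc}: " + ", ".join(sorted(extra)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GMER_LOG))
```

Run as-is it prints the per-process summary for the six sample lines; point `report()` at the full log text instead to get the same comparison over every process GMER listed. On the sample, the only export not shared by both processes is `ntdll.dll!NtTerminateThread`, and even that is present in the full log for both soffice.bin and gmer, so the full log yields no process-specific hooks at all.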
01.06.2013, 18:57 | #2
/// the machine /// TB-Ausbilder | System keeps freezing, recently switched antivirus program

Hi,

Combofix should only be run when a team member has instructed you to do so! Please download Combofix from the following download mirror: Link 1. IMPORTANT: save Combofix to your desktop.

When Combofix has finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: should you get the following error message after the restart, Quote: