
Log analysis and evaluation: Win32.downloader.gen still on the system after a system restore?

Windows 7

14.08.2013, 19:57   #1
TobiT
 



Hello,

first of all, I would like to thank you very much for the opportunity to turn to you here with virus problems!

A few days ago I evidently caught a virus. The symptoms were that my Dropbox and my internet radio no longer had a connection to the internet, and the real-time scanners of my antivirus programs (Avira Antivir and Avast) were switched off and could not be switched back on.

After neither antivirus program had detected anything in a system check either, I set my PC back to a system restore point from before the above symptoms appeared. The symptoms were then gone. Only after this system restore did I remember that I also have Spybot S&D, and I had that program run a check as well. It did in fact find win32.downloader.gen as a virus, which I then had it put into quarantine.

Now I am wondering whether my approach of doing a system restore was appropriate and everything is now really gone, or whether the virus is still somehow working in the background. For that reason I would be very grateful if someone could take a look at my log files.

Since this post became too long, I have attached the log files (Addition, Defogger, FRST, GMER, and Spybot Search&Destroy with the virus detection).


Many thanks and best regards,
Tobias

14.08.2013, 20:03   #2
schrauber
/// the machine
/// TB instructor
 




hi,

please post the logs individually in code tags.

This is how it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
  • Select the entire log file (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] will appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is right ... click Reply.

14.08.2013, 21:58   #3
TobiT
 



Hello Schrauber,

thanks for the quick reply. I had first tried to embed the logs directly, but received the error message that the text would be too long. Here are the logs (probably across several posts):

Defogger:

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:36 on 14/08/2013 (*****)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

FRST:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-08-2013 01
Ran by ***** (administrator) on 14-08-2013 18:38:29
Running from C:\Users\*****\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVM Berlin) C:\Program Files (x86)\avmwlanstick\WlanNetService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot\SDWinSec.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot\TeaTimer.exe
(Miranda Fusion Team) C:\Program Files (x86)\MirandaFusion\fusiontools\mfstart.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
() C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
(AVM Berlin) C:\Program Files (x86)\avmwlanstick\WLanGUI.exe
(Huawei Technologies Co., Ltd.) C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
(modified by Miranda Fusion Team) C:\Program Files (x86)\MirandaFusion\miranda32.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office10\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(VideoLAN) C:\Program Files (x86)\VideoLAN\VLC\vlc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9642528 2010-02-24] (Realtek Semiconductor)
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [Miranda Fusion] - C:\Program Files (x86)\MirandaFusion\fusiontools\mfstart.exe [1122241 2012-06-12] (Miranda Fusion Team)
MountPoints2: {29dd3d41-1552-11e1-9d74-00040ecdc758} - F:\AutoRun.exe
MountPoints2: {29dd3d53-1552-11e1-9d74-00040ecdc758} - F:\AutoRun.exe
MountPoints2: {6934a817-04e2-11e1-a98b-00040ecdc758} - K:\autorun.exe
MountPoints2: {a21bcb20-7028-11e0-b5f7-4487fcf2d3f2} - M:\pushinst.exe
HKLM-x32\...\Run: [SuiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-25] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-25] (Egis Technology Inc.)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()
HKLM-x32\...\Run: [MDS_Menu] - C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [ArcadeMovieService] - C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe [124136 2010-02-05] (CyberLink Corp.)
HKLM-x32\...\Run: [AVMWlanClient] - C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-22] (AVM Berlin)
HKLM-x32\...\Run: [DataCardMonitor] - C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe [253952 2011-11-22] (Huawei Technologies Co., Ltd.)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4767304 2013-03-07] (AVAST Software)
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-03-28] (DivX, LLC)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-13] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-15] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-15] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}\Icon09DB8A851.exe ()
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\*****\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_m5910&r=17360411c106pe475v105w6751u50q
URLSearchHook: (No Name) - {09152f0b-739c-4dec-a245-1aa8a37594f1} -  No File
SearchScopes: HKLM-x32 - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3197087
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3197087
SearchScopes: HKCU - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3197087
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3197087
BHO: avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: PDF Architect Helper - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Spybot\SDHelper.dll (Safer Networking Limited)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: SwissAcademic.Citavi.Picker.IEPicker - {609D670F-B735-4da7-AC6D-F3BD358E325E} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKLM-x32 - PDF Architect Toolbar - {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files (x86)\PDF Architect\PDFIEPlugin.dll (pdfforge GbR)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: msdaipp - No CLSID Value - 
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: msdaipp - No CLSID Value - 
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Winsock: Catalog9 01 bmnet.dll File Not found ()
Winsock: Catalog9 02 bmnet.dll File Not found ()
Winsock: Catalog9 03 bmnet.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [{8AA36F4F-6DC7-4c06-77AF-5035170634FE}] C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox
FF Extension: Citavi Picker - C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! WebRep - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt

==================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [45248 2013-03-07] (AVAST Software)
R2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-22] (AVM Berlin)
R2 CVPND; C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe [1529856 2011-03-04] (Cisco Systems, Inc.)
R2 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-02-03] ()
R2 SBSDWSCService; C:\Program Files (x86)\Spybot\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-03-07] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-03-07] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [70992 2013-03-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-03-07] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1025808 2013-03-07] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [377920 2013-03-07] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [68920 2013-03-07] (AVAST Software)
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178624 2013-03-07] ()
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-04-26] ()
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-08] (Avira GmbH)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-09-16] (Avira GmbH)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2011-11-02] (DT Soft Ltd)
R3 FWLANUSB; C:\Windows\System32\DRIVERS\fwlanusb.sys [460800 2010-10-22] (AVM GmbH)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-04-26] ()
S1 tcpipBM; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-14 18:37 - 2013-08-14 18:37 - 01575570 _____ (Farbar) C:\Users\*****\Desktop\FRST64.exe
2013-08-14 18:36 - 2013-08-14 18:36 - 00000480 _____ C:\Users\*****\Desktop\defogger_disable.log
2013-08-14 18:36 - 2013-08-14 18:36 - 00000000 _____ C:\Users\*****\defogger_reenable
2013-08-14 18:34 - 2013-08-14 18:34 - 00050477 _____ C:\Users\*****\Desktop\Defogger.exe
2013-08-14 18:23 - 2013-08-14 18:23 - 00001070 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-14 18:16 - 2013-08-14 18:29 - 00025088 ____H C:\Users\*****\Desktop\~WRL0004.tmp
2013-08-14 18:16 - 2013-08-14 18:16 - 00024576 ____H C:\Users\*****\Desktop\~WRL0002.tmp
2013-08-14 18:12 - 2013-07-26 07:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-14 18:12 - 2013-07-26 07:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-14 18:12 - 2013-07-26 07:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-08-14 18:12 - 2013-07-26 07:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-08-14 18:12 - 2013-07-26 05:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-14 18:12 - 2013-07-26 05:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 18:12 - 2013-07-26 05:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 18:12 - 2013-07-26 05:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 18:12 - 2013-07-26 05:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 18:12 - 2013-07-26 04:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 18:12 - 2013-07-26 04:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-08-14 18:12 - 2013-07-26 03:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 18:03 - 2013-08-14 18:03 - 23003252 _____ C:\Users\*****\Downloads\vlc-2.0.8-win32.exe
2013-08-14 17:59 - 2013-08-14 17:59 - 00002023 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-08-14 17:37 - 2013-07-09 07:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 17:37 - 2013-07-09 06:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 17:36 - 2013-07-25 11:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-08-14 17:36 - 2013-07-25 10:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 17:36 - 2013-07-19 03:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-14 17:36 - 2013-07-19 03:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 17:36 - 2013-07-09 08:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 17:36 - 2013-07-09 07:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 17:36 - 2013-07-09 07:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-08-14 17:36 - 2013-07-09 07:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 17:36 - 2013-07-09 07:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 17:36 - 2013-07-09 07:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 17:36 - 2013-07-09 06:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 17:36 - 2013-07-09 06:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 17:36 - 2013-07-09 06:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 17:36 - 2013-07-09 04:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 17:36 - 2013-07-09 04:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 17:36 - 2013-07-09 04:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 17:36 - 2013-07-09 04:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 17:36 - 2013-07-06 08:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 17:36 - 2013-06-15 06:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-08-13 18:08 - 2013-08-13 18:08 - 00002077 _____ C:\Users\*****\Desktop\Entfernen des Avira DE-Cleaners.lnk
2013-08-13 18:08 - 2013-08-13 18:08 - 00002006 _____ C:\Users\*****\Desktop\Avira DE-Cleaner.lnk
2013-08-13 14:45 - 2013-08-13 18:06 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-13 13:53 - 2013-08-13 13:54 - 00883840 _____ C:\Users\*****\Downloads\Avira-DE100-Cleaner.exe
2013-08-13 13:52 - 2013-08-13 13:54 - 78816192 _____ (                                                            ) C:\Users\*****\Downloads\de_cleaner_kaspersky.exe
2013-08-12 22:18 - 2013-08-14 18:06 - 00000000 ____D C:\Windows\system32\MRT
2013-08-06 19:53 - 2013-08-06 19:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\Avira
2013-07-30 14:50 - 2013-07-30 14:52 - 00000000 ____D C:\Users\*****\Desktop***** tasse
2013-07-24 10:27 - 2013-07-24 10:27 - 01069944 _____ (Solid State Networks) C:\Users\*****\Downloads\install_reader11_de_mssd_aaa_aih.exe
2013-07-23 14:35 - 2013-07-23 15:48 - 00013824 _____ C:\Users\*****\Documents\Gebfeier 2013_Teilnahmeliste.xls

==================== One Month Modified Files and Folders =======

2013-08-14 18:37 - 2013-08-14 18:37 - 01575570 _____ (Farbar) C:\Users\*****\Desktop\FRST64.exe
2013-08-14 18:36 - 2013-08-14 18:36 - 00000480 _____ C:\Users\*****\Desktop\defogger_disable.log
2013-08-14 18:36 - 2013-08-14 18:36 - 00000000 _____ C:\Users\*****\defogger_reenable
2013-08-14 18:36 - 2011-04-26 18:53 - 00000000 ____D C:\Users\*****
2013-08-14 18:34 - 2013-08-14 18:34 - 00050477 _____ C:\Users\*****\Desktop\Defogger.exe
2013-08-14 18:29 - 2013-08-14 18:16 - 00025088 ____H C:\Users\*****\Desktop\~WRL0004.tmp
2013-08-14 18:26 - 2013-03-23 12:52 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-14 18:26 - 2009-07-14 06:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-14 18:26 - 2009-07-14 06:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-14 18:25 - 2011-04-27 04:23 - 00654150 _____ C:\Windows\system32\perfh007.dat
2013-08-14 18:25 - 2011-04-27 04:23 - 00130022 _____ C:\Windows\system32\perfc007.dat
2013-08-14 18:25 - 2009-07-14 07:13 - 01498742 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-14 18:23 - 2013-08-14 18:23 - 00001070 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-14 18:21 - 2011-04-26 20:17 - 00148856 _____ C:\Windows\wininit.ini
2013-08-14 18:20 - 2011-05-22 14:18 - 00001106 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-14 18:20 - 2011-04-26 20:02 - 00000000 ____D C:\Users\*****\AppData\Roaming\Dropbox
2013-08-14 18:19 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-14 18:18 - 2012-03-24 01:03 - 00096628 _____ C:\Windows\PFRO.log
2013-08-14 18:18 - 2011-12-14 19:59 - 00052555 _____ C:\Windows\setupact.log
2013-08-14 18:16 - 2013-08-14 18:16 - 00024576 ____H C:\Users\*****\Desktop\~WRL0002.tmp
2013-08-14 18:16 - 2011-04-26 21:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\vlc
2013-08-14 18:16 - 2011-04-26 18:40 - 01293521 _____ C:\Windows\WindowsUpdate.log
2013-08-14 18:08 - 2013-08-12 22:18 - 00000000 ____D C:\Windows\system32\MRT
2013-08-14 18:06 - 2011-04-29 12:04 - 78161360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-08-14 18:04 - 2011-05-22 14:18 - 00001110 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-14 18:03 - 2013-08-14 18:03 - 23003252 _____ C:\Users\*****\Downloads\vlc-2.0.8-win32.exe
2013-08-14 18:02 - 2011-04-26 19:41 - 00000000 ____D C:\Users\*****~1\AppData\Local\Adobe
2013-08-14 17:59 - 2013-08-14 17:59 - 00002023 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-08-14 17:58 - 2010-05-12 14:25 - 00000000 ____D C:\ProgramData\Adobe
2013-08-14 17:58 - 2010-05-12 14:25 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-08-13 23:22 - 2011-09-12 21:30 - 00003958 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E0CB425A-65F4-4C06-90FA-73791B2C1B6D}
2013-08-13 18:08 - 2013-08-13 18:08 - 00002077 _____ C:\Users\*****\Desktop\Entfernen des Avira DE-Cleaners.lnk
2013-08-13 18:08 - 2013-08-13 18:08 - 00002006 _____ C:\Users\*****\Desktop\Avira DE-Cleaner.lnk
2013-08-13 18:08 - 2011-04-26 18:57 - 00000000 ___RD C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-13 18:06 - 2013-08-13 14:45 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-13 13:54 - 2013-08-13 13:53 - 00883840 _____ C:\Users\*****\Downloads\Avira-DE100-Cleaner.exe
2013-08-13 13:54 - 2013-08-13 13:52 - 78816192 _____ (                                                            ) C:\Users\*****\Downloads\de_cleaner_kaspersky.exe
2013-08-13 07:28 - 2011-04-26 20:02 - 00000000 ____D C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-08-13 07:28 - 2011-04-26 19:50 - 00000000 ____D C:\Program Files (x86)\MirandaFusion
2013-08-13 07:28 - 2011-04-26 19:32 - 00000000 ____D C:\Program Files (x86)\Spybot
2013-08-13 07:28 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2013-08-13 07:28 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\AppCompat
2013-08-13 07:27 - 2012-03-24 01:05 - 00000000 ____D C:\ProgramData\Avira
2013-08-13 07:27 - 2012-03-24 01:05 - 00000000 ____D C:\Program Files (x86)\Avira
2013-08-13 07:27 - 2011-04-26 20:05 - 00000000 ___RD C:\Users\*****\Dropbox
2013-08-12 21:32 - 2012-08-31 14:38 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2013-08-12 21:32 - 2012-08-31 14:38 - 00001926 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-08-12 21:32 - 2011-07-06 08:26 - 00000000 _____ C:\Windows\SysWOW64\config.nt
2013-08-12 21:31 - 2011-04-26 19:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-08-08 19:09 - 2012-06-25 22:21 - 00016896 _____ C:\Users\*****\Documents\Festivalmitnahmeliste.xls
2013-08-06 22:08 - 2012-02-06 17:26 - 00000000 ____D C:\Users\*****\Documents\CVs
2013-08-06 19:53 - 2013-08-06 19:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\Avira
2013-08-01 21:49 - 2013-07-14 13:39 - 00000000 ____D C:\Users\*****\Documents\Orte
2013-08-01 12:36 - 2012-03-30 15:26 - 00002272 ____H C:\Users\*****\Documents\Default.rdp
2013-07-30 14:52 - 2013-07-30 14:50 - 00000000 ____D C:\Users\*****\Desktop\***** tasse
2013-07-27 12:39 - 2011-05-09 22:02 - 00000000 ____D C:\Users\*****\Documents\Finanzen
2013-07-26 07:13 - 2013-08-14 18:12 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-26 07:13 - 2013-08-14 18:12 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-26 07:13 - 2013-08-14 18:12 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-07-26 07:12 - 2013-08-14 18:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-07-26 05:35 - 2013-08-14 18:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-26 05:13 - 2013-08-14 18:12 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-26 05:13 - 2013-08-14 18:12 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-26 05:11 - 2013-08-14 18:12 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-26 05:11 - 2013-08-14 18:12 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-26 04:49 - 2013-08-14 18:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-26 04:39 - 2013-08-14 18:12 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-07-26 03:59 - 2013-08-14 18:12 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-25 11:25 - 2013-08-14 17:36 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-25 10:57 - 2013-08-14 17:36 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-24 10:27 - 2013-07-24 10:27 - 01069944 _____ (Solid State Networks) C:\Users\*****\Downloads\install_reader11_de_mssd_aaa_aih.exe
2013-07-23 15:48 - 2013-07-23 14:35 - 00013824 _____ C:\Users\*****\Documents\Gebfeier 2013_Teilnahmeliste.xls
2013-07-19 03:58 - 2013-08-14 17:36 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-07-19 03:41 - 2013-08-14 17:36 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-07-16 23:44 - 2013-03-23 12:52 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-16 23:44 - 2012-03-31 10:07 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-16 23:44 - 2011-05-19 09:00 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-16 11:49 - 2009-07-14 07:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-13 01:45

==================== End Of Log ============================


Addition:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-08-2013 01
Ran by ***** at 2013-08-14 18:39:16
Running from C:\Users\*****\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

   
Acer Arcade Deluxe (x32 Version: 4.1.7405)
Acer Arcade Movie (x32 Version: 9.0.6205)
Acer eRecovery Management (x32 Version: 4.05.3007)
Acer GameZone Console (x32 Version: 6.1.0.2)
Acer Registration (x32 Version: 1.02.3006)
Acer ScreenSaver (x32 Version: 1.1.0318.2010)
Acer Updater (x32 Version: 1.02.3001)
Acrobat.com (x32 Version: 1.6.65)
Adobe AIR (x32 Version: 3.7.0.2090)
Adobe Flash Player 11 ActiveX (x32 Version: 11.8.800.94)
Adobe Flash Player 11 Plugin (x32 Version: 11.8.800.94)
Adobe Reader XI (11.0.03) - Deutsch (x32 Version: 11.0.03)
Advertising Center (x32 Version: 0.0.0.2)
Amazonia (x32)
AMD Accelerated Video Transcoding (Version: 12.5.100.20928)
AMD APP SDK Runtime (Version: 10.0.1016.4)
AMD Catalyst Install Manager (Version: 8.0.903.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Media Foundation Decoders (Version: 1.0.70928.1539)
Anno 1404 (x32 Version: 1.00.0000)
ANNO 1404 (x32 Version: 1.03.0000)
Apple Application Support (x32 Version: 2.3.4)
Apple Mobile Device Support (Version: 4.0.0.96)
Apple Software Update (x32 Version: 2.1.3.127)
ARIS EXPRESS (x32 Version: 2.4)
ATI AVIVO64 Codecs (Version: 10.12.0.00113)
Audacity 1.3.13 (Unicode) (x32)
avast! Free Antivirus (x32 Version: 8.0.1483.0)
Avira Free Antivirus (x32 Version: 13.0.0.3885)
AVM FRITZ!WLAN (x32)
Bonjour (Version: 3.0.0.10)
Cake Mania (x32)
Catalyst Control Center - Branding (x32 Version: 1.00.0000)
Catalyst Control Center (x32 Version: 2012.1219.1521.27485)
Catalyst Control Center Graphics Previews Common (x32 Version: 2012.1219.1521.27485)
Catalyst Control Center InstallProxy (x32 Version: 2010.0113.2208.39662)
Catalyst Control Center InstallProxy (x32 Version: 2012.1219.1521.27485)
Catalyst Control Center Localization All (x32 Version: 2012.1219.1521.27485)
CCC Help Chinese Standard (x32 Version: 2012.1219.1520.27485)
CCC Help Chinese Traditional (x32 Version: 2012.1219.1520.27485)
CCC Help Czech (x32 Version: 2012.1219.1520.27485)
CCC Help Danish (x32 Version: 2012.1219.1520.27485)
CCC Help Dutch (x32 Version: 2012.1219.1520.27485)
CCC Help English (x32 Version: 2012.1219.1520.27485)
CCC Help Finnish (x32 Version: 2012.1219.1520.27485)
CCC Help French (x32 Version: 2012.1219.1520.27485)
CCC Help German (x32 Version: 2012.1219.1520.27485)
CCC Help Greek (x32 Version: 2012.1219.1520.27485)
CCC Help Hungarian (x32 Version: 2012.1219.1520.27485)
CCC Help Italian (x32 Version: 2012.1219.1520.27485)
CCC Help Japanese (x32 Version: 2012.1219.1520.27485)
CCC Help Korean (x32 Version: 2012.1219.1520.27485)
CCC Help Norwegian (x32 Version: 2012.1219.1520.27485)
CCC Help Polish (x32 Version: 2012.1219.1520.27485)
CCC Help Portuguese (x32 Version: 2012.1219.1520.27485)
CCC Help Russian (x32 Version: 2012.1219.1520.27485)
CCC Help Spanish (x32 Version: 2012.1219.1520.27485)
CCC Help Swedish (x32 Version: 2012.1219.1520.27485)
CCC Help Thai (x32 Version: 2012.1219.1520.27485)
CCC Help Turkish (x32 Version: 2012.1219.1520.27485)
ccc-utility64 (Version: 2012.1219.1521.27485)
Cisco Systems VPN Client 5.0.07.0440 (Version: 5.0.7)
Citavi (x32 Version: 3.1.0.0)
DAEMON Tools Lite (x32 Version: 4.41.3.0173)
Dairy Dash (x32)
Diablo III (x32 Version: 1.0.3.10485)
DivX-Setup (x32 Version: 2.6.1.28)
Dream Day First Home (x32)
Dropbox (HKCU Version: 2.0.22)
eaner (Version: 3.19)
eBay Worldwide (x32 Version: 2.1.0901)
Farm Frenzy 2 (x32)
FLV Player 2.0 (build 25) (x32 Version: 2.0 (build 25))
Free YouTube to MP3 Converter version 3.11.17.319 (x32 Version: 3.11.17.319)
Galapago (x32)
Google Update Helper (x32 Version: 1.3.21.153)
Granny In Paradise (x32)
Haali Media Splitter (x32)
Heroes of Hellas (x32)
High-Definition Video Playback (x32 Version: 7.3.10800.5.0)
Hotkey Utility (x32 Version: 2.05.3009)
Identity Card (x32 Version: 1.00.3003)
ImagXpress (x32 Version: 7.0.74.0)
iTunes (Version: 10.5.0.142)
Java 7 Update 25 (x32 Version: 7.0.250)
Java Auto Updater (x32 Version: 2.1.9.5)
Junk Mail filter update (x32 Version: 14.0.8089.726)
LAME v3.98.3 for Audacity (x32)
Mass Effect (x32 Version: 1.00)
Mass Effect 2 (x32 Version: 1.02)
MediaShow Espresso (x32 Version: 5.5.1403_23691)
Medieval II Total War (x32 Version: 1.03.000)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Choice Guard (x32 Version: 2.0.48.0)
Microsoft Office Live Add-in 1.5 (x32 Version: 2.0.4024.1)
Microsoft Office XP Professional mit FrontPage (x32 Version: 10.0.6626.0)
Microsoft Silverlight (Version: 5.1.20513.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (x32 Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Miranda Fusion 3.2.4.0 (x32 Version: 3.2.4.0)
Mozilla Firefox 22.0 (x86 de) (x32 Version: 22.0)
Mozilla Maintenance Service (x32 Version: 22.0)
MSVCRT (x32 Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0)
MyWinLocker (x32 Version: 3.1.206.0)
MyWinLocker Suite (x32 Version: 3.1.206.0)
Nero 10 Menu TemplatePack Basic (x32 Version: 10.6.10000.0.0)
Nero 10 Movie ThemePack Basic (x32 Version: 10.6.10000.1.0)
Nero 6 Demo (32-bit) (x32)
Nero 9 Essentials (x32)
Nero BackItUp 10 Help (CHM) (x32 Version: 10.6.10600)
Nero BurningROM 10 Help (CHM) (x32 Version: 10.6.10600)
Nero BurnRights 10 Help (CHM) (x32 Version: 10.6.10600)
Nero Control Center 10 (x32 Version: 10.6.12600.0.5)
Nero ControlCenter (x32 Version: 9.0.0.1)
Nero ControlCenter 10 Help (CHM) (x32 Version: 10.6.10700)
Nero Core Components 10 (x32 Version: 2.0.19800.9.10)
Nero CoverDesigner 10 Help (CHM) (x32 Version: 10.6.10600)
Nero DiscSpeed (x32 Version: 5.4.13.100)
Nero DiscSpeed 10 Help (CHM) (x32 Version: 10.6.10600)
Nero DiscSpeed Help (x32 Version: 5.4.4.100)
Nero Dolby Files 10 (x32 Version: 2.0.13000.0.10)
Nero DriveSpeed (x32 Version: 4.4.12.100)
Nero DriveSpeed Help (x32 Version: 4.4.4.100)
Nero Express 10 Help (CHM) (x32 Version: 10.6.10600)
Nero Express Help (x32 Version: 9.6.2.101)
Nero InfoTool (x32 Version: 6.4.12.100)
Nero InfoTool 10 Help (CHM) (x32 Version: 10.6.10600)
Nero InfoTool Help (x32 Version: 6.4.4.100)
Nero Installer (x32 Version: 4.4.9.0)
Nero Multimedia Suite 10 (x32 Version: 10.6.11300)
Nero Online Upgrade (x32 Version: 1.3.0.0)
Nero Recode 10 (x32 Version: 4.10.10600.4.100)
Nero Recode 10 Help (CHM) (x32 Version: 10.6.10600)
Nero RescueAgent 10 (x32 Version: 3.6.10500.3.100)
Nero RescueAgent 10 Help (CHM) (x32 Version: 10.6.10700)
Nero SoundTrax 10 (x32 Version: 4.10.10300.2.100)
Nero SoundTrax 10 Help (CHM) (x32 Version: 10.6.10600)
Nero StartSmart (x32 Version: 9.4.37.100)
Nero StartSmart 10 (x32 Version: 10.6.10400.2.100)
Nero StartSmart 10 Help (CHM) (x32 Version: 10.6.10600)
Nero StartSmart Help (x32 Version: 9.4.27.100)
Nero StartSmart OEM (x32 Version: 9.16.0.100)
Nero Update (x32 Version: 1.0.10900.31.0)
Nero Vision 10 (x32 Version: 7.4.10800.7.100)
Nero Vision 10 Help (CHM) (x32 Version: 10.6.10600)
Nero WaveEditor 10 (x32 Version: 5.10.10400.3.100)
Nero WaveEditor 10 Help (CHM) (x32 Version: 10.6.10600)
NeroExpress (x32 Version: 9.4.33.100)
NeroKwikMedia Help (CHM) (x32 Version: 10.6.10700)
neroxml (x32 Version: 1.0.0)
NVIDIA PhysX (x32 Version: 9.10.0513)
PDF Architect (x32 Version: 1.0.52.8917)
PDFCreator (x32 Version: 1.6.2)
QuickTime (x32 Version: 7.74.80.86)
Realtek Ethernet Controller Driver For Windows 7 (x32 Version: 7.17.304.2010)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.5995)
REALTEK Wireless LAN Driver (x32 Version: 1.01.0094)
Recuva (Version: 1.43)
Risen (x32 Version: 1.00.0000)
Risen 2 - Dark Waters (x32)
Rome - Total War - Gold Edition (x32 Version: 1.6)
Shredder (Version: 2.0.5.0)
Shredder (x32 Version: 2.0.5.0)
Sid Meier's Civilization 4 (x32 Version: 1.00.0000)
SimCity 4 Rush Hour (x32)
Skype™ 6.0 (x32 Version: 6.0.126)
Spin & Win (x32)
Spybot - Search & Destroy (x32 Version: 1.6.2)
Steam (x32 Version: 1.0.0.0)
TrueCrypt (x32 Version: 7.0a)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1)
VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0)
VLC media player 2.0.8 (x32 Version: 2.0.8)
VoiceOver Kit (x32 Version: 1.40.128.0)
WebMon (x32)
web'n'walk Manager (x32 Version: 11.002.03.00.108)
Welcome Center (x32 Version: 1.00.3013)
Windows Live Anmelde-Assistent (x32 Version: 5.000.818.5)
Windows Live Call (x32 Version: 14.0.8064.0206)
Windows Live Communications Platform (x32 Version: 14.0.8064.206)
Windows Live Essentials (x32 Version: 14.0.8089.0726)
Windows Live Essentials (x32 Version: 14.0.8089.726)
Windows Live Fotogalerie (x32 Version: 14.0.8081.709)
Windows Live Mail (x32 Version: 14.0.8089.0726)
Windows Live Messenger (x32 Version: 14.0.8089.0726)
Windows Live Movie Maker (x32 Version: 14.0.8091.0730)
Windows Live Sync (x32 Version: 14.0.8089.726)
Windows Live Writer (x32 Version: 14.0.8089.0726)
Windows Live-Uploadtool (x32 Version: 14.0.8014.1029)
WinRAR archiver (x32)

==================== Restore Points  =========================

05-08-2013 11:45:54 Windows-Sicherung
06-08-2013 17:38:43 Windows Update
12-08-2013 16:54:39 Windows-Sicherung
12-08-2013 19:35:59 Windows Update
12-08-2013 19:41:33 Windows-Sicherung
12-08-2013 20:11:00 Windows Update
14-08-2013 16:05:46 Windows Update

==================== Hosts content: ==========================

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {29CB220F-AED5-447C-BA0D-2BD406FB5C44} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => c:\program files\windows defender\MpCmdRun.exe [2009-07-14] (Microsoft Corporation)
Task: {3D229706-BB80-42B3-B6A3-ABE214549ECA} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2013-03-07] (AVAST Software)
Task: {4EB74598-67A0-4061-9397-851FE525C083} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-05-22] (Google Inc.)
Task: {5FF1BF7D-BF9E-4679-B1A2-6351EA1E69A0} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2009-07-14] (Microsoft Corporation)
Task: {9CFE53BF-7442-4E85-B20E-097BFB10E19D} - System32\Tasks\User_Feed_Synchronization-{E0CB425A-65F4-4C06-90FA-73791B2C1B6D} => C:\Windows\system32\msfeedssync.exe [2013-04-25] (Microsoft Corporation)
Task: {9D34EE99-7F58-4639-872C-84A77BB27AA7} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {A4A1CC63-9AD7-4214-8A6C-ECDF668A7093} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => C:\Windows\system32\rundll32.exe [2009-07-14] (Microsoft Corporation)
Task: {BE09A126-E2DB-4E29-B488-E256A418761A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-05-22] (Google Inc.)
Task: {E53C9C5B-4755-47FB-A218-5982A86CCA2B} - System32\Tasks\Microsoft\Windows\WindowsBackup\Windows Backup Monitor => C:\Windows\system32\sdclt.exe [2010-11-20] (Microsoft Corporation)
Task: {F0B489B3-223F-468F-8B3C-D658DC577024} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-16] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Faulty Device Manager Devices =============

Name: Cisco Systems VPN Adapter for 64-bit Windows
Description: Cisco Systems VPN Adapter for 64-bit Windows
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Microsoft PS/2-Maus
Description: Microsoft PS/2-Maus
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/14/2013 00:35:22 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "assemblyIdentity1". Fehler in Manifest- oder Richtliniendatei "assemblyIdentity2" in Zeile assemblyIdentity3.
Der Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.

Error: (08/14/2013 00:33:50 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1". Fehler in Manifest- oder Richtliniendatei "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" in Zeile  WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein.
Verweis: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition: WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose.

Error: (08/13/2013 02:06:19 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: SpybotSD.exe, Version: 1.6.2.46, Zeitstempel: 0x2a425e19
Name des fehlerhaften Moduls: SpybotSD.exe, Version: 1.6.2.46, Zeitstempel: 0x2a425e19
Ausnahmecode: 0xc0000005
Fehleroffset: 0x000049ee
ID des fehlerhaften Prozesses: 0x678
Startzeit der fehlerhaften Anwendung: 0xSpybotSD.exe0
Pfad der fehlerhaften Anwendung: SpybotSD.exe1
Pfad des fehlerhaften Moduls: SpybotSD.exe2
Berichtskennung: SpybotSD.exe3

Error: (08/13/2013 01:48:52 AM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1". Fehler in Manifest- oder Richtliniendatei "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" in Zeile  WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Die im Manifest gefundene Komponenten-ID stimmt nicht mit der ID der angeforderten Komponente überein.
Verweis: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition: WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Verwenden Sie das Programm "sxstrace.exe" für eine detaillierte Diagnose.

Error: (08/12/2013 09:45:03 PM) (Source: Windows Backup) (User: )
Description: Die Sicherung war nicht erfolgreich. Fehler: "Auf diesem Laufwerk ist nicht genügend Speicherplatz zum Speichern der Sicherung verfügbar. Löschen Sie ältere Sicherungen und nicht benötigte Daten, um Speicherplatz freizugeben, oder ändern Sie die Sicherungseinstellungen. (0x81000005)"

Error: (08/12/2013 09:35:05 PM) (Source: Application Error) (User: )
Description: Name der fehlerhaften Anwendung: svchost.exe_p2pimsvc, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc3c1
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.17725, Zeitstempel: 0x4ec4aa8e
Ausnahmecode: 0xc0000008
Fehleroffset: 0x00000000000cd7d8
ID des fehlerhaften Prozesses: 0xba4
Startzeit der fehlerhaften Anwendung: 0xsvchost.exe_p2pimsvc0
Pfad der fehlerhaften Anwendung: svchost.exe_p2pimsvc1
Pfad des fehlerhaften Moduls: svchost.exe_p2pimsvc2
Berichtskennung: svchost.exe_p2pimsvc3

Error: (08/09/2013 08:26:34 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Vom Kryptografiedienst konnte das VSS-Sicherungsobjekt "System Writer" nicht initialisiert werden.


Details:
Could not query the status of the EventSystem service.

System Error:
Der Computer wird heruntergefahren.
.

Error: (08/07/2013 11:52:22 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2137760

Error: (08/07/2013 11:52:22 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2137760

Error: (08/07/2013 11:52:22 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


System errors:
=============
Error: (08/14/2013 06:19:21 PM) (Source: Service Control Manager) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
tcpipBM

Error: (08/14/2013 06:18:17 PM) (Source: Application Popup) (User: )
Description: Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\Drivers\tcpipBM.SYS nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version des Treibers zu erhalten.

Error: (08/14/2013 05:26:16 PM) (Source: Service Control Manager) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
tcpipBM

Error: (08/14/2013 05:25:47 PM) (Source: Application Popup) (User: )
Description: Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\Drivers\tcpipBM.SYS nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version des Treibers zu erhalten.

Error: (08/13/2013 11:19:23 PM) (Source: Service Control Manager) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
tcpipBM

Error: (08/13/2013 11:18:19 PM) (Source: Application Popup) (User: )
Description: Aufgrund der Inkompatibilität mit diesem System wurde \SystemRoot\SysWow64\Drivers\tcpipBM.SYS nicht geladen. Wenden Sie sich an den Softwarehersteller, um eine kompatible Version des Treibers zu erhalten.

Error: (08/13/2013 01:56:00 PM) (Source: FWLANUSB) (User: )
Description: AVM FRITZ!WLAN USB Stick v1.1 : Fehlfunktion des Netzwerkadapters wurde ermittelt.

Error: (08/13/2013 01:05:29 AM) (Source: Service Control Manager) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
tcpipBM

Error: (08/13/2013 01:05:19 AM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Cyberlink RichVideo Service(CRVS)" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%1053

Error: (08/13/2013 01:05:19 AM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Cyberlink RichVideo Service(CRVS) erreicht.


Microsoft Office Sessions:
=========================
Error: (08/14/2013 00:35:22 AM) (Source: SideBySide)(User: )
Description: assemblyIdentitylanguage*c:\program files (x86)\Spybot\DelZip179.dllc:\program files (x86)\Spybot\DelZip179.dll8

Error: (08/14/2013 00:33:50 AM) (Source: SideBySide)(User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"c:\program files (x86)\windows live\photo gallery\MovieMaker.Exec:\program files (x86)\windows live\photo gallery\WLMFDS.DLL8

Error: (08/13/2013 02:06:19 PM) (Source: Application Error)(User: )
Description: SpybotSD.exe1.6.2.462a425e19SpybotSD.exe1.6.2.462a425e19c0000005000049ee67801ce981d8127f035C:\Program Files (x86)\Spybot\SpybotSD.exeC:\Program Files (x86)\Spybot\SpybotSD.exec2d097e4-0410-11e3-a428-00040ecdc758

Error: (08/13/2013 01:48:52 AM) (Source: SideBySide)(User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"c:\program files (x86)\windows live\photo gallery\MovieMaker.Exec:\program files (x86)\windows live\photo gallery\WLMFDS.DLL8

Error: (08/12/2013 09:45:03 PM) (Source: Windows Backup)(User: )
Description: Auf diesem Laufwerk ist nicht genügend Speicherplatz zum Speichern der Sicherung verfügbar. Löschen Sie ältere Sicherungen und nicht benötigte Daten, um Speicherplatz freizugeben, oder ändern Sie die Sicherungseinstellungen. (0x81000005)

Error: (08/12/2013 09:35:05 PM) (Source: Application Error)(User: )
Description: svchost.exe_p2pimsvc6.1.7600.163854a5bc3c1ntdll.dll6.1.7601.177254ec4aa8ec000000800000000000cd7d8ba401ce9792d5fdbc4fC:\Windows\System32\svchost.exeC:\Windows\SYSTEM32\ntdll.dll496d92bb-0386-11e3-a450-00040ecdc758

Error: (08/09/2013 08:26:34 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
Could not query the status of the EventSystem service.

System Error:
Der Computer wird heruntergefahren.

Error: (08/07/2013 11:52:22 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2137760

Error: (08/07/2013 11:52:22 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2137760

Error: (08/07/2013 11:52:22 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second


==================== Memory info =========================== 

Percentage of memory in use: 44%
Total physical RAM: 4087.07 MB
Available physical RAM: 2281.72 MB
Total Pagefile: 8172.33 MB
Available Pagefile: 5915.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:456.45 GB) (Free:123.98 GB) NTFS (Disk=0 Partition=3)
Drive d: (DATA) (Fixed) (Total:456.96 GB) (Free:0 GB) NTFS (Disk=0 Partition=4)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 4DA17355)
Partition 1: (Not Active) - (Size=18 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=456 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=457 GB) - (Type=07 NTFS)

==================== End Of Log ============================

14.08.2013, 22:03   #4
TobiT

Win32.downloader.gen still on the system after system restore?



GMER (part 1):
[CODE]GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-08-14 18:55:40
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST310005 rev.CC44 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\*****~1\AppData\Local\Temp\axddqkow.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff80003209000 47 bytes [FF, 45, 0F, 20, C6, 44, 0F, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff80003209030 11 bytes [0B, C2, 44, 89, AC, 24, D0, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 0000000100040470
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 0000000100040460
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 0000000100040370
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 0000000100040480
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000001000403e0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 0000000100040320
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000001000403b0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 0000000100040390
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000001000402e0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 0000000100040440
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000001000402d0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 0000000100040310
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000001000403c0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000001000403f0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 0000000100040230
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 0000000100040490
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f4a416
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000001000403a0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000001000402f0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 0000000100040350
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 0000000100040290
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000001000402b0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000001000403d0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 0000000100040330
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 0000000100040410
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 0000000100040240
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000001000401e0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 0000000100040250
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000001000404a0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000001000404b0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 0000000100040300
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 0000000100040360
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000001000402a0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000001000402c0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 0000000100040380
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 0000000100040340
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 0000000100040450
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0xffffffff890fde90}
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 0000000100040260
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 0000000100040270
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 0000000100040400
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000001000401f0
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 0000000100040210
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 0000000100040200
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 0000000100040420
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 0000000100040430
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 0000000100040220
.text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 0000000100040280
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 0000000149e80470
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 0000000149e80460
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 0000000149e80370
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 0000000149e80480
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 0000000149e803e0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 0000000149e80320
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 0000000149e803b0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 0000000149e80390
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 0000000149e802e0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 0000000149e80440
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 0000000149e802d0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 0000000149e80310
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 0000000149e803c0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 0000000149e803f0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 0000000149e80230
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 0000000149e80490
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f4edfa
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 0000000149e803a0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 0000000149e802f0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 0000000149e80350
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 0000000149e80290
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 0000000149e802b0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 0000000149e803d0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 0000000149e80330
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 0000000149e80410
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 0000000149e80240
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 0000000149e801e0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 0000000149e80250
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 0000000149e804a0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 0000000149e804b0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 0000000149e80300
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 0000000149e80360
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 0000000149e802a0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 0000000149e802c0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 0000000149e80380
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 0000000149e80340
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 0000000149e80450
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0xffffffffd2f3de90}
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 0000000149e80260
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 0000000149e80270
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 0000000149e80400
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 0000000149e801f0
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 0000000149e80210
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 0000000149e80200
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 0000000149e80420
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 0000000149e80430
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 0000000149e80220
.text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 0000000149e80280
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\services.exe[664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\lsm.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\winlogon.exe[764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\system32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\system32\svchost.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
.text C:\Windows\system32\atiesrxx.exe[1056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f41360 5 bytes JMP 00000000770a0470
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f413b0 5 bytes JMP 00000000770a0460
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f41510 5 bytes JMP 00000000770a0370
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f41560 5 bytes JMP 00000000770a0480
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f41570 5 bytes JMP 00000000770a03e0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f41620 5 bytes JMP 00000000770a0320
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f41650 5 bytes JMP 00000000770a03b0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f41670 5 bytes JMP 00000000770a0390
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f416b0 5 bytes JMP 00000000770a02e0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f41700 5 bytes JMP 00000000770a0440
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f41730 5 bytes JMP 00000000770a02d0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f41750 5 bytes JMP 00000000770a0310
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f41790 5 bytes JMP 00000000770a03c0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f417e0 5 bytes JMP 00000000770a03f0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f41940 5 bytes JMP 00000000770a0230
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f41b00 1 byte JMP 00000000770a0490
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f41c10 5 bytes JMP 00000000770a02f0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f41c20 5 bytes JMP 00000000770a0350
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f41c80 5 bytes JMP 00000000770a0290
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f41d10 5 bytes JMP 00000000770a02b0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f41d30 5 bytes JMP 00000000770a03d0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f41d40 5 bytes JMP 00000000770a0330
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f41db0 5 bytes JMP 00000000770a0410
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f41de0 5 bytes JMP 00000000770a0240
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f420a0 5 bytes JMP 00000000770a01e0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f42160 5 bytes JMP 00000000770a0250
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f42190 5 bytes JMP 00000000770a04a0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f421d0 5 bytes JMP 00000000770a0300
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f421e0 5 bytes JMP 00000000770a0360
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f42240 5 bytes JMP 00000000770a02a0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f42290 5 bytes JMP 00000000770a02c0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f422c0 5 bytes JMP 00000000770a0380
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f422d0 5 bytes JMP 00000000770a0340
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f425c0 1 byte JMP 00000000770a0450
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 0000000076f425c2 3 bytes {JMP 0x15de90}
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f427c0 5 bytes JMP 00000000770a0260
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f427d0 5 bytes JMP 00000000770a0270
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f427e0 5 bytes JMP 00000000770a0400
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f429a0 5 bytes JMP 00000000770a01f0
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f429b0 5 bytes JMP 00000000770a0210
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f42a20 5 bytes JMP 00000000770a0200
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f42a80 5 bytes JMP 00000000770a0420
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f42a90 5 bytes JMP 00000000770a0430
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f42b80 5 bytes JMP 00000000770a0280
.text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62]
Old 14.08.2013, 22:04   #5
TobiT

GMER (part 2):

Code:
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\System32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\svchost.exe[1492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\System32\spoolsv.exe[1732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\svchost.exe[1788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                  0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\avmwlanstick\WlanNetService.exe[1992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                        0000000074d7a30a 1 byte [62]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                     0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                              0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                              0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                   0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                         0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                              0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                       0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                          0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                           0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                              0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                            0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                             0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                          0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                             0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                  0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                              0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                 0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                          0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                       0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                             0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                          0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                           0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                              0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                       0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                          0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                               0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                          0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                          0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                 0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                            0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                         0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                               0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                            0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                               0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                         0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                     0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                        0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                           0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                         0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                     0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                      0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                           0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                           0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                            0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                       0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                               0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe[1288] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                             0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Acer\Registration\GregHSRW.exe[1640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                         0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe[1852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                 0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\PDF Architect\HelperService.exe[2064] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                        0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\PDF Architect\ConversionService.exe[2116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                    0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe[2156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                   0000000074d7a30a 1 byte [62]
.text     C:\Windows\system32\svchost.exe[2212] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2248] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                         0000000074d7a30a 1 byte [62]
.text     C:\OEM\USBDECTION\USBS3S4Detection.exe[2308] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                        0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Spybot\SDWinSec.exe[2360] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                    0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Spybot\SDWinSec.exe[2360] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                                                  0000000075e31465 2 bytes [E3, 75]
.text     C:\Program Files (x86)\Spybot\SDWinSec.exe[2360] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                                                 0000000075e314bb 2 bytes [E3, 75]
.text     ...                                                                                                                                                       * 2
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                          0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                   0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                   0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                        0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                              0000000076f41570 5 bytes JMP 00000000770a03e0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                   0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                            0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                               0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                     0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                   0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                 0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                  0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                               0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                  0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                       0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                   0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                      0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                               0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                            0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                  0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                               0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                   0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                            0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                               0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                    0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                               0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                               0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                      0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                 0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                              0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                    0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                 0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                    0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                     0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                              0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                          0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                             0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                              0000000076f427e0 5 bytes JMP 00000000770a0400
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                          0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                           0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                 0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                            0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                    0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\SearchIndexer.exe[2060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                         0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                          0000000076f13b10 5 bytes JMP 000000010023075c
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                            0000000076f17ac0 5 bytes JMP 00000001002303a4
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                         0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                               0000000076f41430 5 bytes JMP 0000000100230b14
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                   0000000076f41490 5 bytes JMP 0000000100230ecc
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                         0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                              0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000076f41570 5 bytes JMP 000000010023163c
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                  0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                     0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                           0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                      0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                         0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                0000000076f417b0 5 bytes JMP 0000000100231284
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                        0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                         0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                            0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                     0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                  0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                        0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                     0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                         0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                  0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                     0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000001002319f4
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                            000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                               000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                               000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                      000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                      000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                       000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                             0000000076f13b10 5 bytes JMP 000000010048075c
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                               0000000076f17ac0 5 bytes JMP 00000001004803a4
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                   0000000076f41360 5 bytes JMP 0000000100060470
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                            0000000076f413b0 5 bytes JMP 0000000100060460
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                  0000000076f41430 5 bytes JMP 0000000100480b14
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                      0000000076f41490 5 bytes JMP 0000000100480ecc
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                            0000000076f41510 5 bytes JMP 0000000100060370
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                 0000000076f41560 5 bytes JMP 0000000100060480
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                       0000000076f41570 5 bytes JMP 000000010048163c
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                            0000000076f41620 5 bytes JMP 0000000100060320
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                     0000000076f41650 5 bytes JMP 00000001000603b0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                        0000000076f41670 5 bytes JMP 0000000100060390
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                              0000000076f416b0 5 bytes JMP 00000001000602e0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                         0000000076f41700 5 bytes JMP 0000000100060440
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                            0000000076f41730 5 bytes JMP 00000001000602d0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                          0000000076f41750 5 bytes JMP 0000000100060310
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                           0000000076f41790 5 bytes JMP 00000001000603c0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                   0000000076f417b0 5 bytes JMP 0000000100481284
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                        0000000076f417e0 5 bytes JMP 00000001000603f0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                           0000000076f41940 5 bytes JMP 0000000100060230
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                0000000076f41b00 1 byte JMP 0000000100060490
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                            0000000076f41b02 3 bytes JMP 0000000076f4a418
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                               0000000076f41b30 5 bytes JMP 00000001000603a0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                        0000000076f41c10 5 bytes JMP 00000001000602f0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                     0000000076f41c20 5 bytes JMP 0000000100060350
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                           0000000076f41c80 5 bytes JMP 0000000100060290
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                        0000000076f41d10 5 bytes JMP 00000001000602b0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                         0000000076f41d30 5 bytes JMP 00000001000603d0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                            0000000076f41d40 5 bytes JMP 0000000100060330
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                     0000000076f41db0 5 bytes JMP 0000000100060410


Old 14.08.2013, 22:06   #6
TobiT

Win32.downloader.gen still on the system after system restore?

GMER (part 3):
Code:
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                        0000000076f41de0 5 bytes JMP 0000000100060240
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                             0000000076f420a0 5 bytes JMP 00000001000601e0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                        0000000076f42160 5 bytes JMP 0000000100060250
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                        0000000076f42190 5 bytes JMP 00000001000604a0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                               0000000076f421a0 5 bytes JMP 00000001000604b0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                          0000000076f421d0 5 bytes JMP 0000000100060300
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                       0000000076f421e0 5 bytes JMP 0000000100060360
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                             0000000076f42240 5 bytes JMP 00000001000602a0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                          0000000076f42290 5 bytes JMP 00000001000602c0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                             0000000076f422c0 5 bytes JMP 0000000100060380
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                              0000000076f422d0 5 bytes JMP 0000000100060340
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                       0000000076f425c0 1 byte JMP 0000000100060450
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                   0000000076f425c2 3 bytes {JMP 0xffffffff8911de90}
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                      0000000076f427c0 5 bytes JMP 0000000100060260
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                         0000000076f427d0 5 bytes JMP 0000000100060270
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                       0000000076f427e0 5 bytes JMP 00000001004819f4
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                   0000000076f429a0 5 bytes JMP 00000001000601f0
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                    0000000076f429b0 5 bytes JMP 0000000100060210
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                         0000000076f42a20 5 bytes JMP 0000000100060200
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                         0000000076f42a80 5 bytes JMP 0000000100060420
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                          0000000076f42a90 5 bytes JMP 0000000100060430
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                     0000000076f42aa0 5 bytes JMP 0000000100060220
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                             0000000076f42b80 5 bytes JMP 0000000100060280
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                  0000000076e2eecd 1 byte [62]
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                               000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                   000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                   000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                  000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                  000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                         000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                         000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4040] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                          000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                         0000000076f13b10 5 bytes JMP 00000001002c075c
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                           0000000076f17ac0 5 bytes JMP 00000001002c03a4
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                               0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                        0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                              0000000076f41430 5 bytes JMP 00000001002c0b14
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                  0000000076f41490 5 bytes JMP 00000001002c0ecc
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                        0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                             0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                   0000000076f41570 5 bytes JMP 00000001002c163c
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                        0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                 0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                    0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                          0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                     0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                        0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                      0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                       0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                               0000000076f417b0 5 bytes JMP 00000001002c1284
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                    0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                       0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                            0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                        0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                           0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                    0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                 0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                       0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                    0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                     0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                        0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                 0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                    0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                         0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                    0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                    0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                           0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                      0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                   0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                         0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                      0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                         0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                          0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                   0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                               0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                  0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                     0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                   0000000076f427e0 5 bytes JMP 00000001002c19f4
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                               0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                     0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                     0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                      0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                 0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                         0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                           000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                               000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                               000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                              000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                              000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                     000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                     000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\system32\atieclxx.exe[2556] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                      000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                         0000000076f13b10 5 bytes JMP 000000010047075c
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                           0000000076f17ac0 5 bytes JMP 00000001004703a4
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                               0000000076f41360 5 bytes JMP 0000000100060470
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                        0000000076f413b0 5 bytes JMP 0000000100060460
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                              0000000076f41430 5 bytes JMP 0000000100470b14
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                  0000000076f41490 5 bytes JMP 0000000100470ecc
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                        0000000076f41510 5 bytes JMP 0000000100060370
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                             0000000076f41560 5 bytes JMP 0000000100060480
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                   0000000076f41570 5 bytes JMP 000000010047163c
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                        0000000076f41620 5 bytes JMP 0000000100060320
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                 0000000076f41650 5 bytes JMP 00000001000603b0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                    0000000076f41670 5 bytes JMP 0000000100060390
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                          0000000076f416b0 5 bytes JMP 00000001000602e0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                     0000000076f41700 5 bytes JMP 0000000100060440
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                        0000000076f41730 5 bytes JMP 00000001000602d0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                      0000000076f41750 5 bytes JMP 0000000100060310
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                       0000000076f41790 5 bytes JMP 00000001000603c0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                               0000000076f417b0 5 bytes JMP 0000000100471284
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                    0000000076f417e0 5 bytes JMP 00000001000603f0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                       0000000076f41940 5 bytes JMP 0000000100060230
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                            0000000076f41b00 1 byte JMP 0000000100060490
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                        0000000076f41b02 3 bytes JMP 0000000076f4a418
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                           0000000076f41b30 5 bytes JMP 00000001000603a0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                    0000000076f41c10 5 bytes JMP 00000001000602f0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                 0000000076f41c20 5 bytes JMP 0000000100060350
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                       0000000076f41c80 5 bytes JMP 0000000100060290
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                    0000000076f41d10 5 bytes JMP 00000001000602b0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                     0000000076f41d30 5 bytes JMP 00000001000603d0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                        0000000076f41d40 5 bytes JMP 0000000100060330
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                 0000000076f41db0 5 bytes JMP 0000000100060410
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                    0000000076f41de0 5 bytes JMP 0000000100060240
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                         0000000076f420a0 5 bytes JMP 00000001000601e0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                    0000000076f42160 5 bytes JMP 0000000100060250
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                    0000000076f42190 5 bytes JMP 00000001000604a0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                           0000000076f421a0 5 bytes JMP 00000001000604b0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                      0000000076f421d0 5 bytes JMP 0000000100060300
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                   0000000076f421e0 5 bytes JMP 0000000100060360
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                         0000000076f42240 5 bytes JMP 00000001000602a0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                      0000000076f42290 5 bytes JMP 00000001000602c0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                         0000000076f422c0 5 bytes JMP 0000000100060380
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                          0000000076f422d0 5 bytes JMP 0000000100060340
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                   0000000076f425c0 1 byte JMP 0000000100060450
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                               0000000076f425c2 3 bytes {JMP 0xffffffff8911de90}
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                  0000000076f427c0 5 bytes JMP 0000000100060260
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                     0000000076f427d0 5 bytes JMP 0000000100060270
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                   0000000076f427e0 5 bytes JMP 00000001004719f4
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                               0000000076f429a0 5 bytes JMP 00000001000601f0
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                0000000076f429b0 5 bytes JMP 0000000100060210
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                     0000000076f42a20 5 bytes JMP 0000000100060200
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                     0000000076f42a80 5 bytes JMP 0000000100060420
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                      0000000076f42a90 5 bytes JMP 0000000100060430
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                 0000000076f42aa0 5 bytes JMP 0000000100060220
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                         0000000076f42b80 5 bytes JMP 0000000100060280
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                              0000000076e2eecd 1 byte [62]
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                           000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                               000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                               000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                              000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                              000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                     000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                     000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\system32\taskhost.exe[3260] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                      000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                              0000000076f13b10 5 bytes JMP 00000001003a075c
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                0000000076f17ac0 5 bytes JMP 00000001003a03a4
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                             0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                   0000000076f41430 5 bytes JMP 00000001003a0b14
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                       0000000076f41490 5 bytes JMP 00000001003a0ecc
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                             0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000076f41570 5 bytes JMP 00000001003a163c
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                      0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                         0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                               0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                          0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                             0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                    0000000076f417b0 5 bytes JMP 00000001003a1284
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                            0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                             0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                         0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                      0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                            0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                         0000000076f41d10 5 bytes JMP 00000000770a02b0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000076f41d30 5 bytes JMP 00000000770a03d0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                             0000000076f41d40 5 bytes JMP 00000000770a0330
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                      0000000076f41db0 5 bytes JMP 00000000770a0410
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                         0000000076f41de0 5 bytes JMP 00000000770a0240
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000076f420a0 5 bytes JMP 00000000770a01e0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                         0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                         0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                           0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                        0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                              0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                           0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                              0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                               0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                        0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                    0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                       0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                          0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                        0000000076f427e0 5 bytes JMP 00000001003a19f4
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                     0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                          0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                           0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                              0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                                000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                    000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                    000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                                   000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                                   000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                          000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                          000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\system32\Dwm.exe[3660] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                           000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                  0000000076f13b10 5 bytes JMP 000000010017075c
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                    0000000076f17ac0 5 bytes JMP 00000001001703a4
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                        0000000076f41360 5 bytes JMP 00000000770a0470
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                 0000000076f413b0 5 bytes JMP 00000000770a0460
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                                       0000000076f41430 5 bytes JMP 0000000100170b14
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                           0000000076f41490 5 bytes JMP 0000000100170ecc
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000076f41510 5 bytes JMP 00000000770a0370
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                      0000000076f41560 5 bytes JMP 00000000770a0480
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000076f41570 5 bytes JMP 000000010017163c
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000076f41620 5 bytes JMP 00000000770a0320
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000076f41650 5 bytes JMP 00000000770a03b0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000076f41670 5 bytes JMP 00000000770a0390
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                   0000000076f416b0 5 bytes JMP 00000000770a02e0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000076f41700 5 bytes JMP 00000000770a0440
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                 0000000076f41730 5 bytes JMP 00000000770a02d0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000076f41750 5 bytes JMP 00000000770a0310
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000076f41790 5 bytes JMP 00000000770a03c0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                                        0000000076f417b0 5 bytes JMP 0000000100171284
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                             0000000076f417e0 5 bytes JMP 00000000770a03f0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                0000000076f41940 5 bytes JMP 00000000770a0230
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                     0000000076f41b00 1 byte JMP 00000000770a0490
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2                                                                 0000000076f41b02 3 bytes JMP 0000000076f41b1c
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                    0000000076f41b30 5 bytes JMP 00000000770a03a0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                             0000000076f41c10 5 bytes JMP 00000000770a02f0
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                          0000000076f41c20 5 bytes JMP 00000000770a0350
.text     C:\Windows\Explorer.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000076f41c80 5 bytes JMP 00000000770a0290
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                   00000000766b7603 5 bytes JMP 0000000100250804
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                   00000000766b835c 5 bytes JMP 0000000100250600
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                 00000000766cf52b 5 bytes JMP 0000000100250a08
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                           0000000075115181 5 bytes JMP 0000000100261014
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                               0000000075115254 5 bytes JMP 0000000100260804
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                               00000000751153d5 5 bytes JMP 0000000100260a08
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                              00000000751154c2 5 bytes JMP 0000000100260c0c
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                              00000000751155e2 5 bytes JMP 0000000100260e10
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                     000000007511567c 5 bytes JMP 00000001002601f8
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                     000000007511589f 5 bytes JMP 00000001002603fc
.text     C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[2844] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                      0000000075115a22 5 bytes JMP 0000000100260600
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                   00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                       00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                        00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                    00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                        00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                000000007710c4dd 5 bytes JMP 00000001000301f8
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                              0000000077111287 5 bytes JMP 00000001000303fc
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                   0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                          00000000766aee09 5 bytes JMP 00000001002401f8
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                           00000000766b3982 5 bytes JMP 00000001002403fc
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                        00000000766b7603 5 bytes JMP 0000000100240804
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                        00000000766b835c 5 bytes JMP 0000000100240600
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                      00000000766cf52b 5 bytes JMP 0000000100240a08
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                0000000075115181 5 bytes JMP 0000000100251014
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                    0000000075115254 5 bytes JMP 0000000100250804
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                    00000000751153d5 5 bytes JMP 0000000100250a08
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                   00000000751154c2 5 bytes JMP 0000000100250c0c
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                   00000000751155e2 5 bytes JMP 0000000100250e10
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                          000000007511567c 5 bytes JMP 00000001002501f8
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                          000000007511589f 5 bytes JMP 00000001002503fc
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\SysWOW64\sechost.dll!DeleteService                                           0000000075115a22 5 bytes JMP 0000000100250600
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                 0000000075e31465 2 bytes [E3, 75]
.text     C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe[856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                0000000075e314bb 2 bytes [E3, 75]
.text     ...                                                                                                                                                       * 2
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                 00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                     00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                      00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                  00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                      00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                              000000007710c4dd 5 bytes JMP 00000001000301f8
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                            0000000077111287 5 bytes JMP 00000001000303fc
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                 0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\syswow64\user32.DLL!SetWinEventHook                        00000000766aee09 5 bytes JMP 00000001002401f8
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\syswow64\user32.DLL!UnhookWinEvent                         00000000766b3982 5 bytes JMP 00000001002403fc
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW                      00000000766b7603 5 bytes JMP 0000000100240804
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA                      00000000766b835c 5 bytes JMP 0000000100240600
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx                    00000000766cf52b 5 bytes JMP 0000000100240a08
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity              0000000075115181 5 bytes JMP 0000000100251014
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                  0000000075115254 5 bytes JMP 0000000100250804
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                  00000000751153d5 5 bytes JMP 0000000100250a08
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                 00000000751154c2 5 bytes JMP 0000000100250c0c
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                 00000000751155e2 5 bytes JMP 0000000100250e10
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                        000000007511567c 5 bytes JMP 00000001002501f8
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                        000000007511589f 5 bytes JMP 00000001002503fc
.text     C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe[3084] C:\Windows\SysWOW64\sechost.dll!DeleteService                         0000000075115a22 5 bytes JMP 0000000100250600
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                               00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                   00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                    00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                    00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                            000000007710c4dd 5 bytes JMP 00000001000301f8
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                          0000000077111287 5 bytes JMP 00000001000303fc
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                               0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                      00000000766aee09 5 bytes JMP 00000001001d01f8
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                       00000000766b3982 5 bytes JMP 00000001001d03fc
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                    00000000766b7603 5 bytes JMP 00000001001d0804
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                    00000000766b835c 5 bytes JMP 00000001001d0600
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                  00000000766cf52b 5 bytes JMP 00000001001d0a08
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                            0000000075115181 5 bytes JMP 00000001001e1014
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                0000000075115254 5 bytes JMP 00000001001e0804
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                00000000751153d5 5 bytes JMP 00000001001e0a08
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                               00000000751154c2 5 bytes JMP 00000001001e0c0c
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                               00000000751155e2 5 bytes JMP 00000001001e0e10
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                      000000007511567c 5 bytes JMP 00000001001e01f8
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                      000000007511589f 5 bytes JMP 00000001001e03fc
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                       0000000075115a22 5 bytes JMP 00000001001e0600
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                        00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                            00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                             00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                         00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                             00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                     000000007710c4dd 5 bytes JMP 00000001000301f8
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                   0000000077111287 5 bytes JMP 00000001000303fc
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                        0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\syswow64\USER32.dll!SetWinEventHook                               00000000766aee09 5 bytes JMP 00000001002401f8
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                00000000766b3982 5 bytes JMP 00000001002403fc
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                             00000000766b7603 5 bytes JMP 0000000100240804
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                             00000000766b835c 5 bytes JMP 0000000100240600
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                           00000000766cf52b 5 bytes JMP 0000000100240a08
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                     0000000075115181 5 bytes JMP 0000000100251014
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                         0000000075115254 5 bytes JMP 0000000100250804
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                         00000000751153d5 5 bytes JMP 0000000100250a08
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                        00000000751154c2 5 bytes JMP 0000000100250c0c
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                        00000000751155e2 5 bytes JMP 0000000100250e10
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                               000000007511567c 5 bytes JMP 00000001002501f8
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                               000000007511589f 5 bytes JMP 00000001002503fc
.text     C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe[3680] C:\Windows\SysWOW64\sechost.dll!DeleteService                                0000000075115a22 5 bytes JMP 0000000100250600
         

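The `.text` lines above are GMER's list of user-mode inline hooks: for every process it names the DLL export that was patched, the patched address, how many bytes were overwritten and, for a 5-byte patch, the JMP destination. Reading a few hundred of these by eye is error-prone, so the following is an added example (not GMER's code and not from the poster) that parses lines in this format and applies one check a practitioner would want: when a single hooking component has been loaded into every process, the JMP destinations differ only by the DLL's load base, so the low 16 bits of the destination should be identical for a given export across all processes. An export that jumps somewhere else in one process, or a process hooked on exports nobody else has, is what deserves a closer look. The SAMPLE lines are constructed in GMER's format (modelled on the listing above); `example.exe` with PID 9999 is an invented outlier added so the check has something to find. The result is a triage aid only: uniform hooks on the same exports in every process are also exactly what a security product's user-mode protection produces, and GMER cannot tell the two apart by itself.

```python
"""Group the user-mode inline hooks from a GMER '.text' listing by hooked
export and check whether every process points at the same stub offset.

Added example for this thread; not GMER's code and not from the poster.
SAMPLE is constructed in GMER's line format; 'example.exe'/PID 9999 is an
invented outlier.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# .text  <process>[<pid>] <dll>!<export>[ + off]  <addr> <n> byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>\S+?)!(?P<func>\w+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+) bytes?\s+"
    r"(?P<patch>.+?)\s*$"
)


@dataclass(frozen=True)
class Hook:
    process: str            # image path of the hooked process
    pid: int
    module: str             # lower-cased DLL base name, e.g. "ntdll.dll"
    func: str               # hooked export, possibly "Name + offset"
    addr: int               # patched address inside the DLL
    size: int               # number of patched bytes
    target: Optional[int]   # JMP destination; None for raw byte patches
    patch: str              # patch column as GMER printed it


def parse_gmer_hooks(text: str) -> list[Hook]:
    """Parse every '.text' hook line; continuation lines ('...  * 2') are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        patch = m["patch"]
        target = int(patch[4:], 16) if patch.startswith("JMP ") else None
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]),
            module=m["mod"].rsplit("\\", 1)[-1].lower(), func=m["func"],
            addr=int(m["addr"], 16), size=int(m["size"]),
            target=target, patch=patch,
        ))
    return hooks


def trampoline_offset(target: int) -> int:
    """Low 16 bits of the JMP destination.

    A hooking DLL is mapped at a different base in each process, but the stub
    for one export sits at a fixed offset inside it, so this value is what
    should agree across processes when one component placed all the hooks.
    """
    return target & 0xFFFF


def summarize_by_function(hooks: list[Hook]) -> dict[tuple[str, str], Counter]:
    """(module, export) -> Counter of stub offsets seen across processes."""
    table: dict[tuple[str, str], Counter] = defaultdict(Counter)
    for h in hooks:
        if h.target is not None:
            table[(h.module, h.func)][trampoline_offset(h.target)] += 1
    return table


def find_outliers(hooks: list[Hook]) -> list[Hook]:
    """Hooks whose stub offset disagrees with the majority for that export."""
    table = summarize_by_function(hooks)
    outliers = []
    for h in hooks:
        if h.target is None:
            continue
        majority, _ = table[(h.module, h.func)].most_common(1)[0]
        if trampoline_offset(h.target) != majority:
            outliers.append(h)
    return outliers


def processes_hooked(hooks: list[Hook]) -> list[tuple[str, int]]:
    """Distinct (image path, pid) pairs that carry at least one hook."""
    return sorted({(h.process, h.pid) for h in hooks})


# Constructed sample in GMER's format; the last two lines are the invented outlier.
SAMPLE = r"""
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory   00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW          000000007511589f 5 bytes JMP 00000001001e03fc
.text     C:\Program Files (x86)\avmwlanstick\WLanGUI.exe[2948] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112   0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory   00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\sechost.dll!CreateServiceW          000000007511589f 5 bytes JMP 00000001002603fc
.text     ...                                                                                                             * 2
.text     C:\Users\demo\AppData\Roaming\example.exe[9999] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory           00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Users\demo\AppData\Roaming\example.exe[9999] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                  000000007511589f 5 bytes JMP 0000000000412a90
"""

if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE)
    print(f"{len(hooks)} hooks in {len(processes_hooked(hooks))} processes")
    for (mod, func), counts in sorted(summarize_by_function(hooks).items()):
        print(f"{mod}!{func}: offsets {dict(counts)}")
    for h in find_outliers(hooks):
        print(f"OUTLIER {h.process}[{h.pid}] {h.module}!{h.func} -> {h.patch}")
```

To run it over a real GMER log, pass the file's contents to `parse_gmer_hooks` instead of `SAMPLE`; the 1- and 2-byte patches (such as `GetBinaryTypeW + 112 ... [62]`) carry no JMP target and are kept in the list but excluded from the offset comparison. An outlier found this way still has to be attributed by hand, for example by checking which module is mapped at the JMP destination in that process.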
14.08.2013, 22:08   #7
TobiT

Win32.downloader.gen still on the system after a System Restore?

GMER (part 4):

Code:
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                            00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                 00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                             00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                 00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                         000000007710c4dd 5 bytes JMP 00000001000301f8
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                       0000000077111287 5 bytes JMP 00000001000303fc
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                            0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                         0000000075115181 5 bytes JMP 0000000100241014
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                             0000000075115254 5 bytes JMP 0000000100240804
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                             00000000751153d5 5 bytes JMP 0000000100240a08
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                            00000000751154c2 5 bytes JMP 0000000100240c0c
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                            00000000751155e2 5 bytes JMP 0000000100240e10
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                   000000007511567c 5 bytes JMP 00000001002401f8
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                   000000007511589f 5 bytes JMP 00000001002403fc
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                    0000000075115a22 5 bytes JMP 0000000100240600
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                   00000000766aee09 5 bytes JMP 00000001002601f8
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                    00000000766b3982 5 bytes JMP 00000001002603fc
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                 00000000766b7603 5 bytes JMP 0000000100260804
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                 00000000766b835c 5 bytes JMP 0000000100260600
.text     C:\Program Files (x86)\MirandaFusion\miranda32.exe[3992] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                               00000000766cf52b 5 bytes JMP 0000000100260a08
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                        00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                            00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                             00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                         00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                             00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                     000000007710c4dd 5 bytes JMP 00000001000301f8
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                   0000000077111287 5 bytes JMP 00000001000303fc
.text     C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1928] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                        0000000074d7a30a 1 byte [62]
.text     C:\Program Files\AVAST Software\Avast\AvastUI.exe[1316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                             0000000074d7a30a 1 byte [62]
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                        00000000770efac0 5 bytes JMP 0000000100030600
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                            00000000770efb58 5 bytes JMP 0000000100030804
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                             00000000770efcb0 5 bytes JMP 0000000100030c0c
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                         00000000770f0038 5 bytes JMP 0000000100030a08
.text     C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                             00000000770f1920 5 bytes JMP 0000000100030e10
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                     0000000076f42160 5 bytes JMP 00000000770a0250
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                     0000000076f42190 5 bytes JMP 00000000770a04a0
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                            0000000076f421a0 5 bytes JMP 00000000770a04b0
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                       0000000076f421d0 5 bytes JMP 00000000770a0300
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                    0000000076f421e0 5 bytes JMP 00000000770a0360
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                          0000000076f42240 5 bytes JMP 00000000770a02a0
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                       0000000076f42290 5 bytes JMP 00000000770a02c0
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                          0000000076f422c0 5 bytes JMP 00000000770a0380
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                           0000000076f422d0 5 bytes JMP 00000000770a0340
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                    0000000076f425c0 1 byte JMP 00000000770a0450
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2                                                                0000000076f425c2 3 bytes {JMP 0x15de90}
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                   0000000076f427c0 5 bytes JMP 00000000770a0260
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                      0000000076f427d0 5 bytes JMP 00000000770a0270
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                    0000000076f427e0 5 bytes JMP 00000001004419f4
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000076f429a0 5 bytes JMP 00000000770a01f0
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                 0000000076f429b0 5 bytes JMP 00000000770a0210
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000076f42a20 5 bytes JMP 00000000770a0200
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                      0000000076f42a80 5 bytes JMP 00000000770a0420
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                       0000000076f42a90 5 bytes JMP 00000000770a0430
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000076f42aa0 5 bytes JMP 00000000770a0220
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                          0000000076f42b80 5 bytes JMP 00000000770a0280
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                            000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                               000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                               000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                      000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                      000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                       000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\USER32.dll!UnhookWinEvent                                                                       0000000076cd8550 5 bytes JMP 000000010056075c
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                  0000000076cdd440 5 bytes JMP 0000000100561284
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                    0000000076cdf874 5 bytes JMP 0000000100560ecc
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                      0000000076ce4d4c 5 bytes JMP 00000001005603a4
.text     C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                                    0000000076cf8c20 5 bytes JMP 0000000100560b14
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                            000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                                000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                                000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                               000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                               000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                      000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                      000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Windows\system32\svchost.exe[3636] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                       000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                    0000000076f13b10 5 bytes JMP 000000010057075c
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                      0000000076f17ac0 5 bytes JMP 00000001005703a4
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                         0000000076f41430 5 bytes JMP 0000000100570b14
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                             0000000076f41490 5 bytes JMP 0000000100570ecc
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                              0000000076f41570 5 bytes JMP 000000010057163c
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                          0000000076f417b0 5 bytes JMP 0000000100571284
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                              0000000076f427e0 5 bytes JMP 00000001005719f4
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                         0000000076e2eecd 1 byte [62]
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                      000007fefed86e00 5 bytes JMP 000007ff7eda1dac
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                          000007fefed86f2c 5 bytes JMP 000007ff7eda0ecc
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                          000007fefed87220 5 bytes JMP 000007ff7eda1284
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                         000007fefed8739c 5 bytes JMP 000007ff7eda163c
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                         000007fefed87538 5 bytes JMP 000007ff7eda19f4
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                000007fefed875e8 5 bytes JMP 000007ff7eda03a4
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                000007fefed8790c 5 bytes JMP 000007ff7eda075c
.text     C:\Users\*****\Desktop\FRST64.exe[5448] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                 000007fefed87ab4 5 bytes JMP 000007ff7eda0b14
.text     C:\Windows\system32\AUDIODG.EXE[5100] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189                                                               0000000076e2eecd 1 byte [62]
.text     C:\Users\*****\Desktop\gmer_2.1.19163.exe[5392] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                 0000000074d7a30a 1 byte [62]

---- Threads - GMER 2.1 ----

Thread    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4016:4032]                                                                                    0000000075117587
Thread    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4016:4036]                                                                                    0000000070d30cb3
Thread    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4016:4072]                                                                                    0000000077122e65
Thread    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4016:1224]                                                                                    0000000077123e85
Thread    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4016:6136]                                                                                    0000000077123e85
Thread    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4016:4056]                                                                                    0000000077123e85
Thread    C:\Program Files\Windows Media Player\wmpnetwk.exe [2448:4824]                                                                                            000007feff000168
Thread    C:\Program Files\Windows Media Player\wmpnetwk.exe [2448:3004]                                                                                            000007fefaf32a7c
Thread    C:\Program Files\Windows Media Player\wmpnetwk.exe [2448:2384]                                                                                            000007feea7ad618
Thread    C:\Program Files\Windows Media Player\wmpnetwk.exe [2448:3768]                                                                                            000007fef8d35124

---- Registry - GMER 2.1 ----

Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type                                                                                                      2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start                                                                                                     2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl                                                                                              1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName                                                                                               aswFsBlk
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group                                                                                                     FSFilter Activity Monitor
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService                                                                                           FltMgr?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description                                                                                               avast! mini-filter driver (aswFsBlk)
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag                                                                                                       3
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances                                                                                                 
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance                                                                                 aswFsBlk Instance
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance                                                                               
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude                                                                      388400
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags                                                                         0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk                                                                                                           
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type                                                                                                     2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start                                                                                                    2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl                                                                                             1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath                                                                                                \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName                                                                                              aswMonFlt
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group                                                                                                    FSFilter Anti-Virus
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService                                                                                          FltMgr?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description                                                                                              avast! mini-filter driver (aswMonFlt)
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances                                                                                                
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance                                                                                aswMonFlt Instance
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance                                                                             
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude                                                                    320700
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags                                                                       0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt                                                                                                          
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath                                                                                                   \SystemRoot\System32\Drivers\aswrdr2.sys
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type                                                                                                        1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start                                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl                                                                                                1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName                                                                                                 aswRdr
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group                                                                                                       PNP_TDI
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService                                                                                             tcpip?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description                                                                                                 avast! WFP Redirect driver
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters                                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault                                                                               
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault                                                                               nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRdr                                                                                                             
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type                                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start                                                                                                      0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl                                                                                               1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName                                                                                                aswRvrt
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description                                                                                                avast! Revert
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters                                                                                                 
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter                                                                                     185
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter                                                                                     2489598
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot                                                                                      \Device\Harddisk0\Partition3\Windows
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown                                                                                1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswRvrt                                                                                                            
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type                                                                                                        2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start                                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl                                                                                                1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName                                                                                                 aswSnx
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group                                                                                                       FSFilter Virtualization
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService                                                                                             FltMgr?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description                                                                                                 avast! virtualization driver (aswSnx)
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag                                                                                                         2
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances                                                                                                   
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance                                                                                   aswSnx Instance
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance                                                                                   
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude                                                                          137600
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags                                                                             0
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters                                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder                                                                                    \DosDevices\C:\Program Files\AVAST Software\Avast
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder                                                                                       \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSnx                                                                                                             
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type                                                                                                         1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start                                                                                                        1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl                                                                                                 1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName                                                                                                  aswSP
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description                                                                                                  avast! Self Protection
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters                                                                                                   
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder                                                                                     \DosDevices\C:\Program Files\AVAST Software\Avast
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder                                                                                        \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder                                                                                \DosDevices\C:\Program Files
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder                                                                                      \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswSP                                                                                                              
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type                                                                                                        1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start                                                                                                       1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl                                                                                                1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName                                                                                                 avast! Network Shield Support
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group                                                                                                       PNP_TDI
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService                                                                                             tcpip?
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description                                                                                                 avast! Network Shield TDI driver
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag                                                                                                         11
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswTdi                                                                                                             
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type                                                                                                        1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start                                                                                                       3
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl                                                                                                1
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName                                                                                                 aswVmm
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description                                                                                                 avast! VM Monitor
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters                                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\services\aswVmm                                                                                                             
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type                                                                                              32
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start                                                                                             2
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl                                                                                      1
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath                                                                                         "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName                                                                                       avast! Antivirus
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group                                                                                             ShellSvcGroup
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService                                                                                   aswMonFlt?RpcSS?
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64                                                                                             1
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName                                                                                        LocalSystem
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType                                                                                    1
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description                                                                                           Verwaltet und implementiert avast! Antivirus-Dienste für diesen Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus-Container und den Planer.
Reg       HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus                                                                                                   
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type                                                                                                          2
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start                                                                                                         2
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl                                                                                                  1
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName                                                                                                   aswFsBlk
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group                                                                                                         FSFilter Activity Monitor
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService                                                                                               FltMgr?
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description                                                                                                   avast! mini-filter driver (aswFsBlk)
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag                                                                                                           3
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet)                                                                             
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance                                                                                     aswFsBlk Instance
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet)                                                           
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude                                                                          388400
Reg       HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags                                                                             0
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type                                                                                                         2
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start                                                                                                        2
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl                                                                                                 1
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath                                                                                                    \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName                                                                                                  aswMonFlt
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group                                                                                                        FSFilter Anti-Virus
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService                                                                                              FltMgr?
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description                                                                                                  avast! mini-filter driver (aswMonFlt)
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet)                                                                            
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance                                                                                    aswMonFlt Instance
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet)                                                         
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude                                                                        320700
Reg       HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags                                                                           0
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath                                                                                                       \SystemRoot\System32\Drivers\aswrdr2.sys
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@Type                                                                                                            1
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@Start                                                                                                           1
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl                                                                                                    1
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName                                                                                                     aswRdr
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@Group                                                                                                           PNP_TDI
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService                                                                                                 tcpip?
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr@Description                                                                                                     avast! WFP Redirect driver
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet)                                                                              
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault                                                                                   
Reg       HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault                                                                                   nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type                                                                                                           1
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start                                                                                                          0
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl                                                                                                   1
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName                                                                                                    aswRvrt
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description                                                                                                    avast! Revert
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet)                                                                             
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter                                                                                         185
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter                                                                                         2489598
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot                                                                                          \Device\Harddisk0\Partition3\Windows
Reg       HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown                                                                                    1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@Type                                                                                                            2
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@Start                                                                                                           1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl                                                                                                    1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName                                                                                                     aswSnx
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@Group                                                                                                           FSFilter Virtualization
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService                                                                                                 FltMgr?
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@Description                                                                                                     avast! virtualization driver (aswSnx)
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag                                                                                                             2
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet)                                                                               
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance                                                                                       aswSnx Instance
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet)                                                               
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude                                                                              137600
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags                                                                                 0
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet)                                                                              
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder                                                                                        \DosDevices\C:\Program Files\AVAST Software\Avast
Reg       HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder                                                                                           \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP@Type                                                                                                             1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP@Start                                                                                                            1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl                                                                                                     1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName                                                                                                      aswSP
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP@Description                                                                                                      avast! Self Protection
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet)                                                                               
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield                                                                                           1
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder                                                                                         \DosDevices\C:\Program Files\AVAST Software\Avast
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder                                                                                            \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder                                                                                    \DosDevices\C:\Program Files
Reg       HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder                                                                                          \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@Type                                                                                                            1
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@Start                                                                                                           1
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl                                                                                                    1
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName                                                                                                     avast! Network Shield Support
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@Group                                                                                                           PNP_TDI
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService                                                                                                 tcpip?
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@Description                                                                                                     avast! Network Shield TDI driver
Reg       HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag                                                                                                             11
Reg       HKLM\SYSTEM\ControlSet002\services\aswVmm@Type                                                                                                            1
Reg       HKLM\SYSTEM\ControlSet002\services\aswVmm@Start                                                                                                           3
Reg       HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl                                                                                                    1
Reg       HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName                                                                                                     aswVmm
Reg       HKLM\SYSTEM\ControlSet002\services\aswVmm@Description                                                                                                     avast! VM Monitor
Reg       HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet)                                                                              
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type                                                                                                  32
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start                                                                                                 2
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl                                                                                          1
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath                                                                                             "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName                                                                                           avast! Antivirus
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group                                                                                                 ShellSvcGroup
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService                                                                                       aswMonFlt?RpcSS?
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64                                                                                                 1
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName                                                                                            LocalSystem
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType                                                                                        1
Reg       HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description                                                                                               Verwaltet und implementiert avast! Antivirus-Dienste für diesen Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus-Container und den Planer.

---- EOF - GMER 2.1 ----
         
Spybot (after the system restore, showing the virus it found at that point):
Code:
--- Report generated: 2013-08-12 22:00 ---

Win32.Downloader.gen: [SBI $F03796FC] IE start page (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-3666680677-634416668-595475190-1000\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

Win32.Downloader.gen: [SBI $E6AD2227] Program directory (Directory, nothing done)
  C:\Users\*****\AppData\Local\Conduit\

Win32.Downloader.gen: [SBI $F65FFCFA]  Library (File, nothing done)
  C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll
  Properties.size=638560
  Properties.md5=6796F6E449F90A543DC3345538ACC46F
  Properties.filedate=1308838846
  Properties.filedatetext=2011-06-23 16:20:46

Win32.Downloader.gen: [SBI $82F4FAFD]  Data (File, nothing done)
  C:\END
  Properties.size=9
  Properties.md5=A103FDF7348130EF3F3FEF56B1700A27
  Properties.filedate=1344676346
  Properties.filedatetext=2012-08-11 11:12:25


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-04-26 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2013-04-11 Includes\Adware.sbi (*)
2013-07-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2012-11-14 Includes\Dialer.sbi (*)
2013-04-11 Includes\DialerC.sbi (*)
2013-04-11 Includes\HeavyDuty.sbi (*)
2012-11-14 Includes\Hijackers.sbi (*)
2013-04-11 Includes\HijackersC.sbi (*)
2012-11-14 Includes\iPhone.sbi (*)
2013-06-25 Includes\Keyloggers.sbi (*)
2013-04-11 Includes\KeyloggersC.sbi (*)
2013-05-29 Includes\Malware.sbi (*)
2013-08-06 Includes\MalwareC.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2013-08-06 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2012-11-14 Includes\Security.sbi (*)
2013-04-11 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2013-05-22 Includes\Spyware.sbi (*)
2013-08-06 Includes\SpywareC.sbi (*)
2012-11-19 Includes\Tracks.uti
2013-01-16 Includes\Trojans.sbi (*)
2013-07-11 Includes\TrojansC-02.sbi (*)
2013-07-31 Includes\TrojansC-03.sbi (*)
2013-08-06 Includes\TrojansC-04.sbi (*)
2013-06-13 Includes\TrojansC-05.sbi (*)
2013-08-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
         

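As an added example that is not part of this thread (neither Spybot's nor Trojaner-Board's code): a small Python parser for the Spybot 1.6 report format shown above. It turns each detection block into a structured record (family, SBI id, kind, action, target, Properties.*), lists entries whose action is still "nothing done" so the later quarantine step can be checked against them, and collects MD5/size pairs for File entries for a hash-database lookup. The embedded sample is copied from the four detection blocks above; the statement that Properties.filedatetext is local time (CEST, UTC+2) is an assumption about the machine's time zone.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sample input: the four detection blocks from the Spybot report posted above,
# username masked as in the post (copied from the page, not newly constructed).
SAMPLE_REPORT = r"""--- Report generated: 2013-08-12 22:00 ---

Win32.Downloader.gen: [SBI $F03796FC] IE start page (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-3666680677-634416668-595475190-1000\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

Win32.Downloader.gen: [SBI $E6AD2227] Program directory (Directory, nothing done)
  C:\Users\*****\AppData\Local\Conduit\

Win32.Downloader.gen: [SBI $F65FFCFA]  Library (File, nothing done)
  C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll
  Properties.size=638560
  Properties.md5=6796F6E449F90A543DC3345538ACC46F
  Properties.filedate=1308838846
  Properties.filedatetext=2011-06-23 16:20:46

Win32.Downloader.gen: [SBI $82F4FAFD]  Data (File, nothing done)
  C:\END
  Properties.size=9
  Properties.md5=A103FDF7348130EF3F3FEF56B1700A27
  Properties.filedate=1344676346
  Properties.filedatetext=2012-08-11 11:12:25

--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---
"""


@dataclass
class Finding:
    family: str          # detection name, e.g. Win32.Downloader.gen
    sbi_id: str          # Spybot signature id from the [SBI $....] tag
    description: str     # free-text label, e.g. "IE start page"
    kind: str            # Registry change / Directory / File
    action: str          # what Spybot did at scan time, e.g. "nothing done"
    target: str = ""     # registry value or filesystem path
    properties: dict = field(default_factory=dict)  # Properties.* key/values


HEADER_RE = re.compile(
    r"^(?P<family>[^:\s][^:]*): \[SBI \$(?P<sbi>[0-9A-Fa-f]{8})\]\s+"
    r"(?P<desc>.+?)\s+\((?P<kind>[^,]+), (?P<action>[^)]+)\)\s*$"
)
GENERATED_RE = re.compile(r"^--- Report generated: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ---$")


def parse_spybot_report(text):
    """Return (report timestamp, list of Finding) for a Spybot 1.6 text report."""
    generated = None
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = GENERATED_RE.match(line)
        if m:
            generated = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            continue
        if line.startswith("--- "):
            break  # the version/definition listing follows; no more detections
        m = HEADER_RE.match(line)
        if m:
            current = Finding(m["family"], m["sbi"], m["desc"], m["kind"], m["action"])
            findings.append(current)
            continue
        if current is None or not raw.startswith("  "):
            continue  # stray line outside a detection block
        body = line.strip()
        if body.startswith("Properties."):
            key, _, value = body[len("Properties."):].partition("=")
            current.properties[key] = value
        elif not current.target:
            current.target = body  # first indented line is the registry value or path
    return generated, findings


def pending_actions(findings):
    """Findings the scanner only reported; removal/quarantine must be confirmed separately."""
    return [f for f in findings if f.action == "nothing done"]


def file_hashes(findings):
    """Map path -> (MD5, size) for File findings, e.g. for a hash-database lookup."""
    out = {}
    for f in findings:
        if f.kind == "File" and "md5" in f.properties:
            out[f.target] = (f.properties["md5"].upper(), int(f.properties["size"]))
    return out


def filedate_utc(finding):
    """Properties.filedate is a Unix epoch; return it as an aware UTC datetime.
    Properties.filedatetext is the same instant rendered in the machine's local
    time (assumed here to be CEST, UTC+2), so it reads two hours later."""
    return datetime.fromtimestamp(int(finding.properties["filedate"]), tz=timezone.utc)


if __name__ == "__main__":
    when, items = parse_spybot_report(SAMPLE_REPORT)
    print(f"report from {when}: {len(items)} findings, "
          f"{len(pending_actions(items))} not acted on at scan time")
    for path, (md5, size) in file_hashes(items).items():
        print(f"  {path}  md5={md5} size={size}  mtime(UTC)={filedate_utc(items[2])}")
```

Run it as a script to get the summary, or import it and feed it any saved Spybot 1.6 report; the "nothing done" filter is the list to compare against what actually ended up in quarantine afterwards.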
Alt 15.08.2013, 13:13   #8
schrauber
/// the machine
/// TB-Ausbilder
 




ComboFix should only be run when a team member has instructed you to do so!
Please download ComboFix from the following download mirror

Link 1


IMPORTANT - Save ComboFix to your desktop
  • Please disable all of your antivirus and anti-malware/spyware scanners. They can interfere with ComboFix while it works.
Run ComboFix.exe and follow the on-screen instructions.

When ComboFix is finished it will create a log file. Please post C:\Combofix.txt in your next reply.


Note: If you get the following error message after the restart
Quote:
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
simply restart the computer. That should fix the problem.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

No support via PM!

Alt 15.08.2013, 19:01   #9
TobiT
 



Thanks. Here is the ComboFix log:

ComboFix logfile:
Code:
ComboFix 13-08-14.02 - ***** 15.08.2013  18:36:06.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.4087.2485 [GMT 2:00]
ausgeführt von:: c:\users\*****\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\AVM
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\AVM Stick & Surf.gif
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\avmacc64.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\avmadd64.DLL
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\avmeject.sys
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\AVM Stick & Surf.gif
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\avmacc32.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\avmsysnet.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\avmwlapi.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\FRITZ!WLAN.chm
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\FRITZ!WLAN_N.chm
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\instwcli.exe
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\instwcli.inf
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\prehook.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\readme.htm
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\wlangui.exe
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\wlangui.ini
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\client\wlannetservice.exe
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlan.cat
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlan4.cat
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlan464.inf
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlan4ci.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlan64.inf
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlanci.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlanusb.sys
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlanusb4.bin
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlanusb4.sys
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlanusbn.bin
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwlanusbn_wxp.sys
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\FwUSB1b.bin
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwusbn.cat
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwusbn64.inf
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\fwusbnci.dll
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\readme.htm
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\setup.exe
c:\program files (x86)\AVM\AVM_FRITZ!WLAN_USB_Stick_x64_Build100906\Setup.ini
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\users\*****\AppData\Local\Temp\nssF769.tmp\System.dll
c:\users\*****\AppData\Local\Temp\nssF769.tmp\System.dll
c:\windows\Installer\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}\Icon09DB8A851.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-07-15 bis 2013-08-15  ))))))))))))))))))))))))))))))
.
.
2013-08-15 16:42 . 2013-08-15 16:42	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-08-14 17:50 . 2013-08-14 17:50	--------	d-----w-	c:\program files (x86)\7-Zip
2013-08-14 16:38 . 2013-08-14 16:38	--------	d-----w-	C:\FRST
2013-08-14 15:58 . 2013-08-14 15:58	--------	d-----w-	c:\program files (x86)\Common Files\Adobe
2013-08-14 15:37 . 2013-07-09 05:46	1472512	----a-w-	c:\windows\system32\crypt32.dll
2013-08-14 15:37 . 2013-07-09 05:52	224256	----a-w-	c:\windows\system32\wintrust.dll
2013-08-14 15:37 . 2013-07-09 05:46	184320	----a-w-	c:\windows\system32\cryptsvc.dll
2013-08-14 15:37 . 2013-07-09 05:46	139776	----a-w-	c:\windows\system32\cryptnet.dll
2013-08-14 15:37 . 2013-07-09 04:52	175104	----a-w-	c:\windows\SysWow64\wintrust.dll
2013-08-14 15:37 . 2013-07-09 04:46	140288	----a-w-	c:\windows\SysWow64\cryptsvc.dll
2013-08-14 15:37 . 2013-07-09 04:46	1166848	----a-w-	c:\windows\SysWow64\crypt32.dll
2013-08-14 15:37 . 2013-07-09 04:46	103936	----a-w-	c:\windows\SysWow64\cryptnet.dll
2013-08-13 16:08 . 2013-07-02 08:34	9460976	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{2BC6633F-C43C-41FC-8565-6C8ABF56D98C}\mpengine.dll
2013-08-13 12:45 . 2013-08-13 16:06	--------	d-----w-	c:\programdata\Kaspersky Lab
2013-08-12 20:18 . 2013-08-14 16:08	--------	d-----w-	c:\windows\system32\MRT
2013-08-11 17:54 . 2013-08-11 17:54	--------	d-----w-	c:\users\*****\AppData\Local\ElevatedDiagnostics
2013-08-06 17:53 . 2013-08-06 17:53	--------	d-----w-	c:\users\*****\AppData\Roaming\Avira
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-14 16:06 . 2011-04-29 10:04	78161360	----a-w-	c:\windows\system32\MRT.exe
2013-07-16 21:44 . 2012-03-31 08:07	692104	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-16 21:44 . 2011-05-19 07:00	71048	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-09 04:45 . 2013-08-14 15:36	44032	----a-w-	c:\windows\apppatch\acwow64.dll
2013-07-01 18:11 . 2013-07-01 18:11	96168	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-01 18:11 . 2012-05-06 15:13	867240	----a-w-	c:\windows\SysWow64\npdeployJava1.dll
2013-07-01 18:11 . 2011-08-28 13:26	789416	----a-w-	c:\windows\SysWow64\deployJava1.dll
2013-06-05 03:34 . 2013-07-11 12:09	3153920	----a-w-	c:\windows\system32\win32k.sys
2013-06-04 06:00 . 2013-07-11 12:10	624128	----a-w-	c:\windows\system32\qedit.dll
2013-06-04 04:53 . 2013-07-11 12:10	509440	----a-w-	c:\windows\SysWow64\qedit.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	130736	----a-w-	c:\users\*****\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	130736	----a-w-	c:\users\*****\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	130736	----a-w-	c:\users\*****\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-02-01 18:03	120176	----a-w-	c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot\TeaTimer.exe" [2009-03-05 2260480]
"Miranda Fusion"="c:\program files (x86)\MirandaFusion\fusiontools\mfstart.exe" [2012-06-12 1122241]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-02-01 337264]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2009-12-25 201512]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2009-12-25 401192]
"Hotkey Utility"="c:\program files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe" [2010-08-04 611872]
"MDS_Menu"="c:\program files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"ArcadeMovieService"="c:\program files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe" [2010-02-05 124136]
"AVMWlanClient"="c:\program files (x86)\avmwlanstick\wlangui.exe" [2010-10-22 2105344]
"DataCardMonitor"="c:\program files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe" [2011-11-22 253952]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2013-03-28 450560]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-12-19 642808]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
c:\users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\*****\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-25 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 aswVmm;aswVmm; [x]
R3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys;c:\windows\SYSNATIVE\drivers\avmeject.sys [x]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDVDisk.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe;c:\program files (x86)\Acer\Registration\GregHSRW.exe [x]
S2 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 PDF Architect Helper Service;PDF Architect Helper Service;c:\program files (x86)\PDF Architect\HelperService.exe;c:\program files (x86)\PDF Architect\HelperService.exe [x]
S2 PDF Architect Service;PDF Architect Service;c:\program files (x86)\PDF Architect\ConversionService.exe;c:\program files (x86)\PDF Architect\ConversionService.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot\SDWinSec.exe;c:\program files (x86)\Spybot\SDWinSec.exe [x]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
S2 USBS3S4Detection;USBS3S4Detection;c:\oem\USBDECTION\USBS3S4Detection.exe;c:\oem\USBDECTION\USBS3S4Detection.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\DRIVERS\fwlanusb.sys;c:\windows\SYSNATIVE\DRIVERS\fwlanusb.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 21:44]
.
2013-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-22 12:18]
.
2013-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-22 12:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32	133840	----a-w-	c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	164016	----a-w-	c:\users\Dr *****\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	164016	----a-w-	c:\users\Dr *****\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	164016	----a-w-	c:\users\Dr *****\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36	164016	----a-w-	c:\users\Dr *****\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-02-01 18:06	137584	----a-w-	c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mwlDaemon"="c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe" [2010-02-01 349552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-24 9642528]
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Citavi Picker... - file://c:\programdata\Swiss Academic Software\Citavi Picker\Internet Explorer\ShowContextMenu.html
IE: Free YouTube to MP3 Converter - c:\users\*****\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{09152f0b-739c-4dec-a245-1aa8a37594f1} - (no file)
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-3666680677-634416668-595475190-1000\Software\SecuROM\License information*]
"datasecu"=hex:6e,42,eb,92,66,9c,25,20,92,51,72,ae,06,df,d9,7e,a7,e8,d8,9e,f2,
   40,75,96,a7,8d,9b,23,87,9b,99,f4,56,15,3e,83,02,f2,9e,cf,f9,42,dc,57,f6,46,\
"rkeysecu"=hex:f5,80,0b,9a,47,5f,30,25,fc,82,41,bf,05,26,5b,a5
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\avmwlanstick\WlanNetService.exe
c:\program files (x86)\Cisco VPN Client\cvpnd.exe
c:\program files (x86)\Cyberlink\Shared files\RichVideo.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2013-08-15  18:51:37 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2013-08-15 16:51
.
Vor Suchlauf: 11 Verzeichnis(se), 131.863.638.016 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 132.393.197.568 Bytes frei
.
- - End Of File - - 64F2951DB0A56EF1F88113C78CF8D71E
--- --- ---
D41D8CD98F00B204E9800998ECF8427E
         

Last edited by TobiT (15.08.2013 at 19:31)

Old 15.08.2013, 21:07   #10
schrauber
/// the machine
/// TB Trainer



Please download Malwarebytes Anti-Malware
  • Install the program to the default path. (Illustrated guide to MBAM)
  • Start Malwarebytes' Anti-Malware (MBAM).
  • Then click Scan, select the Threat Scan and click Start Scan.
  • At the end of the scan, have all detections (if any) moved to quarantine. To do this, click Remove Selected.
  • If necessary, let your computer restart to complete the cleanup.
  • Start MBAM, click History and then Application Logs.
  • Select the most recent scan log and click Export. Choose Text file (.txt) and save the file as mbam.txt on the desktop. You can find the MBAM logfile here.
  • Include the contents of mbam.txt with your next reply.


Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will restart automatically. After the restart a text file will open. Post its contents with your next reply.
  • You can also find the logfile under C:\AdwCleaner\AdwCleaner[Cx].txt. (x = sequential number).

Please close your protection software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop

  • Start the tool with a double-click. On Windows Vista (or higher) please start it via right-click "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan may take a while.
  • When the tool is finished, the logfile (JRT.txt) is saved on the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.


and a fresh FRST log please.
__________________
regards,
schrauber

Old 16.08.2013, 00:23   #11
TobiT



Thanks

Malwarebytes:

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.08.15.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
***** :: *****-PC [Administrator]

15.08.2013 23:50:33
mbam-log-2013-08-15 (23-50-33).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 253836
Laufzeit: 4 Minute(n), 11 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
         
Adw-Cleaner:

AdwCleaner Logfile:
Code:
# AdwCleaner v2.306 - Datei am 16/08/2013 um 00:00:39 erstellt
# Aktualisiert am 19/07/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : ***** - *****-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\******\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Ordner Gelöscht : C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Ordner Gelöscht : C:\Program Files (x86)\Conduit
Ordner Gelöscht : C:\ProgramData\Partner
Ordner Gelöscht : C:\ProgramData\Premium
Ordner Gelöscht : C:\Users\*****\AppData\LocalLow\boost_interprocess
Ordner Gelöscht : C:\Users\*****\AppData\LocalLow\Conduit
Ordner Gelöscht : C:\Users\*****\AppData\Roaming\dvdvideosoftiehelpers
Ordner Gelöscht : C:\Users\*****\AppData\Roaming\pdfforge

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\SmartBar
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar.CT3197087
Schlüssel Gelöscht : HKLM\Software\Conduit
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{25A3A431-30BB-47C8-AD6A-E1063801134F}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Wert Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{25A3A431-30BB-47C8-AD6A-E1063801134F}]

***** [Internet Browser] *****

-\\ Internet Explorer v10.0.9200.16660

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v22.0 (de)

Datei : C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default\prefs.js

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [2687 octets] - [16/08/2013 00:00:39]

########## EOF - C:\AdwCleaner[S1].txt - [2747 octets] ##########
         
Junkware Removal Tool

Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.4.6 (08.15.2013:1)
OS: Windows 7 Home Premium x64
Ran by ***** on 16.08.2013 at  0:10:08,76
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\*****\AppData\Roaming\mozilla\firefox\profiles\kx6q9p3p.default\minidumps [46 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 16.08.2013 at  0:14:40,71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         
New FRST log:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-08-2013 01
Ran by ***** (administrator) on 16-08-2013 00:19:53
Running from C:\Users\*****\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVM Berlin) C:\Program Files (x86)\avmwlanstick\WlanNetService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot\SDWinSec.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Miranda Fusion Team) C:\Program Files (x86)\MirandaFusion\fusiontools\mfstart.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(modified by Miranda Fusion Team) C:\Program Files (x86)\MirandaFusion\miranda32.exe
() C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
(AVM Berlin) C:\Program Files (x86)\avmwlanstick\WLanGUI.exe
(Huawei Technologies Co., Ltd.) C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(VideoLAN) C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9642528 2010-02-24] (Realtek Semiconductor)
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [Miranda Fusion] - C:\Program Files (x86)\MirandaFusion\fusiontools\mfstart.exe [1122241 2012-06-12] (Miranda Fusion Team)
HKLM-x32\...\Run: [SuiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-25] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-25] (Egis Technology Inc.)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()
HKLM-x32\...\Run: [MDS_Menu] - C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [ArcadeMovieService] - C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe [124136 2010-02-05] (CyberLink Corp.)
HKLM-x32\...\Run: [AVMWlanClient] - C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-22] (AVM Berlin)
HKLM-x32\...\Run: [DataCardMonitor] - C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe [253952 2011-11-22] (Huawei Technologies Co., Ltd.)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4767304 2013-03-07] (AVAST Software)
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-03-28] (DivX, LLC)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-13] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-15] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-15] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\*****\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
BHO: avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: PDF Architect Helper - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Spybot\SDHelper.dll (Safer Networking Limited)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: SwissAcademic.Citavi.Picker.IEPicker - {609D670F-B735-4da7-AC6D-F3BD358E325E} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: msdaipp - No CLSID Value - 
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: msdaipp - No CLSID Value - 
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [{8AA36F4F-6DC7-4c06-77AF-5035170634FE}] C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox
FF Extension: Citavi Picker - C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! WebRep - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt

==================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [45248 2013-03-07] (AVAST Software)
R2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-22] (AVM Berlin)
R2 CVPND; C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe [1529856 2011-03-04] (Cisco Systems, Inc.)
R2 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-02-03] ()
R2 SBSDWSCService; C:\Program Files (x86)\Spybot\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-03-07] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-03-07] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [70992 2013-03-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-03-07] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1025808 2013-03-07] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [377920 2013-03-07] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [68920 2013-03-07] (AVAST Software)
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178624 2013-03-07] ()
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-04-26] ()
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-08] (Avira GmbH)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-09-16] (Avira GmbH)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2011-11-02] (DT Soft Ltd)
R3 FWLANUSB; C:\Windows\System32\DRIVERS\fwlanusb.sys [460800 2010-10-22] (AVM GmbH)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-04-26] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S1 tcpipBM; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-16 00:10 - 2013-08-16 00:10 - 00000000 ____D C:\Windows\ERUNT
2013-08-16 00:09 - 2013-08-16 00:09 - 01159319 _____ (Thisisu) C:\Users\*****\Desktop\JRT(1).exe
2013-08-16 00:06 - 2013-08-16 00:06 - 00002784 _____ C:\Users\*****\Desktop\AdwCleaner[S1].txt
2013-08-16 00:00 - 2013-08-16 00:01 - 00002814 _____ C:\AdwCleaner[S1].txt
2013-08-15 23:59 - 2013-08-15 23:59 - 00666633 _____ C:\Users\*****\Desktop\adwcleaner.exe
2013-08-15 23:48 - 2013-08-15 23:48 - 00001113 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-15 23:48 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-08-15 23:43 - 2013-08-15 23:43 - 00000000 _____ C:\Users\*****\Downloads\JRT.exe
2013-08-15 23:42 - 2013-08-15 23:43 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\*****\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-15 18:51 - 2013-08-15 18:51 - 00025007 _____ C:\ComboFix.txt
2013-08-15 18:33 - 2013-08-15 18:51 - 00000000 ____D C:\Qoobox
2013-08-15 18:33 - 2013-08-15 18:50 - 00000000 ____D C:\Windows\erdnt
2013-08-15 18:33 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2013-08-15 18:33 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2013-08-15 18:33 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2013-08-15 18:31 - 2013-08-15 18:31 - 05104931 ____R (Swearware) C:\Users\*****\Desktop\ComboFix.exe
2013-08-14 19:54 - 2013-08-14 19:55 - 00000000 ____D C:\Users\*****\Desktop\Neuer Ordner
2013-08-14 19:53 - 2013-08-14 19:53 - 00023016 _____ C:\Users\*****\Desktop\Desktop.7z
2013-08-14 19:50 - 2013-08-14 19:50 - 00000000 ____D C:\Program Files (x86)\7-Zip
2013-08-14 19:48 - 2013-08-14 19:48 - 01110476 _____ C:\Users\*****\Downloads\7z920.exe
2013-08-14 19:30 - 2013-08-14 21:51 - 00002790 _____ C:\Users\*****\Desktop\SpybotSD.Report.txt
2013-08-14 18:55 - 2013-08-14 19:43 - 00411625 _____ C:\Users\*****\Desktop\Gmer.txt
2013-08-14 18:40 - 2013-08-14 18:40 - 00377856 _____ C:\Users\*****\Desktop\gmer_2.1.19163.exe
2013-08-14 18:39 - 2013-08-14 19:49 - 00024018 _____ C:\Users\*****\Desktop\Addition.txt
2013-08-14 18:38 - 2013-08-14 18:38 - 00000000 ____D C:\FRST
2013-08-14 18:37 - 2013-08-14 18:37 - 01575570 _____ (Farbar) C:\Users\*****\Desktop\FRST64.exe
2013-08-14 18:36 - 2013-08-16 00:08 - 00000480 _____ C:\Users\*****\Desktop\defogger_disable.log
2013-08-14 18:36 - 2013-08-14 18:36 - 00000000 _____ C:\Users\*****\defogger_reenable
2013-08-14 18:34 - 2013-08-14 18:34 - 00050477 _____ C:\Users\*****\Desktop\Defogger.exe
2013-08-14 18:23 - 2013-08-14 18:23 - 00001070 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-14 18:12 - 2013-07-26 07:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-14 18:12 - 2013-07-26 07:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-14 18:12 - 2013-07-26 07:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-08-14 18:12 - 2013-07-26 07:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-08-14 18:12 - 2013-07-26 05:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-14 18:12 - 2013-07-26 05:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 18:12 - 2013-07-26 05:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 18:12 - 2013-07-26 05:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 18:12 - 2013-07-26 05:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 18:12 - 2013-07-26 04:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 18:12 - 2013-07-26 04:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-08-14 18:12 - 2013-07-26 03:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 18:03 - 2013-08-14 18:03 - 23003252 _____ C:\Users\*****\Downloads\vlc-2.0.8-win32.exe
2013-08-14 17:59 - 2013-08-14 17:59 - 00002023 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-08-14 17:37 - 2013-07-09 07:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 17:37 - 2013-07-09 06:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 17:36 - 2013-07-25 11:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-08-14 17:36 - 2013-07-25 10:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 17:36 - 2013-07-19 03:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-14 17:36 - 2013-07-19 03:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 17:36 - 2013-07-09 08:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 17:36 - 2013-07-09 07:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 17:36 - 2013-07-09 07:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-08-14 17:36 - 2013-07-09 07:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 17:36 - 2013-07-09 07:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 17:36 - 2013-07-09 07:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 17:36 - 2013-07-09 06:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 17:36 - 2013-07-09 06:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 17:36 - 2013-07-09 06:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 17:36 - 2013-07-09 04:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 17:36 - 2013-07-09 04:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 17:36 - 2013-07-09 04:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 17:36 - 2013-07-09 04:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 17:36 - 2013-07-06 08:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 17:36 - 2013-06-15 06:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-08-13 18:08 - 2013-08-13 18:08 - 00002077 _____ C:\Users\*****\Desktop\Entfernen des Avira DE-Cleaners.lnk
2013-08-13 18:08 - 2013-08-13 18:08 - 00002006 _____ C:\Users\*****\Desktop\Avira DE-Cleaner.lnk
2013-08-13 14:45 - 2013-08-13 18:06 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-13 13:53 - 2013-08-13 13:54 - 00883840 _____ C:\Users\*****\Downloads\Avira-DE100-Cleaner.exe
2013-08-13 13:52 - 2013-08-13 13:54 - 78816192 _____ (                                                            ) C:\Users\*****\Downloads\de_cleaner_kaspersky.exe
2013-08-12 22:18 - 2013-08-14 18:08 - 00000000 ____D C:\Windows\system32\MRT
2013-08-06 19:53 - 2013-08-06 19:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\Avira
2013-07-30 14:50 - 2013-07-30 14:52 - 00000000 ____D C:\Users\*****\Desktop\susi tasse
2013-07-24 10:27 - 2013-07-24 10:27 - 01069944 _____ (Solid State Networks) C:\Users\*****\Downloads\install_reader11_de_mssd_aaa_aih.exe
2013-07-23 14:35 - 2013-07-23 15:48 - 00013824 _____ C:\Users\*****\Documents\Gebfeier 2013_Teilnahmeliste.xls

==================== One Month Modified Files and Folders =======

2013-08-16 00:14 - 2013-08-16 00:14 - 00001026 _____ C:\Users\*****\Desktop\JRT.txt
2013-08-16 00:10 - 2013-08-16 00:10 - 00000000 ____D C:\Windows\ERUNT
2013-08-16 00:09 - 2013-08-16 00:09 - 01159319 _____ (Thisisu) C:\Users\*****\Desktop\JRT(1).exe
2013-08-16 00:09 - 2009-07-14 06:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-16 00:09 - 2009-07-14 06:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-16 00:08 - 2013-08-14 18:36 - 00000480 _____ C:\Users\*****\Desktop\defogger_disable.log
2013-08-16 00:07 - 2011-04-27 04:23 - 00654150 _____ C:\Windows\system32\perfh007.dat
2013-08-16 00:07 - 2011-04-27 04:23 - 00130022 _____ C:\Windows\system32\perfc007.dat
2013-08-16 00:07 - 2009-07-14 07:13 - 01498742 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-16 00:06 - 2013-08-16 00:06 - 00002784 _____ C:\Users\*****\Desktop\AdwCleaner[S1].txt
2013-08-16 00:04 - 2011-05-22 14:18 - 00001110 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-16 00:03 - 2011-04-26 20:02 - 00000000 ____D C:\Users\*****\AppData\Roaming\Dropbox
2013-08-16 00:02 - 2011-12-14 19:59 - 00052947 _____ C:\Windows\setupact.log
2013-08-16 00:02 - 2011-05-22 14:18 - 00001106 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-16 00:02 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-16 00:01 - 2013-08-16 00:00 - 00002814 _____ C:\AdwCleaner[S1].txt
2013-08-16 00:01 - 2011-04-26 18:40 - 01333930 _____ C:\Windows\WindowsUpdate.log
2013-08-15 23:59 - 2013-08-15 23:59 - 00666633 _____ C:\Users\*****\Desktop\adwcleaner.exe
2013-08-15 23:57 - 2011-04-26 21:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\vlc
2013-08-15 23:48 - 2013-08-15 23:48 - 00001113 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-15 23:43 - 2013-08-15 23:43 - 00000000 _____ C:\Users\*****\Downloads\JRT.exe
2013-08-15 23:43 - 2013-08-15 23:42 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\*****\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-15 19:30 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2013-08-15 19:26 - 2013-03-23 12:52 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-15 18:51 - 2013-08-15 18:51 - 00025007 _____ C:\ComboFix.txt
2013-08-15 18:51 - 2013-08-15 18:33 - 00000000 ____D C:\Qoobox
2013-08-15 18:51 - 2009-07-14 05:20 - 00000000 __RHD C:\Users\Default
2013-08-15 18:50 - 2013-08-15 18:33 - 00000000 ____D C:\Windows\erdnt
2013-08-15 18:46 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2013-08-15 18:44 - 2012-03-24 01:03 - 00097180 _____ C:\Windows\PFRO.log
2013-08-15 18:31 - 2013-08-15 18:31 - 05104931 ____R (Swearware) C:\Users\*****\Desktop\ComboFix.exe
2013-08-15 00:04 - 2011-09-12 21:30 - 00003958 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E0CB425A-65F4-4C06-90FA-73791B2C1B6D}
2013-08-14 21:51 - 2013-08-14 19:30 - 00002790 _____ C:\Users\*****\Desktop\SpybotSD.Report.txt
2013-08-14 19:55 - 2013-08-14 19:54 - 00000000 ____D C:\Users\*****\Desktop\Neuer Ordner
2013-08-14 19:53 - 2013-08-14 19:53 - 00023016 _____ C:\Users\*****\Desktop\Desktop.7z
2013-08-14 19:50 - 2013-08-14 19:50 - 00000000 ____D C:\Program Files (x86)\7-Zip
2013-08-14 19:49 - 2013-08-14 18:39 - 00024018 _____ C:\Users\*****\Desktop\Addition.txt
2013-08-14 19:48 - 2013-08-14 19:48 - 01110476 _____ C:\Users\*****\Downloads\7z920.exe
2013-08-14 19:43 - 2013-08-14 18:55 - 00411625 _____ C:\Users\*****\Desktop\Gmer.txt
2013-08-14 18:40 - 2013-08-14 18:40 - 00377856 _____ C:\Users\*****\Desktop\gmer_2.1.19163.exe
2013-08-14 18:38 - 2013-08-14 18:38 - 00000000 ____D C:\FRST
2013-08-14 18:37 - 2013-08-14 18:37 - 01575570 _____ (Farbar) C:\Users\*****\Desktop\FRST64.exe
2013-08-14 18:36 - 2013-08-14 18:36 - 00000000 _____ C:\Users\*****\defogger_reenable
2013-08-14 18:36 - 2011-04-26 18:53 - 00000000 ____D C:\Users\*****
2013-08-14 18:34 - 2013-08-14 18:34 - 00050477 _____ C:\Users\*****\Desktop\Defogger.exe
2013-08-14 18:23 - 2013-08-14 18:23 - 00001070 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-14 18:08 - 2013-08-12 22:18 - 00000000 ____D C:\Windows\system32\MRT
2013-08-14 18:06 - 2011-04-29 12:04 - 78161360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-08-14 18:03 - 2013-08-14 18:03 - 23003252 _____ C:\Users\*****\Downloads\vlc-2.0.8-win32.exe
2013-08-14 18:02 - 2011-04-26 19:41 - 00000000 ____D C:\Users\DRTHRE~1\AppData\Local\Adobe
2013-08-14 17:59 - 2013-08-14 17:59 - 00002023 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-08-14 17:58 - 2010-05-12 14:25 - 00000000 ____D C:\ProgramData\Adobe
2013-08-14 17:58 - 2010-05-12 14:25 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-08-13 18:08 - 2013-08-13 18:08 - 00002077 _____ C:\Users\*****\Desktop\Entfernen des Avira DE-Cleaners.lnk
2013-08-13 18:08 - 2013-08-13 18:08 - 00002006 _____ C:\Users\*****\Desktop\Avira DE-Cleaner.lnk
2013-08-13 18:08 - 2011-04-26 18:57 - 00000000 ___RD C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-13 18:06 - 2013-08-13 14:45 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-13 13:54 - 2013-08-13 13:53 - 00883840 _____ C:\Users\*****\Downloads\Avira-DE100-Cleaner.exe
2013-08-13 13:54 - 2013-08-13 13:52 - 78816192 _____ (                                                            ) C:\Users\*****\Downloads\de_cleaner_kaspersky.exe
2013-08-13 07:28 - 2011-04-26 20:02 - 00000000 ____D C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-08-13 07:28 - 2011-04-26 19:50 - 00000000 ____D C:\Program Files (x86)\MirandaFusion
2013-08-13 07:28 - 2011-04-26 19:32 - 00000000 ____D C:\Program Files (x86)\Spybot
2013-08-13 07:28 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2013-08-13 07:28 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\AppCompat
2013-08-13 07:27 - 2012-03-24 01:05 - 00000000 ____D C:\ProgramData\Avira
2013-08-13 07:27 - 2012-03-24 01:05 - 00000000 ____D C:\Program Files (x86)\Avira
2013-08-13 07:27 - 2011-04-26 20:05 - 00000000 ___RD C:\Users\*****\Dropbox
2013-08-12 21:32 - 2012-08-31 14:38 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2013-08-12 21:32 - 2012-08-31 14:38 - 00001926 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-08-12 21:32 - 2011-07-06 08:26 - 00000000 _____ C:\Windows\SysWOW64\config.nt
2013-08-12 21:31 - 2011-04-26 19:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-08-08 19:09 - 2012-06-25 22:21 - 00016896 _____ C:\Users\*****\Documents\Festivalmitnahmeliste.xls
2013-08-06 22:08 - 2012-02-06 17:26 - 00000000 ____D C:\Users\*****\Documents\CVs
2013-08-06 19:53 - 2013-08-06 19:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\Avira
2013-08-01 21:49 - 2013-07-14 13:39 - 00000000 ____D C:\Users\*****\Documents\Orte
2013-08-01 12:36 - 2012-03-30 15:26 - 00002272 ____H C:\Users\*****\Documents\Default.rdp
2013-07-30 14:52 - 2013-07-30 14:50 - 00000000 ____D C:\Users\*****\Desktop\susi tasse
2013-07-27 12:39 - 2011-05-09 22:02 - 00000000 ____D C:\Users\*****\Documents\Finanzen
2013-07-26 07:13 - 2013-08-14 18:12 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-26 07:13 - 2013-08-14 18:12 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-26 07:13 - 2013-08-14 18:12 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-07-26 07:12 - 2013-08-14 18:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-07-26 05:35 - 2013-08-14 18:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-26 05:13 - 2013-08-14 18:12 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-26 05:13 - 2013-08-14 18:12 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-26 05:11 - 2013-08-14 18:12 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-26 05:11 - 2013-08-14 18:12 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-26 04:49 - 2013-08-14 18:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-26 04:39 - 2013-08-14 18:12 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-07-26 03:59 - 2013-08-14 18:12 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-25 11:25 - 2013-08-14 17:36 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-25 10:57 - 2013-08-14 17:36 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-24 10:27 - 2013-07-24 10:27 - 01069944 _____ (Solid State Networks) C:\Users\*****\Downloads\install_reader11_de_mssd_aaa_aih.exe
2013-07-23 15:48 - 2013-07-23 14:35 - 00013824 _____ C:\Users\*****\Documents\Gebfeier 2013_Teilnahmeliste.xls
2013-07-19 03:58 - 2013-08-14 17:36 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-07-19 03:41 - 2013-08-14 17:36 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-13 01:45

==================== End Of Log ============================
         

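The "Bamital & volsnap Check" in the log above compares the MD5 of a handful of critical Windows binaries with known-good values, and the services and drivers sections of these FRST logs are what the helper reads by hand. As an added example, not part of this thread and not code from the FRST tool, here is a small Python triage script that parses those line formats and flags the entries a log reader looks at first: a service or driver entry with no image path, an image missing on disk (`[x]`), an image with no publisher in its version info (`()`), an image outside the Windows and Program Files trees, and a critical-file check whose verdict is anything other than the exact string "MD5 is legit". The embedded sample log is constructed from lines in the FRST logs posted in this thread; the list of "trusted" locations and the wording of the reasons are my own assumptions.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example, not part of this thread and not FRST's own code. It parses the
'Services'/'Drivers' and 'Bamital & volsnap Check' line formats seen in the
logs posted here and returns the entries a log reader looks at first. Every
hit is a reading prompt, not a verdict.
"""
import re
from typing import Dict, List

# "R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)"
# "S1 tcpipBM; No ImagePath"
SERVICE_RE = re.compile(r"^(?P<start>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# "<path> [<size> <date>] (<publisher>)"   or   "<path> [x]"  (image missing on disk)
IMAGE_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\](?:\s*\((?P<publisher>[^)]*)\))?$")
# "C:\Windows\System32\winlogon.exe => MD5 is legit"
MD5_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s*=>\s*(?P<verdict>.+?)\s*$")

# Assumption for this example: images outside these trees deserve a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) and lower-case for prefix tests."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage_service_line(line: str) -> List[str]:
    """Reasons a service/driver line deserves a closer look (empty list = unremarkable)."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    rest = m.group("rest").strip()
    if rest == "No ImagePath":
        return ["no image path (registry entry points at nothing)"]
    im = IMAGE_RE.match(rest)
    if not im:
        return ["unparsed image field: " + rest]
    path, meta, publisher = im.group("path"), im.group("meta").strip(), im.group("publisher")
    reasons = []
    if meta == "x":
        reasons.append("image file missing on disk")
    if publisher is not None and publisher.strip() == "":
        reasons.append("no publisher in version info")
    if not normalize_path(path).startswith(TRUSTED_PREFIXES):
        reasons.append("image outside Windows/Program Files: " + path)
    return reasons


def triage_md5_line(line: str) -> List[str]:
    """Flag a critical-file check whose verdict is anything but the exact 'MD5 is legit'."""
    m = MD5_RE.match(line)
    if not m:
        return []
    verdict = m.group("verdict")
    return [] if verdict == "MD5 is legit" else ["critical file check: " + verdict]


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry (service name or checked file path) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        sm = SERVICE_RE.match(line)
        if sm:
            reasons = triage_service_line(line)
            if reasons:
                findings[sm.group("name").strip()] = reasons
            continue
        mm = MD5_RE.match(line)
        if mm:
            reasons = triage_md5_line(line)
            if reasons:
                findings[mm.group("path")] = reasons
    return findings


# Constructed sample: lines in the FRST format, taken from the logs posted in this thread.
SAMPLE_LOG = r"""
==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-04-26] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S1 tcpipBM; No ImagePath

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

Hits are prompts to read, not findings of malware: on this machine the catchme entry is an orphaned service entry left behind by ComboFix (which the file list shows was run on 15.08.2013), and unsigned third-party drivers such as atksgt are common on consumer systems. That is exactly why the helpers in this thread ask for the complete log rather than a filtered one.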
16.08.2013, 09:43   #12
schrauber
/// the machine
/// TB Trainer

ESET Online Scanner

  • An illustrated guide to ESET Online Scanner can be found here
  • Download and start ESET Online Scanner
  • Tick "Yes, I accept the Terms of Use" and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • When the scan has finished, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Please download SecurityCheck and:

  • Save it to the desktop.
  • Run SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
Please post its contents here.

And a fresh FRST log, please. Any problems left?
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help
Trojaner-Board Facebook page

No help via PM!

16.08.2013, 16:15   #13
TobiT

Hello Schrauber,

thanks for your consistently very prompt replies. I will have no access to the problem PC until Monday, but will upload the logs you requested as soon as I do.

Have a nice weekend,
Tobias

16.08.2013, 17:52   #14
schrauber
/// the machine
/// TB Trainer

ok

19.08.2013, 18:51   #15
TobiT

Hello Schrauber,

here are the requested logs:

Eset Smart Installer:

Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=3827cb16cdfa8445a97156c6c59c3a40
# engine=14800
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-08-16 02:12:53
# local_time=2013-08-16 04:12:53 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=774 16777213 85 91 324681 153372245 0 0
# compatibility_mode=1799 16775165 100 99 4764 122425393 0 0
# compatibility_mode=5893 16776573 100 94 4823 128292223 0 0
# scanned=150561
# found=0
# cleaned=0
# scan_time=4128
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
Can not open internet# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=3827cb16cdfa8445a97156c6c59c3a40
# engine=14824
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-08-19 03:01:35
# local_time=2013-08-19 05:01:35 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=774 16777213 85 91 586803 153634367 0 0
# compatibility_mode=1799 16775165 100 99 23729 122687515 259665 0
# compatibility_mode=5893 16776573 100 94 266945 128554345 0 0
# scanned=244358
# found=0
# cleaned=0
# scan_time=23407
         
Security Check:
Code:
 Results of screen317's Security Check version 0.99.72  
 Windows 7 Service Pack 1 x64   
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
avast! Antivirus   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Malwarebytes Anti-Malware Version 1.75.0.1300  
 Java 7 Update 25  
 Adobe Flash Player 11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox 22.0 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled! 
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         
New FRST log:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-08-2013 01
Ran by ***** (administrator) on 19-08-2013 18:36:34
Running from C:\Users\*****\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVM Berlin) C:\Program Files (x86)\avmwlanstick\WlanNetService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot\SDWinSec.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Miranda Fusion Team) C:\Program Files (x86)\MirandaFusion\fusiontools\mfstart.exe
(modified by Miranda Fusion Team) C:\Program Files (x86)\MirandaFusion\miranda32.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
() C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
(AVM Berlin) C:\Program Files (x86)\avmwlanstick\WLanGUI.exe
(Huawei Technologies Co., Ltd.) C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
() C:\Users\*****\Desktop\Defogger.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [mwlDaemon] - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-02-01] (Egis Technology Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9642528 2010-02-24] (Realtek Semiconductor)
HKCU\...\Run: [SpybotSD TeaTimer] - C:\Program Files (x86)\Spybot\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [Miranda Fusion] - C:\Program Files (x86)\MirandaFusion\fusiontools\mfstart.exe [1122241 2012-06-12] (Miranda Fusion Team)
HKLM-x32\...\Run: [SuiteTray] - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-02-01] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201512 2009-12-25] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [401192 2009-12-25] (Egis Technology Inc.)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()
HKLM-x32\...\Run: [MDS_Menu] - C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [ArcadeMovieService] - C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe [124136 2010-02-05] (CyberLink Corp.)
HKLM-x32\...\Run: [AVMWlanClient] - C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-22] (AVM Berlin)
HKLM-x32\...\Run: [DataCardMonitor] - C:\Program Files (x86)\T-Mobile\web'n'walk Manager\DataCardMonitor.exe [253952 2011-11-22] (Huawei Technologies Co., Ltd.)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4767304 2013-03-07] (AVAST Software)
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-03-28] (DivX, LLC)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-13] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-15] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\*****\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
BHO: avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: PDF Architect Helper - {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll (pdfforge GbR)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Spybot\SDHelper.dll (Safer Networking Limited)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: SwissAcademic.Citavi.Picker.IEPicker - {609D670F-B735-4da7-AC6D-F3BD358E325E} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: msdaipp - No CLSID Value - 
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: msdaipp - No CLSID Value - 
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: No Name - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\kx6q9p3p.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [{8AA36F4F-6DC7-4c06-77AF-5035170634FE}] C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox
FF Extension: Citavi Picker - C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 &lt;video&gt; - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! WebRep - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt

==================== Services (Whitelisted) =================

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [45248 2013-03-07] (AVAST Software)
R2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-22] (AVM Berlin)
R2 CVPND; C:\Program Files (x86)\Cisco VPN Client\cvpnd.exe [1529856 2011-03-04] (Cisco Systems, Inc.)
R2 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-02-01] (Egis Technology Inc.)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-02-03] ()
R2 SBSDWSCService; C:\Program Files (x86)\Spybot\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-03-07] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-03-07] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [70992 2013-03-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-03-07] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1025808 2013-03-07] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [377920 2013-03-07] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [68920 2013-03-07] (AVAST Software)
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178624 2013-03-07] ()
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-04-26] ()
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-08] (Avira GmbH)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-09-16] (Avira GmbH)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-22] (AVM Berlin)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [270912 2011-11-02] (DT Soft Ltd)
S3 FWLANUSB; C:\Windows\System32\DRIVERS\fwlanusb.sys [460800 2010-10-22] (AVM GmbH)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-04-26] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S1 tcpipBM; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-19 18:25 - 2013-08-19 18:25 - 00891115 _____ C:\Users\*****\Downloads\SecurityCheck.exe
2013-08-19 18:24 - 2013-08-19 18:24 - 00001722 _____ C:\Users\*****\Desktop\Eset.txt
2013-08-16 15:02 - 2013-08-16 15:02 - 00000000 ____D C:\Program Files (x86)\ESET
2013-08-16 14:56 - 2013-08-16 14:56 - 02347384 _____ (ESET) C:\Users\*****\Desktop\esetsmartinstaller_enu.exe
2013-08-16 09:15 - 2013-08-19 10:27 - 00000376 _____ C:\Windows\wininit.ini
2013-08-16 00:22 - 2013-08-16 00:22 - 00039398 _____ C:\Users\*****\Desktop\FRST Zweitscan.txt
2013-08-16 00:14 - 2013-08-16 00:14 - 00001026 _____ C:\Users\*****\Desktop\JRT.txt
2013-08-16 00:10 - 2013-08-16 00:10 - 00000000 ____D C:\Windows\ERUNT
2013-08-16 00:09 - 2013-08-16 00:09 - 01159319 _____ (Thisisu) C:\Users\*****\Desktop\JRT(1).exe
2013-08-16 00:06 - 2013-08-16 00:06 - 00002784 _____ C:\Users\*****\Desktop\AdwCleaner[S1].txt
2013-08-16 00:00 - 2013-08-16 00:01 - 00002814 _____ C:\AdwCleaner[S1].txt
2013-08-15 23:59 - 2013-08-15 23:59 - 00666633 _____ C:\Users\*****\Desktop\adwcleaner.exe
2013-08-15 23:48 - 2013-08-15 23:48 - 00001113 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-15 23:48 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-08-15 23:43 - 2013-08-15 23:43 - 00000000 _____ C:\Users\*****\Downloads\JRT.exe
2013-08-15 23:42 - 2013-08-15 23:43 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\*****\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-15 18:51 - 2013-08-15 18:51 - 00025007 _____ C:\ComboFix.txt
2013-08-15 18:33 - 2013-08-15 18:51 - 00000000 ____D C:\Qoobox
2013-08-15 18:33 - 2013-08-15 18:50 - 00000000 ____D C:\Windows\erdnt
2013-08-15 18:33 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2013-08-15 18:33 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2013-08-15 18:33 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2013-08-15 18:33 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2013-08-15 18:31 - 2013-08-15 18:31 - 05104931 ____R (Swearware) C:\Users\*****\Desktop\ComboFix.exe
2013-08-14 19:54 - 2013-08-14 19:55 - 00000000 ____D C:\Users\*****\Desktop\Neuer Ordner
2013-08-14 19:53 - 2013-08-14 19:53 - 00023016 _____ C:\Users\*****\Desktop\Desktop.7z
2013-08-14 19:50 - 2013-08-14 19:50 - 00000000 ____D C:\Program Files (x86)\7-Zip
2013-08-14 19:48 - 2013-08-14 19:48 - 01110476 _____ C:\Users\*****\Downloads\7z920.exe
2013-08-14 19:30 - 2013-08-14 21:51 - 00002790 _____ C:\Users\*****\Desktop\SpybotSD.Report.txt
2013-08-14 18:55 - 2013-08-14 19:43 - 00411625 _____ C:\Users\*****\Desktop\Gmer.txt
2013-08-14 18:40 - 2013-08-14 18:40 - 00377856 _____ C:\Users\*****\Desktop\gmer_2.1.19163.exe
2013-08-14 18:39 - 2013-08-14 19:49 - 00024018 _____ C:\Users\*****\Desktop\Addition.txt
2013-08-14 18:38 - 2013-08-14 18:38 - 00000000 ____D C:\FRST
2013-08-14 18:37 - 2013-08-14 18:37 - 01575570 _____ (Farbar) C:\Users\*****\Desktop\FRST64.exe
2013-08-14 18:36 - 2013-08-19 18:36 - 00000480 _____ C:\Users\*****\Desktop\defogger_disable.log
2013-08-14 18:36 - 2013-08-14 18:36 - 00000000 _____ C:\Users\*****\defogger_reenable
2013-08-14 18:34 - 2013-08-14 18:34 - 00050477 _____ C:\Users\*****\Desktop\Defogger.exe
2013-08-14 18:23 - 2013-08-14 18:23 - 00001070 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-14 18:12 - 2013-07-26 07:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-14 18:12 - 2013-07-26 07:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-14 18:12 - 2013-07-26 07:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-08-14 18:12 - 2013-07-26 07:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-14 18:12 - 2013-07-26 07:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-08-14 18:12 - 2013-07-26 05:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-14 18:12 - 2013-07-26 05:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 18:12 - 2013-07-26 05:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 18:12 - 2013-07-26 05:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 18:12 - 2013-07-26 05:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 18:12 - 2013-07-26 05:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 18:12 - 2013-07-26 04:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 18:12 - 2013-07-26 04:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-08-14 18:12 - 2013-07-26 03:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 18:03 - 2013-08-14 18:03 - 23003252 _____ C:\Users\*****\Downloads\vlc-2.0.8-win32.exe
2013-08-14 17:59 - 2013-08-14 17:59 - 00002023 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-08-14 17:37 - 2013-07-09 07:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-14 17:37 - 2013-07-09 07:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-14 17:37 - 2013-07-09 06:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 17:37 - 2013-07-09 06:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 17:36 - 2013-07-25 11:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-08-14 17:36 - 2013-07-25 10:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 17:36 - 2013-07-19 03:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-14 17:36 - 2013-07-19 03:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 17:36 - 2013-07-09 08:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-14 17:36 - 2013-07-09 07:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-14 17:36 - 2013-07-09 07:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-08-14 17:36 - 2013-07-09 07:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-14 17:36 - 2013-07-09 07:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 17:36 - 2013-07-09 07:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 17:36 - 2013-07-09 06:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 17:36 - 2013-07-09 06:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 17:36 - 2013-07-09 06:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 17:36 - 2013-07-09 04:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 17:36 - 2013-07-09 04:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 17:36 - 2013-07-09 04:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 17:36 - 2013-07-09 04:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 17:36 - 2013-07-06 08:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-14 17:36 - 2013-06-15 06:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-08-13 18:08 - 2013-08-13 18:08 - 00002077 _____ C:\Users\*****\Desktop\Entfernen des Avira DE-Cleaners.lnk
2013-08-13 18:08 - 2013-08-13 18:08 - 00002006 _____ C:\Users\*****\Desktop\Avira DE-Cleaner.lnk
2013-08-13 14:45 - 2013-08-13 18:06 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-13 13:53 - 2013-08-13 13:54 - 00883840 _____ C:\Users\*****\Downloads\Avira-DE100-Cleaner.exe
2013-08-13 13:52 - 2013-08-13 13:54 - 78816192 _____ (                                                            ) C:\Users\*****\Downloads\de_cleaner_kaspersky.exe
2013-08-12 22:18 - 2013-08-14 18:08 - 00000000 ____D C:\Windows\system32\MRT
2013-08-06 19:53 - 2013-08-06 19:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\Avira
2013-07-30 14:50 - 2013-07-30 14:52 - 00000000 ____D C:\Users\*****\Desktop\susi tasse
2013-07-24 10:27 - 2013-07-24 10:27 - 01069944 _____ (Solid State Networks) C:\Users\*****\Downloads\install_reader11_de_mssd_aaa_aih.exe
2013-07-23 14:35 - 2013-07-23 15:48 - 00013824 _____ C:\Users\*****\Documents\Gebfeier 2013_Teilnahmeliste.xls

==================== One Month Modified Files and Folders =======

2013-08-19 18:36 - 2013-08-14 18:36 - 00000480 _____ C:\Users\*****\Desktop\defogger_disable.log
2013-08-19 18:27 - 2013-08-19 18:27 - 00000997 _____ C:\Users\*****\Desktop\Security_checkup.txt
2013-08-19 18:27 - 2011-04-27 04:23 - 00654150 _____ C:\Windows\system32\perfh007.dat
2013-08-19 18:27 - 2011-04-27 04:23 - 00130022 _____ C:\Windows\system32\perfc007.dat
2013-08-19 18:27 - 2009-07-14 07:13 - 01498742 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-19 18:26 - 2013-03-23 12:52 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-19 18:25 - 2013-08-19 18:25 - 00891115 _____ C:\Users\*****\Downloads\SecurityCheck.exe
2013-08-19 18:24 - 2013-08-19 18:24 - 00001722 _____ C:\Users\*****\Desktop\Eset.txt
2013-08-19 18:04 - 2011-05-22 14:18 - 00001110 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-19 16:04 - 2011-05-22 14:18 - 00001106 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-19 12:53 - 2011-12-14 19:59 - 00053227 _____ C:\Windows\setupact.log
2013-08-19 10:33 - 2009-07-14 06:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-19 10:33 - 2009-07-14 06:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-19 10:27 - 2013-08-16 09:15 - 00000376 _____ C:\Windows\wininit.ini
2013-08-19 10:27 - 2011-04-26 20:02 - 00000000 ____D C:\Users\*****\AppData\Roaming\Dropbox
2013-08-19 10:26 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-16 16:19 - 2011-04-26 21:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\vlc
2013-08-16 16:19 - 2011-04-26 18:40 - 01383032 _____ C:\Windows\WindowsUpdate.log
2013-08-16 15:02 - 2013-08-16 15:02 - 00000000 ____D C:\Program Files (x86)\ESET
2013-08-16 14:56 - 2013-08-16 14:56 - 02347384 _____ (ESET) C:\Users\*****\Desktop\esetsmartinstaller_enu.exe
2013-08-16 09:19 - 2011-09-12 21:30 - 00003958 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E0CB425A-65F4-4C06-90FA-73791B2C1B6D}
2013-08-16 00:22 - 2013-08-16 00:22 - 00039398 _____ C:\Users\*****\Desktop\FRST Zweitscan.txt
2013-08-16 00:14 - 2013-08-16 00:14 - 00001026 _____ C:\Users\*****\Desktop\JRT.txt
2013-08-16 00:10 - 2013-08-16 00:10 - 00000000 ____D C:\Windows\ERUNT
2013-08-16 00:09 - 2013-08-16 00:09 - 01159319 _____ (Thisisu) C:\Users\*****\Desktop\JRT(1).exe
2013-08-16 00:06 - 2013-08-16 00:06 - 00002784 _____ C:\Users\*****\Desktop\AdwCleaner[S1].txt
2013-08-16 00:01 - 2013-08-16 00:00 - 00002814 _____ C:\AdwCleaner[S1].txt
2013-08-15 23:59 - 2013-08-15 23:59 - 00666633 _____ C:\Users\*****\Desktop\adwcleaner.exe
2013-08-15 23:48 - 2013-08-15 23:48 - 00001113 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-15 23:48 - 2013-08-15 23:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-15 23:43 - 2013-08-15 23:43 - 00000000 _____ C:\Users\*****\Downloads\JRT.exe
2013-08-15 23:43 - 2013-08-15 23:42 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\*****\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-15 19:30 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2013-08-15 18:51 - 2013-08-15 18:51 - 00025007 _____ C:\ComboFix.txt
2013-08-15 18:51 - 2013-08-15 18:33 - 00000000 ____D C:\Qoobox
2013-08-15 18:51 - 2009-07-14 05:20 - 00000000 __RHD C:\Users\Default
2013-08-15 18:50 - 2013-08-15 18:33 - 00000000 ____D C:\Windows\erdnt
2013-08-15 18:46 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2013-08-15 18:44 - 2012-03-24 01:03 - 00097180 _____ C:\Windows\PFRO.log
2013-08-15 18:31 - 2013-08-15 18:31 - 05104931 ____R (Swearware) C:\Users\*****\Desktop\ComboFix.exe
2013-08-14 21:51 - 2013-08-14 19:30 - 00002790 _____ C:\Users\*****\Desktop\SpybotSD.Report.txt
2013-08-14 19:55 - 2013-08-14 19:54 - 00000000 ____D C:\Users\*****\Desktop\Neuer Ordner
2013-08-14 19:53 - 2013-08-14 19:53 - 00023016 _____ C:\Users\*****\Desktop\Desktop.7z
2013-08-14 19:50 - 2013-08-14 19:50 - 00000000 ____D C:\Program Files (x86)\7-Zip
2013-08-14 19:49 - 2013-08-14 18:39 - 00024018 _____ C:\Users\*****\Desktop\Addition.txt
2013-08-14 19:48 - 2013-08-14 19:48 - 01110476 _____ C:\Users\*****\Downloads\7z920.exe
2013-08-14 19:43 - 2013-08-14 18:55 - 00411625 _____ C:\Users\*****\Desktop\Gmer.txt
2013-08-14 18:40 - 2013-08-14 18:40 - 00377856 _____ C:\Users\*****\Desktop\gmer_2.1.19163.exe
2013-08-14 18:38 - 2013-08-14 18:38 - 00000000 ____D C:\FRST
2013-08-14 18:37 - 2013-08-14 18:37 - 01575570 _____ (Farbar) C:\Users\*****\Desktop\FRST64.exe
2013-08-14 18:36 - 2013-08-14 18:36 - 00000000 _____ C:\Users\*****\defogger_reenable
2013-08-14 18:36 - 2011-04-26 18:53 - 00000000 ____D C:\Users\*****
2013-08-14 18:34 - 2013-08-14 18:34 - 00050477 _____ C:\Users\*****\Desktop\Defogger.exe
2013-08-14 18:23 - 2013-08-14 18:23 - 00001070 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-08-14 18:08 - 2013-08-12 22:18 - 00000000 ____D C:\Windows\system32\MRT
2013-08-14 18:06 - 2011-04-29 12:04 - 78161360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-08-14 18:03 - 2013-08-14 18:03 - 23003252 _____ C:\Users\*****\Downloads\vlc-2.0.8-win32.exe
2013-08-14 18:02 - 2011-04-26 19:41 - 00000000 ____D C:\Users\DRTHRE~1\AppData\Local\Adobe
2013-08-14 17:59 - 2013-08-14 17:59 - 00002023 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-08-14 17:58 - 2010-05-12 14:25 - 00000000 ____D C:\ProgramData\Adobe
2013-08-14 17:58 - 2010-05-12 14:25 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-08-13 18:08 - 2013-08-13 18:08 - 00002077 _____ C:\Users\*****\Desktop\Entfernen des Avira DE-Cleaners.lnk
2013-08-13 18:08 - 2013-08-13 18:08 - 00002006 _____ C:\Users\*****\Desktop\Avira DE-Cleaner.lnk
2013-08-13 18:08 - 2011-04-26 18:57 - 00000000 ___RD C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-13 18:06 - 2013-08-13 14:45 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-08-13 13:54 - 2013-08-13 13:53 - 00883840 _____ C:\Users\*****\Downloads\Avira-DE100-Cleaner.exe
2013-08-13 13:54 - 2013-08-13 13:52 - 78816192 _____ (                                                            ) C:\Users\*****\Downloads\de_cleaner_kaspersky.exe
2013-08-13 07:28 - 2011-04-26 20:02 - 00000000 ____D C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-08-13 07:28 - 2011-04-26 19:50 - 00000000 ____D C:\Program Files (x86)\MirandaFusion
2013-08-13 07:28 - 2011-04-26 19:32 - 00000000 ____D C:\Program Files (x86)\Spybot
2013-08-13 07:28 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2013-08-13 07:28 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\AppCompat
2013-08-13 07:27 - 2012-03-24 01:05 - 00000000 ____D C:\ProgramData\Avira
2013-08-13 07:27 - 2012-03-24 01:05 - 00000000 ____D C:\Program Files (x86)\Avira
2013-08-13 07:27 - 2011-04-26 20:05 - 00000000 ___RD C:\Users\*****\Dropbox
2013-08-12 21:32 - 2012-08-31 14:38 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2013-08-12 21:32 - 2012-08-31 14:38 - 00001926 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-08-12 21:32 - 2011-07-06 08:26 - 00000000 _____ C:\Windows\SysWOW64\config.nt
2013-08-12 21:31 - 2011-04-26 19:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-08-08 19:09 - 2012-06-25 22:21 - 00016896 _____ C:\Users\*****\Documents\Festivalmitnahmeliste.xls
2013-08-06 22:08 - 2012-02-06 17:26 - 00000000 ____D C:\Users\*****\Documents\CVs
2013-08-06 19:53 - 2013-08-06 19:53 - 00000000 ____D C:\Users\*****\AppData\Roaming\Avira
2013-08-01 21:49 - 2013-07-14 13:39 - 00000000 ____D C:\Users\*****\Documents\Orte
2013-08-01 12:36 - 2012-03-30 15:26 - 00002272 ____H C:\Users\*****\Documents\Default.rdp
2013-07-30 14:52 - 2013-07-30 14:50 - 00000000 ____D C:\Users\*****\Desktop\susi tasse
2013-07-27 12:39 - 2011-05-09 22:02 - 00000000 ____D C:\Users\*****\Documents\Finanzen
2013-07-26 07:13 - 2013-08-14 18:12 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-26 07:13 - 2013-08-14 18:12 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-26 07:13 - 2013-08-14 18:12 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-07-26 07:12 - 2013-08-14 18:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-26 07:12 - 2013-08-14 18:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-07-26 05:35 - 2013-08-14 18:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-26 05:13 - 2013-08-14 18:12 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-26 05:13 - 2013-08-14 18:12 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-26 05:12 - 2013-08-14 18:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-26 05:11 - 2013-08-14 18:12 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-26 05:11 - 2013-08-14 18:12 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-26 04:49 - 2013-08-14 18:12 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-26 04:39 - 2013-08-14 18:12 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-07-26 03:59 - 2013-08-14 18:12 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-25 11:25 - 2013-08-14 17:36 - 01888768 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-07-25 10:57 - 2013-08-14 17:36 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-24 10:27 - 2013-07-24 10:27 - 01069944 _____ (Solid State Networks) C:\Users\*****\Downloads\install_reader11_de_mssd_aaa_aih.exe
2013-07-23 15:48 - 2013-07-23 14:35 - 00013824 _____ C:\Users\*****\Documents\Gebfeier 2013_Teilnahmeliste.xls

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-08-13 01:45

==================== End Of Log ============================
         


Thanks!
