
Log analysis and evaluation: Win7: Regin? Many hits with LOKI, is acute paranoia warranted?


02.03.2015, 21:04   #1
charles_b
 
Win7: Regin? Many hits with LOKI, is acute paranoia warranted?



Well, actually I only searched for Regin because of the press reports, to see whether someone had made themselves at home on my PC. Unfortunately there were quite a lot of red entries, i.e. hits, with the tool I chose, Loki, whose log I have also attached here.
So now I am here to clear the matter up and, if necessary, to be able to surf the net safely again for a few months. The PC actually runs relatively normally, just sometimes a bit slow and with minor oddities that did not strike me as particularly suspicious on a Windows PC that has not been freshly set up in a long while.

Thanks in advance!



Defogger:


Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:28 on 02/03/2015 (*****)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKCU:DAEMON Tools Lite -> Removed

Checking for services/drivers...


-=E.O.F=-
         


FRST:


Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-03-2015
Ran by ***** (administrator) on *****-PC on 02-03-2015 20:30:27
Running from C:\Users\*****\Downloads
Loaded Profiles: ***** &  (Available profiles: ***** & UpdatusUser & Luca & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
() C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
() C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
() C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe
(Malwarebytes Corporation) C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
() C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe
(VoipConnect) C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Hauppauge Computer Works, Inc.) C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\System32\prevhost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Loki-master\loki.exe
() C:\Loki-master\loki.exe
() C:\Loki-master\loki.exe
() C:\Loki-master\loki.exe
() C:\Loki-master\loki.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [140568 2007-08-31] (Acronis)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472984 2013-06-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [2622232 2007-08-31] (Acronis)
HKLM-x32\...\Run: [AcronisTimounterMonitor] => C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe [907040 2007-08-31] (Acronis)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-08-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5223016 2014-11-05] (AVAST Software)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502952 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863400 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058912 2012-04-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311616 2014-07-25] (Samsung Electronics Co., Ltd.)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [ExpressCacheUI] => C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe [3991424 2013-01-08] ()
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [EasyVoip] => "C:\Program Files (x86)\EasyVoip.com\EasyVoip\easyvoip.exe" -nosplash -minimized
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845120 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [CAHeadless] => C:\Program Files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [1401040 2014-08-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [*LABAL*] => [X]
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [VoipConnect] => C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe [23048288 2014-12-04] (VoipConnect)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672384 2012-04-11] (DT Soft Ltd)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [ExpressCacheUI] => C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe [3991424 2013-01-08] ()
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [EasyVoip] => "C:\Program Files (x86)\EasyVoip.com\EasyVoip\easyvoip.exe" -nosplash -minimized
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845120 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [CAHeadless] => C:\Program Files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [1401040 2014-08-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [*LABAL*] => [X]
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [VoipConnect] => C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe [23048288 2014-12-04] (VoipConnect)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672384 2012-04-11] (DT Soft Ltd)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2010-08-16] (Hewlett-Packard Company)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KiesAirMessage] => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KiesPDLR] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845120 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1562264 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [1&1_1&1 Upload-Manager] => "C:\Program Files (x86)\1&1\1&1 Upload-Manager\DAVSRV.EXE" /hide
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [EasyVoip] => "C:\Program Files (x86)\EasyVoip.com\EasyVoip\easyvoip.exe" -nosplash -minimized
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845120 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [ExpressCacheUI] => C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe [3991424 2013-01-08] ()
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
HKU\S-1-5-21-2571380908-3574024337-2633154625-1359-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2010-08-16] (Hewlett-Packard Company)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1359-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIJJE.EXE [283232 2012-02-28] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1359-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2571380908-3574024337-2633154625-1359-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2010-08-16] (Hewlett-Packard Company)
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672384 2012-04-11] (DT Soft Ltd)
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KiesAirMessage] => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KiesPDLR] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845120 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1562264 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [1&1_1&1 Upload-Manager] => "C:\Program Files (x86)\1&1\1&1 Upload-Manager\DAVSRV.EXE" /hide
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [EasyVoip] => "C:\Program Files (x86)\EasyVoip.com\EasyVoip\easyvoip.exe" -nosplash -minimized
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845120 2014-07-25] (Samsung)
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [ExpressCacheUI] => C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe [3991424 2013-01-08] ()
Lsa: [Authentication Packages] msv1_0 relog_ap
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinTV Recording Status.lnk
ShortcutTarget: WinTV Recording Status.lnk -> C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
GroupPolicyUsers\S-1-5-21-2571380908-3574024337-2633154625-1359\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKU\S-1-5-21-2571380908-3574024337-2633154625-1359-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {1A70E77F-FF92-4a43-92D9-BABC4B2FBEBC} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {6249BB8D-7BF5-4b02-9DE7-1797907F9AFD} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {8F073E5E-B2E0-4999-9525-13E2371A87DB} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {1A70E77F-FF92-4a43-92D9-BABC4B2FBEBC} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {1A70E77F-FF92-4a43-92D9-BABC4B2FBEBC} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {6249BB8D-7BF5-4b02-9DE7-1797907F9AFD} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {8CFEC077-51ED-4ce6-A512-A5D5EDFE90F8} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {8F073E5E-B2E0-4999-9525-13E2371A87DB} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {9B74648E-53EB-4e40-BBB0-55D0DEB6B7BA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {D1B8970E-3B78-48f9-93D3-31AE6ABFD519} URL = hxxp://www.google.com/cse?cx=partner-pub-3794288947762788%3A7941509802&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A7941509802&q={searchTerms}
BHO: No Name -> {7553EA3C-F8DA-4188-B7BC-956894EA54F5} ->  No File
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll No File
BHO-x32: No Name -> {7553EA3C-F8DA-4188-B7BC-956894EA54F5} ->  No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default
FF NewTab: hxxp://www.google.com/firefox
FF SearchEngineOrder.1: Google
FF Keyword.URL: https://www.google.de/search?q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-2571380908-3574024337-2633154625-1000: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\searchplugins\google-images.xml
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\searchplugins\google-maps.xml
FF Extension: 20-20 3D Viewer - IKEA - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\2020Player_IKEA@2020Technologies.com [2014-11-10]
FF Extension: CHIP Best Deal - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\ciuvo-extension@chip.de [2014-11-29]
FF Extension: Cliqz Beta - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\cliqz@cliqz.com [2014-11-29]
FF Extension: WEB.DE MailCheck - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\toolbar@web.de [2014-12-09]
FF Extension: NO Google Analytics - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\jid1-JcGokIiQyjoBAQ@jetpack.xpi [2014-07-14]
FF Extension: Adblock Plus - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-03-07]
FF Extension: QuickWiki - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}.xpi [2013-04-21]
FF Extension: UITBAutoInstaller - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{edd7fc99-d65c-4979-85c2-ddeed30c50c7} [2014-12-09]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-05-26]
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-04-14]
FF HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\extensions\cliqz@cliqz.com
FF HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\extensions\cliqz@cliqz.com

Chrome: 
=======
CHR Profile: C:\Users\*****\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-05]

Opera: 
=======
OPR Extension: (Adblock Plus) - C:\Users\*****\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2014-11-05]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor12.0; C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [181152 2013-09-25] (Adobe Systems Incorporated)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-05] (AVAST Software)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 ES lite Service; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [68136 2009-08-24] ()
R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 HauppaugeTVServer; C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe [577536 2012-11-11] (Hauppauge Computer Works) [File not signed]
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-08-16] (Hewlett-Packard Company) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 TryAndDecideService; C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [498872 2007-08-31] ()
R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [245760 2011-02-18] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [125512 2010-12-01] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [125512 2010-12-01] (SlySoft, Inc.)
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21104 2011-01-10] ()
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-11-05] ()
R1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [19600 2012-07-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-11-05] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-11-05] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-11-05] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-11-21] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-11-05] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-11-05] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-11-05] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-26] (DT Soft Ltd)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
R0 hotcore3; C:\Windows\System32\DRIVERS\hotcore3.sys [37392 2010-05-20] (Paragon Software Group)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-02] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 ssudserd; C:\Windows\System32\DRIVERS\ssudserd.sys [206080 2014-06-16] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2013-02-12] (Microsoft Corporation)
S3 athr; system32\DRIVERS\athrx.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-02 20:30 - 2015-03-02 20:30 - 00030483 _____ () C:\Users\*****\Downloads\FRST.txt
2015-03-02 20:30 - 2015-03-02 20:30 - 00000000 ____D () C:\FRST
2015-03-02 20:29 - 2015-03-02 20:29 - 02092544 _____ (Farbar) C:\Users\*****\Downloads\FRST64.exe
2015-03-02 20:28 - 2015-03-02 20:28 - 00000542 _____ () C:\Users\*****\Downloads\defogger_disable.log
2015-03-02 20:28 - 2015-03-02 20:28 - 00000168 _____ () C:\Users\*****\defogger_reenable
2015-03-02 20:27 - 2015-03-02 20:27 - 00050477 _____ () C:\Users\*****\Downloads\Defogger.exe
2015-03-02 19:35 - 2015-03-02 19:35 - 00000000 ___SH () C:\DkHyperbootSync
2015-03-02 10:25 - 2015-03-02 10:43 - 00056534 _____ () C:\Users\*****\Documents\Evelyn Kröll Hans.odt
2015-02-28 14:55 - 2015-02-28 14:55 - 00000000 ____D () C:\Users\*****\AppData\Local\Apps\2.0
2015-02-27 21:02 - 2015-02-27 21:02 - 01203488 _____ () C:\Users\*****\Downloads\Universal USB Installer - CHIP-Installer.exe
2015-02-27 20:44 - 2015-02-27 21:12 - 1549615104 _____ () C:\Users\*****\Downloads\linuxmint-17.1-cinnamon-64bit.iso
2015-02-27 17:11 - 2014-11-29 15:56 - 00000000 ____D () C:\Users\*****\Downloads\ReginScanner-master
2015-02-27 17:09 - 2015-02-27 17:09 - 05020871 _____ () C:\Users\*****\Downloads\ReginScanner-master.zip
2015-02-27 16:44 - 2015-02-27 16:44 - 00000000 _____ () C:\Users\*****\Desktop\Neues Textdokument.txt
2015-02-27 13:58 - 2015-03-02 20:24 - 00000000 ____D () C:\Loki-master
2015-02-27 13:58 - 2015-02-27 14:17 - 00000000 ____D () C:\Users\*****\Downloads\Loki-master
2015-02-27 13:58 - 2015-02-27 13:58 - 08991205 _____ () C:\Users\*****\Downloads\Loki-master.zip
2015-02-27 13:56 - 2015-02-27 13:57 - 08305166 _____ () C:\Users\*****\Downloads\loki.exe
2015-02-26 22:40 - 2015-02-27 12:53 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-02-25 12:22 - 2015-01-09 00:44 - 00419936 _____ () C:\Windows\SysWOW64\locale.nls
2015-02-25 12:22 - 2015-01-09 00:43 - 00419936 _____ () C:\Windows\system32\locale.nls
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieUserList
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieSiteList
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieBrowserModeList
2015-02-17 19:20 - 2015-02-17 19:20 - 00002077 _____ () C:\Users\*****\Desktop\JDownloader 2.lnk
2015-02-17 19:20 - 2015-02-17 19:20 - 00000000 ____D () C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JDownloader
2015-02-17 19:19 - 2015-02-23 01:41 - 00000000 ____D () C:\Users\*****\AppData\Local\JDownloader 2.0
2015-02-17 18:56 - 2015-01-09 04:14 - 00950272 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-17 18:56 - 2015-01-09 04:14 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-17 18:56 - 2015-01-09 04:14 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-17 18:56 - 2015-01-09 03:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdi.dll
2015-02-12 16:36 - 2015-01-23 05:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-12 16:36 - 2015-01-23 05:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-12 16:36 - 2015-01-23 04:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-12 16:36 - 2015-01-23 04:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-11 08:48 - 2015-01-14 06:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 08:48 - 2015-01-14 06:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-11 08:48 - 2015-01-12 04:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 08:48 - 2015-01-12 04:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-11 08:48 - 2015-01-12 04:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-11 08:48 - 2015-01-12 03:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-11 08:48 - 2015-01-12 03:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 08:48 - 2015-01-12 03:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-11 08:48 - 2015-01-12 03:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-11 08:48 - 2015-01-12 03:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-11 08:48 - 2015-01-12 03:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-11 08:48 - 2015-01-12 03:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-11 08:48 - 2015-01-12 03:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-11 08:48 - 2015-01-12 03:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-11 08:48 - 2015-01-12 03:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-11 08:48 - 2015-01-12 03:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 08:48 - 2015-01-12 03:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 08:48 - 2015-01-12 03:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-11 08:48 - 2015-01-12 03:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-11 08:48 - 2015-01-12 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-11 08:48 - 2015-01-12 03:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-11 08:48 - 2015-01-12 03:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-11 08:48 - 2015-01-12 03:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-11 08:48 - 2015-01-12 02:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-11 08:48 - 2015-01-12 02:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-11 08:48 - 2015-01-12 02:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-11 08:48 - 2015-01-12 02:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 08:48 - 2015-01-12 02:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 08:48 - 2015-01-12 02:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 08:48 - 2015-01-12 02:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-11 08:48 - 2015-01-12 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-11 08:48 - 2015-01-12 02:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 08:48 - 2015-01-12 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-11 08:48 - 2015-01-12 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-11 08:48 - 2015-01-12 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-11 08:48 - 2015-01-12 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-11 08:48 - 2015-01-12 02:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 08:48 - 2015-01-12 02:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-11 08:48 - 2015-01-12 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-11 08:48 - 2015-01-12 02:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-11 08:48 - 2015-01-12 02:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-11 08:48 - 2015-01-12 02:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 08:48 - 2015-01-12 02:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 08:48 - 2015-01-12 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-11 08:48 - 2015-01-12 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-11 08:48 - 2015-01-12 01:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-11 08:48 - 2015-01-09 03:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 08:47 - 2015-01-15 09:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 08:47 - 2015-01-15 09:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 08:47 - 2015-01-15 09:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 08:47 - 2015-01-15 09:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 08:47 - 2015-01-15 09:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 08:47 - 2015-01-15 09:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 08:47 - 2015-01-15 09:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 08:47 - 2015-01-15 09:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 08:47 - 2015-01-15 08:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-11 08:47 - 2015-01-15 08:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 08:47 - 2015-01-15 08:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-11 08:47 - 2015-01-15 08:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 08:47 - 2015-01-15 08:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-11 08:47 - 2015-01-15 08:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 08:47 - 2015-01-15 05:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 08:47 - 2015-01-13 04:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 08:47 - 2015-01-13 03:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 08:47 - 2014-12-12 06:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-11 08:47 - 2014-12-12 06:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-11 08:47 - 2014-11-26 04:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 08:47 - 2014-11-26 04:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 08:47 - 2014-10-04 03:10 - 03722752 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-11 08:47 - 2014-10-04 02:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-02-11 08:47 - 2014-10-04 02:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-02-11 08:47 - 2014-07-07 03:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-11 08:47 - 2014-07-07 03:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-11 08:47 - 2014-07-07 02:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-11 08:47 - 2014-07-07 02:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-02-11 08:46 - 2015-01-14 07:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 08:46 - 2015-01-14 07:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-11 08:46 - 2015-01-14 07:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-11 08:46 - 2015-01-14 07:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-11 08:46 - 2015-01-14 06:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-11 08:46 - 2015-01-14 06:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-11 08:46 - 2015-01-14 06:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-11 08:46 - 2014-12-08 04:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 08:46 - 2014-12-08 03:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-01 18:43 - 2015-02-01 18:43 - 00008708 _____ () C:\Users\*****\Downloads\e00138c41fbff2f035d527b699e999caae61d418.dlc

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-02 20:28 - 2012-05-26 05:02 - 00000000 ____D () C:\Users\*****
2015-03-02 20:23 - 2013-06-12 23:28 - 01449813 _____ () C:\Windows\WindowsUpdate.log
2015-03-02 20:21 - 2012-07-13 23:23 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-02 17:18 - 2012-07-09 22:15 - 00000000 ____D () C:\Users\*****\AppData\Roaming\foobar2000
2015-03-02 16:30 - 2014-12-01 11:59 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-02 16:06 - 2009-07-14 05:45 - 00021472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-02 16:06 - 2009-07-14 05:45 - 00021472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-02 16:02 - 2013-01-18 16:47 - 00000000 ____D () C:\Users\*****\AppData\Local\ExpressCache
2015-03-02 15:59 - 2014-03-01 09:31 - 00056782 _____ () C:\Windows\setupact.log
2015-03-02 15:59 - 2012-05-26 06:24 - 00025640 _____ (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2015-03-02 15:59 - 2012-05-26 05:12 - 00000144 _____ () C:\service.log
2015-03-02 15:59 - 2012-05-26 05:08 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-02 15:59 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-02 10:18 - 2012-08-07 19:59 - 00000000 ____D () C:\Users\*****\AppData\Roaming\PamFax Office Integrations
2015-03-01 21:59 - 2012-07-30 19:33 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-03-01 17:30 - 2014-08-20 23:40 - 00000000 ____D () C:\Users\*****\AppData\Local\Adobe
2015-03-01 00:00 - 2012-05-26 06:10 - 00000000 ____D () C:\Users\*****\AppData\Roaming\vlc
2015-02-27 20:30 - 2012-05-26 06:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-27 16:05 - 2014-08-24 18:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2015-02-27 16:05 - 2014-08-24 18:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2015-02-27 16:05 - 2013-06-12 23:37 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2015-02-24 19:55 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-24 12:24 - 2014-11-05 21:18 - 00003852 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1415218714
2015-02-24 12:24 - 2012-05-26 06:13 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-02-22 21:11 - 2011-04-12 08:43 - 00702980 _____ () C:\Windows\system32\perfh007.dat
2015-02-22 21:11 - 2011-04-12 08:43 - 00150620 _____ () C:\Windows\system32\perfc007.dat
2015-02-22 21:11 - 2009-07-14 06:13 - 01629508 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-22 12:28 - 2014-05-14 16:12 - 00000000 ____D () C:\Users\*****\.mediathek3
2015-02-20 21:33 - 2014-05-21 19:21 - 00000069 _____ () C:\Windows\NeroDigital.ini
2015-02-20 21:33 - 2013-11-01 20:53 - 00000131 _____ () C:\Users\*****\AppData\Roaming\default.rss
2015-02-20 14:53 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2015-02-18 11:10 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2015-02-17 19:20 - 2012-05-28 22:08 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2015-02-15 04:28 - 2012-07-08 12:16 - 00001462 _____ () C:\Users\*****\Sti_Trace.log
2015-02-14 20:08 - 2014-11-05 21:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-11 17:29 - 2009-07-14 05:45 - 05090528 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 17:20 - 2014-04-28 16:38 - 00032232 _____ () C:\Windows\PFRO.log
2015-02-11 17:20 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-11 13:54 - 2012-05-28 21:18 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-11 13:54 - 2009-07-14 03:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-05 15:21 - 2012-07-13 23:23 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-05 15:21 - 2012-06-11 21:16 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 15:21 - 2012-06-11 21:16 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-03 09:39 - 2014-05-14 15:55 - 00008192 ___SH () C:\Users\*****\Thumbs.db
2015-02-01 20:58 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports

==================== Files in the root of some directories =======

2013-11-01 20:53 - 2015-02-20 21:33 - 0000131 _____ () C:\Users\*****\AppData\Roaming\default.rss
2012-06-18 19:01 - 2014-12-31 16:59 - 0030720 _____ () C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-03-15 17:25 - 2013-03-15 17:25 - 0000840 _____ () C:\Users\*****\AppData\Local\recently-used.xbel
2012-05-26 06:33 - 2014-03-01 09:31 - 0000125 ___SH () C:\ProgramData\.zreglib
2013-02-25 17:34 - 2013-02-25 17:34 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\*****\AppData\Local\Temp\InstallManager_GEN_GEN.exe
C:\Users\*****\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\*****\AppData\Local\Temp\mailcheck_ff_2014_12_02.exe
C:\Users\*****\AppData\Local\Temp\proxy_vole3919489089619634463.dll
C:\Users\*****\AppData\Local\Temp\Quarantine.exe
C:\Users\*****\AppData\Local\Temp\readSTILog.dll
C:\Users\*****\AppData\Local\Temp\sdan.exe
C:\Users\*****\AppData\Local\Temp\sdapk.exe
C:\Users\*****\AppData\Local\Temp\sdaspwn.exe
C:\Users\*****\AppData\Local\Temp\SetupVoipConnect-EasyVoip.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-23 00:15

==================== End Of Log ============================
         

FRST Addition:


Code:
ATTFilter
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-03-2015
Ran by ***** at 2015-03-02 20:31:31
Running from C:\Users\*****\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acronis*True*Image*Home (HKLM-x32\...\{E5343B27-55DF-40BD-9FCF-A643C1331E8A}) (Version: 11.0.8010 - Acronis)
ActiveState ActivePython 2.7.8.10 (32-bit) (HKLM-x32\...\{EF34E11A-5977-4234-BCDF-6328CA642BC4}) (Version: 2.7.10 - ActiveState Software Inc.)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Photoshop Elements 12 (HKLM-x32\...\Adobe Photoshop Elements 12) (Version: 12.1.0.0 - Adobe Systems Incorporated)
Adobe Photoshop Elements 8.0 (HKLM-x32\...\Adobe Photoshop Elements 8.0) (Version: 8.0 - Adobe Systems Incorporated)
Adobe Photoshop Lightroom 5.6 64-bit (HKLM\...\{D19E99C2-6D9D-4075-B446-B4387EAF70A5}) (Version: 5.6.0 - Adobe Systems Incorporated)
Adobe® Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 3.3.0 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
AIDA64 Extreme Edition v2.30 (HKLM-x32\...\AIDA64 Extreme Edition_is1) (Version: 2.30 - FinalWire Ltd.)
AMD Catalyst Install Manager (HKLM\...\{120EC191-78F8-CA89-3511-7E90C23F5261}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
AnyDVD (HKLM-x32\...\AnyDVD) (Version: 6.7.5.0 - SlySoft)
ASUS nVidia Driver (x32 Version: 1.00.0000 - ASUSTek) Hidden
Avast Free Antivirus (HKLM-x32\...\avast) (Version: 10.0.2206 - AVAST Software)
Biet-O-Matic v2.14.8 (HKLM-x32\...\Biet-O-Matic v2.14.8) (Version: 2.14.8 - BOM Development Team)
Camden Town 3 Gymnasium (HKLM-x32\...\Camden Town 3 Gymnasium) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 3.19 - Piriform)
CHIP Best Deal (HKLM-x32\...\{7553EA3C-F8DA-4188-B7BC-956894EA54F5}) (Version: 1.4.21 - Ciuvo GmbH)
Cliqz (HKLM-x32\...\{5A0C0737-6AFE-4DC6-A8B4-6DFE509ACD75}_is1) (Version: 0.5.31 - Cliqz.com)
CloneDVD2 (HKLM-x32\...\CloneDVD2) (Version:  - Elaborate Bytes)
Counter-Strike (HKLM-x32\...\Steam App 10) (Version:  - Valve)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.45.4.0314 - DT Soft Ltd)
DVDStyler v2.6.1 (HKLM-x32\...\DVDStyler_is1) (Version:  - )
EasySaver B9.1214.1  (HKLM-x32\...\{07300F01-89CA-4CF8-92BD-2A605EB83C95}) (Version: 1.00.0000 - Gigabyte)
Elements 12 Organizer (x32 Version: 12.0 - Ihr Firmenname) Hidden
Epson Benutzerhandbuch WF-3520 Series (HKLM-x32\...\WF-3520 Series Useg) (Version:  - )
Epson Connect Guide (HKLM-x32\...\Epson Connect Guide) (Version:  - )
Epson Event Manager (HKLM-x32\...\{8F01524C-0676-4CC1-B4AE-64753C723391}) (Version: 3.01.0005 - Seiko Epson Corporation)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.31.00 - SEIKO EPSON CORPORATION)
Epson Netzwerkhandbuch WF-3520 Series (HKLM-x32\...\WF-3520 Series Netg) (Version:  - )
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-3520 Series Printer Uninstall (HKLM\...\EPSON WF-3520 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
Etron USB3.0 Host Controller (HKLM-x32\...\InstallShield_{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}) (Version: 0.115 - Etron Technology)
Etron USB3.0 Host Controller (x32 Version: 0.115 - Etron Technology) Hidden
Exact Audio Copy 1.0beta3 (HKLM-x32\...\Exact Audio Copy) (Version: 1.0beta3 - Andre Wiethoff)
ExpressCache (HKLM\...\{70107B03-7121-4033-B166-B6EBACA45F49}) (Version: 1.0.100.0 - Condusiv Technologies)
foobar2000 v1.1.13 (HKLM-x32\...\foobar2000) (Version: 1.1.13 - Peter Pawlowski)
GIMP 2.6.12 (HKLM\...\GIMP-2_is1) (Version: 2.6.12 - The GIMP Team)
Google Earth (HKLM-x32\...\{28E82311-8616-11E1-BEB0-B8AC6F97B88E}) (Version: 6.2.2.6613 - Google)
GPL Ghostscript (HKLM-x32\...\GPL Ghostscript 9.07) (Version: 9.07 - Artifex Software Inc.)
Hauppauge WinTV 7 (HKLM-x32\...\Hauppauge WinTV 7) (Version: v7.0.30342 (CD 2.6d) - Hauppauge Computer Works)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.32 - Irfan Skiljan)
Java 7 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.510 - Oracle)
Java 7 Update 67 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417067FF}) (Version: 7.0.670 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH)
JDownloader 2 (HKLM\...\jdownloader2) (Version: 2.0 - AppWork GmbH)
LightScribe System Software (HKLM-x32\...\{705B639E-FAAF-40D7-AD58-C445321C7C3F}) (Version: 1.18.18.1 - LightScribe)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Menu Templates - Starter Kit (x32 Version: 9.6.0.0 - Nero AG) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (HKLM\...\{14297226-E0A0-3781-8911-E9D529552663}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.50903 - Microsoft Corporation)
Minimal ADB and Fastboot version 1.1.3 (HKLM-x32\...\{DE46417A-9E9E-4BCD-BBDD-DA21943193BB}_is1) (Version: 1.1.3 - )
Movie Templates - Starter Kit (x32 Version: 9.6.0.0 - Nero AG) Hidden
Mozilla Firefox 34.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 de)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.1.1 - Mozilla)
Mozilla Thunderbird 31.5.0 (x86 de) (HKLM-x32\...\Mozilla Thunderbird 31.5.0 (x86 de)) (Version: 31.5.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyFreeCodec (HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\MyFreeCodec) (Version:  - )
MyFreeCodec (HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MyFreeCodec) (Version:  - )
MyFreeCodec (HKU\S-1-5-21-2571380908-3574024337-2633154625-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MyFreeCodec) (Version:  - )
MyFreeCodec (HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MyFreeCodec) (Version:  - )
Nero 9 Essentials (HKLM-x32\...\{268ea083-b21b-49da-abdf-196465c7b430}) (Version:  - Nero AG)
NVIDIA 3D Vision Controller Driver 267.85 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 267.85 - NVIDIA Corporation)
NVIDIA 3D Vision Treiber 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Grafiktreiber 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA HD-Audiotreiber 1.2.22.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.2.22.1 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.10.0514 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.10.0514 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
ON_OFF Charge B11.0110.1 (HKLM-x32\...\{3DECD372-76A1-4483-BF10-B547790A3261}) (Version: 1.00.0001 - GIGABYTE)
Opera 12.17 (HKLM-x32\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
Opera Stable 27.0.1689.76 (HKLM-x32\...\Opera 27.0.1689.76) (Version: 27.0.1689.76 - Opera Software ASA)
PamFax (HKLM-x32\...\{6432B21C-CA95-46CA-87D4-178CC2E58F84}_is1) (Version: 3.5.3.17 - Scendix Software GmbH)
PamFax Office Integration (x32 Version: 1.0.4 - Scendix Software GmbH) Hidden
Paragon Partition Manager™ 11 Professional (HKLM-x32\...\{A35001F0-F1E4-11DD-A38B-005056C00008}) (Version: 90.00.0003 - Paragon Software)
PartyPoker (HKLM-x32\...\PartyPoker) (Version:  - PartyGaming)
PDF Architect (HKLM-x32\...\{80A07844-CA64-4DE4-AB61-D37DDBE8074F}) (Version: 1.0.52.8917 - pdfforge)
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 2.0.0 - pdfforge)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.206.0 - Tracker Software Products Ltd)
PSE12 STI Installer (x32 Version: 12.0 - Adobe Systems Incorporated) Hidden
QPST 2.7 (HKLM-x32\...\{8035964D-75EB-4463-91DC-3F02EE9CF103}) (Version: 2.7.378 - Qualcomm)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.49.927.2011 - Realtek)
Realtek Ethernet Diagnostic Utility (HKLM-x32\...\{DADC7AB0-E554-4705-9F6A-83EA82ED708E}) (Version: 1.006 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6662 - Realtek Semiconductor Corp.)
SAMSUNG Android USB Modem Software (HKLM\...\SAMSUNG Android USB Modem) (Version: V5.28.2.1 - )
Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.5.3.13043_14 - Samsung Electronics Co., Ltd.)
Samsung Kies (x32 Version: 2.5.3.13043_14 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies3 (HKLM-x32\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.14072.12 - Samsung Electronics Co., Ltd.)
Samsung Kies3 (x32 Version: 3.2.14072.12 - Samsung Electronics Co., Ltd.) Hidden
Samsung Story Album Viewer (HKLM-x32\...\InstallShield_{698BBAD8-B116-495D-B879-0F07A533E57F}) (Version: 1.0.0.13054_1 - Samsung Electronics Co., Ltd.)
Samsung Story Album Viewer (x32 Version: 1.0.0.13054_1 - Samsung Electronics Co., Ltd.) Hidden
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.45.0 - SAMSUNG Electronics Co., Ltd.)
SanDisk SSD Toolkit 1.0.0.1 (HKLM-x32\...\{26326B5B-3D62-4C12-8841-6B55A19B552D}_is1) (Version: 1.0.0.1 - SanDisk Corporation)
SDFormatter (HKLM-x32\...\{179324FF-7B16-4BA8-9836-055CAAEE4F08}) (Version: 4.0.0 - SD Association)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Snap.Do (HKLM-x32\...\{D4CD577C-B720-4DA9-9811-A79D08F8E95D}) (Version: 1.6.1.936 - ReSoft Ltd.) <==== ATTENTION
Snap.Do Engine (HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\{81b54b25-4ae7-44bd-81f0-ade32936b098}) (Version: 1.6.1.936 - ReSoft Ltd.) <==== ATTENTION
Snap.Do Engine (HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\{81b54b25-4ae7-44bd-81f0-ade32936b098}) (Version: 1.6.1.936 - ReSoft Ltd.) <==== ATTENTION
Software Updater (HKLM-x32\...\{FA7EE274-7370-43B7-9A45-A39B17CCCDC5}) (Version: 4.3.3 - SEIKO EPSON CORPORATION)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
StreamTransport version: 1.0.2.2171 (HKLM-x32\...\{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1) (Version:  - )
Synology Assistant (remove only) (HKLM-x32\...\Synology Assistant) (Version:  - )
TeamViewer 8 (HKLM-x32\...\TeamViewer 8) (Version: 8.0.26038 - TeamViewer)
Total Commander 64-bit (Remove or Repair) (HKLM\...\Totalcmd64) (Version: 8.01 - Ghisler Software GmbH)
TrueCrypt (HKLM-x32\...\TrueCrypt) (Version: 7.1a - TrueCrypt Foundation)
VLC media player 2.0.7 (HKLM-x32\...\VLC media player) (Version: 2.0.7 - VideoLAN)
VoipConnect (HKLM-x32\...\VoipConnect_is1) (Version: 4.14 build 760 - Finarea S.A. Switzerland)
WEB.DE MailCheck für Mozilla Firefox (HKLM-x32\...\1&1 Mail & Media GmbH Toolbar FF) (Version: 3.0.2.1739 - 1&1 Mail & Media GmbH)
WinRAR (HKLM\...\WinRAR archiver) (Version:  - )
World of Tanks (HKLM-x32\...\{1EAC1D02-C6AC-4FA6-9A44-96258C37C812EU}_is1) (Version:  - Wargaming.net)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{47DB5A95-396A-3C4F-AE5E-3BD4D8402936}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{483E28C6-45D1-3876-8EC5-A0329620D6F1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{4CB916F0-BD7E-4DAB-B7FA-9D53ED9B023F}\InprocServer32 -> C:\Program Files (x86)\PamFax\Office Integration\adxloader64.dll ()
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{558E3B62-2327-39FB-9E2D-2530560FFE78}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{5C964877-5317-334A-ACDE-E38CB828DA8D}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{63E67F59-4D7F-3C18-B91C-7FA09181EE8E}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{6A6CF2A5-8DD6-3F74-BFEC-8353F27212FA}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{6DCBC428-5457-3819-A878-69AA0E1922C6}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{79807B26-A96B-3017-89EA-2B982D2A6E07}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{893A634B-E4C6-37F8-BA41-2D5DF277ECA7}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{975ACF6C-CADC-3007-8F78-3FE253A3E06E}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{A8593BAD-0192-3428-9A4B-E6D01D60FA15}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{C78C6A8A-8DC4-392B-B37E-FB5B6019C3F2}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{E057D328-79E9-3408-83A6-0C4A5D40C5BB}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{E33E3732-6BA0-336D-B8FF-00AE4ACAF459}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2571380908-3574024337-2633154625-1000_Classes\CLSID\{ED95C425-1650-3667-8736-016C8F55A394}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Restore Points  =========================

24-02-2015 12:23:44 Windows Update
25-02-2015 12:22:19 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-08-21 09:23 - 00001029 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 activate.adobe.com
127.0.0.1 na1r.services.adobe.com 
127.0.0.1 hlrcv.stage.adobe.com 
127.0.0.1 lmlicenses.wip4.adobe.com 
127.0.0.1 lm.licenses.adobe.com 
127.0.0.1 practivate.adobe.com 


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0071CBF4-4C3F-4D14-898D-387D35F1F860} - \SomotoUpdateCheckerAutoStart No Task File <==== ATTENTION
Task: {3669530E-AD3D-4BC4-A219-1383E4D3F581} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {7B2FFD5B-74FB-4C11-A180-E034D68BE59E} - System32\Tasks\Abelssoft\Updater scan => C:\Program Files (x86)\CHIP Updater\CHIPUpdater.exe
Task: {862B0A16-2EF9-4336-BCA6-5E4A3ECE800E} - System32\Tasks\chipSWU => Cscript.exe "C:\Program Files (x86)\chip\Internet Explorer\swu.vbs"
Task: {8CF32F4E-887C-426F-946F-048126F0F2C9} - System32\Tasks\{2EBDCA4B-6A38-428F-89E3-B13B20852B8D} => C:\Users\*****\Downloads\GT I5800\SuperOneClickv2.3.1-ShortFuse\SuperOneClick.exe [2011-12-04] (ShortFuse Productions)
Task: {8D68E798-E3A0-47D8-920C-C6E1830A8E2C} - System32\Tasks\Opera scheduled Autoupdate 1415218714 => C:\Program Files (x86)\Opera\launcher.exe [2015-02-23] (Opera Software)
Task: {9296F5F5-2456-4D8C-887A-A39B6BA65518} - System32\Tasks\{FE40D60E-DD02-4938-B31B-9F4B8CD00B99} => pcalua.exe -a C:\Users\*****\Downloads\Etron\SETUP.exe -d C:\Users\*****\Downloads\Etron
Task: {9A7CE287-B308-4AC5-952C-3426132E810E} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-11-05] (AVAST Software)
Task: {BAA40EDA-954E-44D8-9F67-BCC190D5641E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-05] (Adobe Systems Incorporated)
Task: {CA179274-52C6-43F7-8296-67C7502AADAC} - System32\Tasks\{F4BF7AC2-BE08-41CF-9E09-8420A9DD029B} => C:\Users\*****\Downloads\GT I5800\SuperOneClickv2.3.1-ShortFuse\SuperOneClick.exe [2011-12-04] (ShortFuse Productions)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) ==============

2012-11-26 08:04 - 2013-01-18 16:00 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2012-08-06 12:24 - 2012-08-06 12:24 - 00212480 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.PerformanceTuning.dll
2012-03-05 16:03 - 2012-03-05 16:03 - 00677376 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll
2012-02-16 14:53 - 2012-02-16 14:53 - 03642880 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Platform.dll
2012-05-26 05:12 - 2009-08-24 13:38 - 00068136 _____ () C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
2007-08-31 18:49 - 2007-08-31 18:49 - 00498872 _____ () C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
2011-02-18 07:18 - 2011-02-18 07:18 - 00245760 _____ () C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
2012-05-26 06:22 - 2010-03-15 10:28 - 00166400 _____ () C:\Program Files\WinRAR\rarext.dll
2013-01-08 07:59 - 2013-01-08 07:59 - 03991424 _____ () C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe
2014-10-18 16:22 - 2014-10-18 16:22 - 03631616 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_64\ExpressCacheApp\2f3934e3a6a65e60f5741c00138d41df\ExpressCacheApp.ni.exe
2013-01-08 07:59 - 2013-01-08 07:59 - 00012800 _____ () C:\Program Files\Condusiv Technologies\ExpressCache\de-DE\ExpressCacheApp.resources.dll
2015-03-02 10:13 - 2015-03-02 10:13 - 02913792 _____ () C:\Program Files\AVAST Software\Avast\defs\15030200\algo.dll
2015-03-02 16:00 - 2015-03-02 16:00 - 02913792 _____ () C:\Program Files\AVAST Software\Avast\defs\15030201\algo.dll
2012-05-26 05:12 - 2009-03-13 10:30 - 00109096 _____ () C:\Program Files (x86)\Gigabyte\EasySaver\YCC.DLL
2013-02-23 19:36 - 2011-08-23 09:04 - 00057344 _____ () C:\Program Files (x86)\WinTV\TVServer\libhdhomerun.dll
2013-02-23 19:36 - 2012-10-29 17:29 - 00018944 _____ () C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServerps.dll
2007-08-31 16:13 - 2007-08-31 16:13 - 01336600 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\fox.dll
2014-11-05 23:14 - 2014-11-05 23:14 - 38561576 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-02-26 22:40 - 2015-02-26 22:40 - 03348080 _____ () C:\Program Files (x86)\Mozilla Thunderbird\mozjs.dll
2015-02-26 22:40 - 2015-02-26 22:40 - 00158832 _____ () C:\Program Files (x86)\Mozilla Thunderbird\NSLDAP32V60.dll
2015-02-26 22:40 - 2015-02-26 22:40 - 00023152 _____ () C:\Program Files (x86)\Mozilla Thunderbird\NSLDAPPR32V60.dll
2014-11-05 21:00 - 2014-12-20 16:23 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:7631EA83

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\63435898.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\63435898.sys => ""="Driver"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\*****\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> C:\Users\*****\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-2571380908-3574024337-2633154625-1359-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> C:\Users\Luca\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-2571380908-3574024337-2633154625-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.178.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoStart IR.lnk => C:\Windows\pss\AutoStart IR.lnk.CommonStartup
MSCONFIG\startupreg: AnyDVD => C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
MSCONFIG\startupreg: EasyVoip => "C:\Program Files (x86)\EasyVoip.com\EasyVoip\easyvoip.exe" -nosplash -minimized
MSCONFIG\startupreg: FLV Player => C:\Users\*****\AppData\Local\WebPlayer\FLV Player\WebPlayer.exe
MSCONFIG\startupreg: KiesAirMessage => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
MSCONFIG\startupreg: LightScribe Control Panel => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

==================== Accounts: =============================

Administrator (S-1-5-21-2571380908-3574024337-2633154625-500 - Administrator - Disabled) => C:\Users\Administrator
Gast (S-1-5-21-2571380908-3574024337-2633154625-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2571380908-3574024337-2633154625-1002 - Limited - Enabled)
***** (S-1-5-21-2571380908-3574024337-2633154625-1000 - Administrator - Enabled) => C:\Users\*****
Luca (S-1-5-21-2571380908-3574024337-2633154625-1359 - Administrator - Enabled) => C:\Users\Luca
UpdatusUser (S-1-5-21-2571380908-3574024337-2633154625-1003 - Limited - Enabled) => C:\Users\UpdatusUser.*****-PC

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/02/2015 03:59:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/02/2015 11:02:09 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Fuel.Service.exe, Version: 1.0.0.0, Zeitstempel: 0x501fefb5
Name des fehlerhaften Moduls: Device.dll, Version: 4.1.0.0, Zeitstempel: 0x4f55e10b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x000000000003683f
ID des fehlerhaften Prozesses: 0x854
Startzeit der fehlerhaften Anwendung: 0xFuel.Service.exe0
Pfad der fehlerhaften Anwendung: Fuel.Service.exe1
Pfad des fehlerhaften Moduls: Fuel.Service.exe2
Berichtskennung: Fuel.Service.exe3

Error: (03/02/2015 10:13:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/02/2015 07:41:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/01/2015 11:02:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Fuel.Service.exe, Version: 1.0.0.0, Zeitstempel: 0x501fefb5
Name des fehlerhaften Moduls: Device.dll, Version: 4.1.0.0, Zeitstempel: 0x4f55e10b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x000000000003683f
ID des fehlerhaften Prozesses: 0x730
Startzeit der fehlerhaften Anwendung: 0xFuel.Service.exe0
Pfad der fehlerhaften Anwendung: Fuel.Service.exe1
Pfad des fehlerhaften Moduls: Fuel.Service.exe2
Berichtskennung: Fuel.Service.exe3

Error: (03/01/2015 09:58:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/01/2015 08:18:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Fuel.Service.exe, Version: 1.0.0.0, Zeitstempel: 0x501fefb5
Name des fehlerhaften Moduls: Device.dll, Version: 4.1.0.0, Zeitstempel: 0x4f55e10b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00000000000033c1
ID des fehlerhaften Prozesses: 0x818
Startzeit der fehlerhaften Anwendung: 0xFuel.Service.exe0
Pfad der fehlerhaften Anwendung: Fuel.Service.exe1
Pfad des fehlerhaften Moduls: Fuel.Service.exe2
Berichtskennung: Fuel.Service.exe3

Error: (03/01/2015 05:29:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/01/2015 00:00:20 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Fuel.Service.exe, Version: 1.0.0.0, Zeitstempel: 0x501fefb5
Name des fehlerhaften Moduls: Device.dll, Version: 4.1.0.0, Zeitstempel: 0x4f55e10b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00000000000033c1
ID des fehlerhaften Prozesses: 0x7ac
Startzeit der fehlerhaften Anwendung: 0xFuel.Service.exe0
Pfad der fehlerhaften Anwendung: Fuel.Service.exe1
Pfad des fehlerhaften Moduls: Fuel.Service.exe2
Berichtskennung: Fuel.Service.exe3

Error: (02/28/2015 02:46:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (03/02/2015 07:11:29 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR3 gefunden.

Error: (03/02/2015 04:01:53 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%1069

Error: (03/02/2015 04:01:53 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser" mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden: 
%%1330

Vergewissern Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft Management Console (MMC).

Error: (03/02/2015 04:00:11 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR3 gefunden.

Error: (03/02/2015 11:02:09 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "AMD FUEL Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (03/02/2015 10:15:41 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%1069

Error: (03/02/2015 10:15:41 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser" mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden: 
%%1330

Vergewissern Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft Management Console (MMC).

Error: (03/02/2015 07:45:58 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: Der Dienst AMD FUEL Service konnte nach dem Empfang eines Preshutdown-Steuerelements nicht richtig heruntergefahren werden.

Error: (03/02/2015 07:45:45 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (03/02/2015 07:45:21 AM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk4\DR4 gefunden.


Microsoft Office Sessions:
=========================
Error: (03/02/2015 03:59:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/02/2015 11:02:09 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Fuel.Service.exe1.0.0.0501fefb5Device.dll4.1.0.04f55e10bc0000005000000000003683f85401d054c92745da77C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll30218676-c0c3-11e4-ac85-50e549c82baa

Error: (03/02/2015 10:13:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/02/2015 07:41:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/01/2015 11:02:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Fuel.Service.exe1.0.0.0501fefb5Device.dll4.1.0.04f55e10bc0000005000000000003683f73001d054627a8d2c03C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dlla9edd07f-c05e-11e4-8549-50e549c82baa

Error: (03/01/2015 09:58:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/01/2015 08:18:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Fuel.Service.exe1.0.0.0501fefb5Device.dll4.1.0.04f55e10bc000000500000000000033c181801d0543ce4951596C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dllc6f47f84-c047-11e4-b6b6-50e549c82baa

Error: (03/01/2015 05:29:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/01/2015 00:00:20 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Fuel.Service.exe1.0.0.0501fefb5Device.dll4.1.0.04f55e10bc000000500000000000033c17ac01d0535cc55a9cfaC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exeC:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll90fb28b6-bf9d-11e4-9425-50e549c82baa

Error: (02/28/2015 02:46:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info =========================== 

Processor: AMD FX(tm)-4100 Quad-Core Processor 
Percentage of memory in use: 47%
Total physical RAM: 8173.24 MB
Available physical RAM: 4263.12 MB
Total Pagefile: 16344.67 MB
Available Pagefile: 12152.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:151.28 GB) (Free:22.49 GB) NTFS
Drive d: (Speicher1) (Fixed) (Total:164.01 GB) (Free:41.69 GB) NTFS
Drive e: (Speicher2) (Fixed) (Total:1509.01 GB) (Free:197.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 29.8 GB) (Disk ID: 74F02DEA)
Partition 1: (Not Active) - (Size=29.8 GB) - (Type=73)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: FC722FAE)
Partition 1: (Active) - (Size=38.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=164 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1509 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=151.3 GB) - (Type=07 NTFS)

==================== End Of Log ============================
         

Alt 02.03.2015, 21:10   #2
charles_b
 

Win7: Regin? Many hits with LOKI, is acute paranoia warranted?



and now GMER:

Code:
ATTFilter
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-03-02 21:07:55
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-7 WDC_WD20EARX-00PASB0 rev.51.0AB51 1863,02GB
Running: ot7oimy8.exe; Driver: C:\Users\*****\AppData\Local\Temp\ugloapod.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 0000000076f51360 5 bytes JMP 0000000100040460
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          0000000076f513b0 5 bytes JMP 0000000100040450
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          0000000076f51510 5 bytes JMP 0000000100040370
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               0000000076f51560 5 bytes JMP 0000000100040470
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     0000000076f51570 5 bytes JMP 00000001000403e0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          0000000076f51620 5 bytes JMP 0000000100040320
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   0000000076f51650 5 bytes JMP 00000001000403b0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      0000000076f51670 5 bytes JMP 0000000100040390
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            0000000076f516b0 5 bytes JMP 00000001000402e0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          0000000076f51730 5 bytes JMP 00000001000402d0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        0000000076f51750 5 bytes JMP 0000000100040310
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         0000000076f51790 5 bytes JMP 00000001000403c0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      0000000076f517e0 5 bytes JMP 00000001000403f0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         0000000076f51940 5 bytes JMP 0000000100040230
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              0000000076f51b00 5 bytes JMP 0000000100040480
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             0000000076f51b30 5 bytes JMP 00000001000403a0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      0000000076f51c10 5 bytes JMP 00000001000402f0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   0000000076f51c20 5 bytes JMP 0000000100040350
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         0000000076f51c80 5 bytes JMP 0000000100040290
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      0000000076f51d10 5 bytes JMP 00000001000402b0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       0000000076f51d30 5 bytes JMP 00000001000403d0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          0000000076f51d40 5 bytes JMP 0000000100040330
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   0000000076f51db0 5 bytes JMP 0000000100040410
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      0000000076f51de0 5 bytes JMP 0000000100040240
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           0000000076f520a0 5 bytes JMP 00000001000401e0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      0000000076f52160 5 bytes JMP 0000000100040250
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      0000000076f52190 5 bytes JMP 0000000100040490
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             0000000076f521a0 5 bytes JMP 00000001000404a0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        0000000076f521d0 5 bytes JMP 0000000100040300
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     0000000076f521e0 5 bytes JMP 0000000100040360
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           0000000076f52240 5 bytes JMP 00000001000402a0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        0000000076f52290 5 bytes JMP 00000001000402c0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           0000000076f522c0 5 bytes JMP 0000000100040380
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            0000000076f522d0 5 bytes JMP 0000000100040340
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     0000000076f525c0 5 bytes JMP 0000000100040440
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    0000000076f527c0 5 bytes JMP 0000000100040260
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       0000000076f527d0 5 bytes JMP 0000000100040270
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     0000000076f527e0 5 bytes JMP 0000000100040400
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 0000000076f529a0 5 bytes JMP 00000001000401f0
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  0000000076f529b0 5 bytes JMP 0000000100040210
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       0000000076f52a20 5 bytes JMP 0000000100040200
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       0000000076f52a80 5 bytes JMP 0000000100040420
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        0000000076f52a90 5 bytes JMP 0000000100040430
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   0000000076f52aa0 5 bytes JMP 0000000100040220
.text  C:\Windows\system32\csrss.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           0000000076f52b80 5 bytes JMP 0000000100040280
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                               0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                        0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                        0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                             0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                   0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                        0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                 0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                    0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                          0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                        0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                      0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                       0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                    0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                       0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                            0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                           0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                    0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                 0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                       0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                    0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                     0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                        0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                 0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                    0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                         0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                    0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                    0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                           0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                      0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                   0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                         0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                      0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                         0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                          0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                   0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                  0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                     0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                   0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                               0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                     0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                     0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                      0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                 0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\wininit.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                         0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 0000000076f51360 5 bytes JMP 000000014a1a0460
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          0000000076f513b0 5 bytes JMP 000000014a1a0450
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          0000000076f51510 5 bytes JMP 000000014a1a0370
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               0000000076f51560 5 bytes JMP 000000014a1a0470
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     0000000076f51570 5 bytes JMP 000000014a1a03e0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          0000000076f51620 5 bytes JMP 000000014a1a0320
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   0000000076f51650 5 bytes JMP 000000014a1a03b0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      0000000076f51670 5 bytes JMP 000000014a1a0390
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            0000000076f516b0 5 bytes JMP 000000014a1a02e0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          0000000076f51730 5 bytes JMP 000000014a1a02d0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        0000000076f51750 5 bytes JMP 000000014a1a0310
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         0000000076f51790 5 bytes JMP 000000014a1a03c0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      0000000076f517e0 5 bytes JMP 000000014a1a03f0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         0000000076f51940 5 bytes JMP 000000014a1a0230
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              0000000076f51b00 5 bytes JMP 000000014a1a0480
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             0000000076f51b30 5 bytes JMP 000000014a1a03a0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      0000000076f51c10 5 bytes JMP 000000014a1a02f0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   0000000076f51c20 5 bytes JMP 000000014a1a0350
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         0000000076f51c80 5 bytes JMP 000000014a1a0290
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      0000000076f51d10 5 bytes JMP 000000014a1a02b0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       0000000076f51d30 5 bytes JMP 000000014a1a03d0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          0000000076f51d40 5 bytes JMP 000000014a1a0330
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   0000000076f51db0 5 bytes JMP 000000014a1a0410
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      0000000076f51de0 5 bytes JMP 000000014a1a0240
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           0000000076f520a0 5 bytes JMP 000000014a1a01e0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      0000000076f52160 5 bytes JMP 000000014a1a0250
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      0000000076f52190 5 bytes JMP 000000014a1a0490
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             0000000076f521a0 5 bytes JMP 000000014a1a04a0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        0000000076f521d0 5 bytes JMP 000000014a1a0300
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     0000000076f521e0 5 bytes JMP 000000014a1a0360
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           0000000076f52240 5 bytes JMP 000000014a1a02a0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        0000000076f52290 5 bytes JMP 000000014a1a02c0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           0000000076f522c0 5 bytes JMP 000000014a1a0380
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            0000000076f522d0 5 bytes JMP 000000014a1a0340
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     0000000076f525c0 5 bytes JMP 000000014a1a0440
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    0000000076f527c0 5 bytes JMP 000000014a1a0260
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       0000000076f527d0 5 bytes JMP 000000014a1a0270
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     0000000076f527e0 5 bytes JMP 000000014a1a0400
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 0000000076f529a0 5 bytes JMP 000000014a1a01f0
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  0000000076f529b0 5 bytes JMP 000000014a1a0210
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       0000000076f52a20 5 bytes JMP 000000014a1a0200
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       0000000076f52a80 5 bytes JMP 000000014a1a0420
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        0000000076f52a90 5 bytes JMP 000000014a1a0430
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   0000000076f52aa0 5 bytes JMP 000000014a1a0220
.text  C:\Windows\system32\csrss.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           0000000076f52b80 5 bytes JMP 000000014a1a0280
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                             0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                      0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                      0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                           0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                 0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                      0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                               0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                  0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                        0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                      0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                    0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                     0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                  0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                     0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                          0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                         0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                  0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                               0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                     0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                  0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                   0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                      0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                               0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                  0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                       0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                  0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                  0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                         0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                    0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                 0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                       0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                    0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                       0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                        0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                 0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                   0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                 0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                             0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                              0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                   0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                   0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                    0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                               0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\services.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                       0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\lsass.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                   0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                            0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                            0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                 0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                       0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                            0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                     0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                        0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                              0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                            0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                          0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                           0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                        0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                           0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                               0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                        0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                     0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                           0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                        0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                         0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                            0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                     0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                        0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                             0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                        0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                        0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                               0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                          0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                       0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                             0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                          0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                             0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                              0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                       0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                      0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                         0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                       0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                   0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                    0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                         0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                         0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                          0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                     0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                             0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 0000000100040460
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 0000000100040450
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 0000000100040370
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 0000000100040470
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000001000403e0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 0000000100040320
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000001000403b0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 0000000100040390
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000001000402e0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000001000402d0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 0000000100040310
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000001000403c0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000001000403f0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 0000000100040230
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 0000000100040480
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000001000403a0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000001000402f0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 0000000100040350
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 0000000100040290
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000001000402b0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000001000403d0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 0000000100040330
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 0000000100040410
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 0000000100040240
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000001000401e0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 0000000100040250
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 0000000100040490
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000001000404a0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 0000000100040300
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 0000000100040360
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000001000402a0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000001000402c0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 0000000100040380
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 0000000100040340
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 0000000100040440
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 0000000100040260
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 0000000100040270
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 0000000100040400
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000001000401f0
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 0000000100040210
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 0000000100040200
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 0000000100040420
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 0000000100040430
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 0000000100040220
.text  C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 0000000100040280
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 0000000100070460
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 0000000100070450
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 0000000100070370
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 0000000100070470
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000001000703e0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 0000000100070320
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000001000703b0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 0000000100070390
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000001000702e0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000001000702d0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 0000000100070310
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000001000703c0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000001000703f0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 0000000100070230
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 0000000100070480
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000001000703a0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000001000702f0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 0000000100070350
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 0000000100070290
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000001000702b0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000001000703d0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 0000000100070330
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 0000000100070410
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 0000000100070240
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000001000701e0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 0000000100070250
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 0000000100070490
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000001000704a0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 0000000100070300
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 0000000100070360
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000001000702a0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000001000702c0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 0000000100070380
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 0000000100070340
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 0000000100070440
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 0000000100070260
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 0000000100070270
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 0000000100070400
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000001000701f0
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 0000000100070210
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 0000000100070200
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 0000000100070420
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 0000000100070430
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 0000000100070220
.text  C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 0000000100070280
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                               0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                        0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                        0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                             0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                   0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                        0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                 0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                    0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                          0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                        0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                      0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                       0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                    0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                       0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                            0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                           0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                    0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                 0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                       0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                    0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                     0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                        0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                 0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                    0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                         0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                    0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                    0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                           0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                      0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                   0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                         0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                      0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                         0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                          0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                   0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                  0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                     0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                   0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                               0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                     0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                     0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                      0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                 0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\nvvsvc.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                         0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 0000000100070460
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 0000000100070450
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 0000000100070370
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 0000000100070470
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000001000703e0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 0000000100070320
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000001000703b0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 0000000100070390
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000001000702e0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000001000702d0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 0000000100070310
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000001000703c0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000001000703f0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 0000000100070230
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 0000000100070480
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000001000703a0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000001000702f0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 0000000100070350
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 0000000100070290
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000001000702b0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000001000703d0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 0000000100070330
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 0000000100070410
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 0000000100070240
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000001000701e0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 0000000100070250
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 0000000100070490
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000001000704a0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 0000000100070300
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 000


Edited by charles_b (02.03.2015 at 21:17)

Old 02.03.2015, 21:18   #3
charles_b

Win7: Regin? Many hits with LOKI, is acute paranoia warranted?



GMER2:

Code:
0000100070360
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000001000702a0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000001000702c0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 0000000100070380
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 0000000100070340
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 0000000100070440
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 0000000100070260
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 0000000100070270
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 0000000100070400
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000001000701f0
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 0000000100070210
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 0000000100070200
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 0000000100070420
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 0000000100070430
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 0000000100070220
.text  C:\Windows\System32\svchost.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 0000000100070280
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\System32\svchost.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                     0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                              0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                              0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                   0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                         0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                              0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                       0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                          0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                              0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                            0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                             0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                          0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                             0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                  0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                 0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                          0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                       0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                             0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                          0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                           0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                              0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                       0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                          0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                               0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                          0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                          0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                 0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                            0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                         0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                               0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                            0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                               0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                         0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                        0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                           0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                         0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                     0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                      0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                           0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                           0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                            0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                       0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                               0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                               0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                        0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                        0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                             0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                   0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                        0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                 0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                    0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                          0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                        0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                      0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                       0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                    0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                       0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                            0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                           0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                    0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                 0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                       0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                    0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                     0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                        0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                 0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                    0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                         0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                    0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                    0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                           0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                      0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                   0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                         0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                      0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                         0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                          0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                   0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                  0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                     0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                   0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                               0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                     0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                     0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                      0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                 0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\nvvsvc.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                         0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort         0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                  0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                  0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx       0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess             0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                  0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory           0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject              0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                    0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                  0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                 0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread              0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                 0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort      0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject     0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair              0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion           0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                 0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore              0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx               0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                  0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess           0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry              0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                   0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry              0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey              0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys     0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion             0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                   0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                   0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                    0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx             0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder            0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions               0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread             0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation         0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState          0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem               0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess               0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl           0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                   0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                0000000000031401 2 bytes JMP 74b3b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                  0000000000031419 2 bytes JMP 74b3b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                0000000000031431 2 bytes JMP 74bb8ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                000000000003144a 2 bytes CALL 74b148ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                                     * 9
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                   00000000000314dd 2 bytes JMP 74bb87a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17            00000000000314f5 2 bytes JMP 74bb8978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                   000000000003150d 2 bytes JMP 74bb8698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17            0000000000031525 2 bytes JMP 74bb8a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                  000000000003153d 2 bytes JMP 74b2fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                       0000000000031555 2 bytes JMP 74b368ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                000000000003156d 2 bytes JMP 74bb8f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                  0000000000031585 2 bytes JMP 74bb8ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                     000000000003159d 2 bytes JMP 74bb865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                  00000000000315b5 2 bytes JMP 74b2fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                00000000000315cd 2 bytes JMP 74b3b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20            00000000000316b2 2 bytes JMP 74bb8e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31            00000000000316bd 2 bytes JMP 74bb85f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35                           000000006e5511a8 2 bytes [55, 6E]
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248                          000000006e55127d 2 bytes CALL 74b114b9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395                          000000006e551310 2 bytes CALL 74b114b9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21                     000000006e5513a8 2 bytes [55, 6E]
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21                         000000006e551422 2 bytes [55, 6E]
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19                  000000006e551498 2 bytes [55, 6E]
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextCreate + 4               000000006eeb1825 2 bytes JMP 74e46125 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroy + 4              000000006eeb1830 2 bytes JMP 74e46145 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroyAll + 4           000000006eeb183b 2 bytes JMP 74e46165 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dDrawPrimitives2 + 4             000000006eeb1846 2 bytes JMP 74e45a05 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dValidateTextureStageState + 4   000000006eeb1851 2 bytes JMP 74e46185 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAddAttachedSurface + 4           000000006eeb185c 2 bytes JMP 74e46265 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAlphaBlt + 4                     000000006eeb1867 2 bytes JMP 74e46285 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAttachSurface + 4                000000006eeb1872 2 bytes JMP 74e462a5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBeginMoCompFrame + 4             000000006eeb187d 2 bytes JMP 74e462c5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBlt + 4                          000000006eeb1888 2 bytes JMP 74e45a25 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateD3DBuffer + 4           000000006eeb1893 2 bytes JMP 74e462e5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateSurface + 4             000000006eeb189e 2 bytes JMP 74e45aa5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdColorControl + 4                 000000006eeb18a9 2 bytes JMP 74e46305 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateD3DBuffer + 4              000000006eeb18b4 2 bytes JMP 74e46325 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateDirectDrawObject + 4       000000006eeb18bf 2 bytes JMP 74e11fcb C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateMoComp + 4                 000000006eeb18ca 2 bytes JMP 74e46365 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurface + 4                000000006eeb18d5 2 bytes JMP 74e45ac5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceEx + 4              000000006eeb18e0 2 bytes JMP 74e45b45 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceObject + 4          000000006eeb18eb 2 bytes JMP 74e45b65 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteDirectDrawObject + 4       000000006eeb18f6 2 bytes JMP 74e468c5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteSurfaceObject + 4          000000006eeb1901 2 bytes JMP 74e45a85 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyD3DBuffer + 4             000000006eeb190c 2 bytes JMP 74e468e5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyMoComp + 4                000000006eeb1917 2 bytes JMP 74e46925 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroySurface + 4               000000006eeb1922 2 bytes JMP 74e45ae5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdEndMoCompFrame + 4               000000006eeb192d 2 bytes JMP 74e46945 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlip + 4                         000000006eeb1938 2 bytes JMP 74e46965 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlipToGDISurface + 4             000000006eeb1943 2 bytes JMP 74e46985 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetAvailDriverMemory + 4         000000006eeb194e 2 bytes JMP 74e469a5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetBltStatus + 4                 000000006eeb1959 2 bytes JMP 74e469c5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDC + 4                        000000006eeb1964 2 bytes JMP 74e469e5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverInfo + 4                000000006eeb196f 2 bytes JMP 74e46a05 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverState + 4               000000006eeb197a 2 bytes JMP 74e46a25 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDxHandle + 4                  000000006eeb1985 2 bytes JMP 74e46a45 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetFlipStatus + 4                000000006eeb1990 2 bytes JMP 74e46a65 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetInternalMoCompInfo + 4        000000006eeb199b 2 bytes JMP 74e46a85 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompBuffInfo + 4            000000006eeb19a6 2 bytes JMP 74e46aa5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompFormats + 4             000000006eeb19b1 2 bytes JMP 74e46ac5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompGuids + 4               000000006eeb19bc 2 bytes JMP 74e46ae5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetScanLine + 4                  000000006eeb19c7 2 bytes JMP 74e46b05 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLock + 4                         000000006eeb19d2 2 bytes JMP 74e46b25 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLockD3D + 4                      000000006eeb19dd 2 bytes JMP 74e45b85 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryDirectDrawObject + 4        000000006eeb19e8 2 bytes JMP 74e46b65 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryMoCompStatus + 4            000000006eeb19f3 2 bytes JMP 74e46b85 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReenableDirectDrawObject + 4     000000006eeb19fe 2 bytes JMP 74e46bc3 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReleaseDC + 4                    000000006eeb1a09 2 bytes JMP 74e46be3 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdRenderMoComp + 4                 000000006eeb1a14 2 bytes JMP 74e46c03 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdResetVisrgn + 4                  000000006eeb1a1f 2 bytes JMP 74e45b05 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetColorKey + 4                  000000006eeb1a2a 2 bytes JMP 74e46c23 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetExclusiveMode + 4             000000006eeb1a35 2 bytes JMP 74e46c43 C:\Windows\syswow64\GDI32.dll
         

02.03.2015, 21:19   #4
charles_b

GMER3:

Code:
ATTFilter
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetGammaRamp + 4                 000000006eeb1a40 2 bytes JMP 74e46c63 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetOverlayPosition + 4           000000006eeb1a4b 2 bytes JMP 74e46c83 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnattachSurface + 4              000000006eeb1a56 2 bytes JMP 74e46ca3 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlock + 4                       000000006eeb1a61 2 bytes JMP 74e46cc3 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlockD3D + 4                    000000006eeb1a6c 2 bytes JMP 74e45ba5 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUpdateOverlay + 4                000000006eeb1a77 2 bytes JMP 74e46ce3 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 4         000000006eeb1a82 2 bytes JMP 74e46d03 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe[2656] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 52        000000006eeb1ab2 2 bytes JMP 74ebdc75 C:\Windows\syswow64\msvcrt.dll
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17            0000000000021401 2 bytes JMP 74b3b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17              0000000000021419 2 bytes JMP 74b3b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17            0000000000021431 2 bytes JMP 74bb8ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42            000000000002144a 2 bytes CALL 74b148ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                                     * 9
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17               00000000000214dd 2 bytes JMP 74bb87a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17        00000000000214f5 2 bytes JMP 74bb8978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17               000000000002150d 2 bytes JMP 74bb8698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17        0000000000021525 2 bytes JMP 74bb8a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17              000000000002153d 2 bytes JMP 74b2fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                   0000000000021555 2 bytes JMP 74b368ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17            000000000002156d 2 bytes JMP 74bb8f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17              0000000000021585 2 bytes JMP 74bb8ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                 000000000002159d 2 bytes JMP 74bb865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17              00000000000215b5 2 bytes JMP 74b2fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17            00000000000215cd 2 bytes JMP 74b3b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20        00000000000216b2 2 bytes JMP 74bb8e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31        00000000000216bd 2 bytes JMP 74bb85f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                             0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                      0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                      0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                           0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                 0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                      0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                               0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                  0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                        0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                      0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                    0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                     0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                  0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                     0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                          0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                         0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                  0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                               0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                     0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                  0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                   0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                      0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                               0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                  0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                       0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                  0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                  0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                         0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                    0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                 0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                       0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                    0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                       0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                        0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                 0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                   0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                 0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                             0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                              0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                   0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                   0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                    0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                               0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\EscSvc64.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                       0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                      0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                               0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                               0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                    0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                          0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                               0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                        0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                           0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                 0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                               0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                             0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                              0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                           0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                              0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                   0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                  0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                           0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                        0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                              0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                           0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                            0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                               0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                        0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                           0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                           0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                           0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                  0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                             0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                          0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                             0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                 0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                          0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                         0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                            0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                          0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                      0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                       0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                            0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                            0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                             0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                        0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\Explorer.EXE[3672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\svchost.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                             0000000076f51360 5 bytes JMP 0000000100060460
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                      0000000076f513b0 5 bytes JMP 0000000100060450
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                      0000000076f51510 5 bytes JMP 0000000100060370
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                           0000000076f51560 5 bytes JMP 0000000100060470
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                 0000000076f51570 5 bytes JMP 00000001000603e0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                      0000000076f51620 5 bytes JMP 0000000100060320
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                               0000000076f51650 5 bytes JMP 00000001000603b0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                  0000000076f51670 5 bytes JMP 0000000100060390
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                        0000000076f516b0 5 bytes JMP 00000001000602e0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                      0000000076f51730 5 bytes JMP 00000001000602d0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                    0000000076f51750 5 bytes JMP 0000000100060310
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                     0000000076f51790 5 bytes JMP 00000001000603c0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                  0000000076f517e0 5 bytes JMP 00000001000603f0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                     0000000076f51940 5 bytes JMP 0000000100060230
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                          0000000076f51b00 5 bytes JMP 0000000100060480
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                         0000000076f51b30 5 bytes JMP 00000001000603a0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                  0000000076f51c10 5 bytes JMP 00000001000602f0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                               0000000076f51c20 5 bytes JMP 0000000100060350
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                     0000000076f51c80 5 bytes JMP 0000000100060290
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                  0000000076f51d10 5 bytes JMP 00000001000602b0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                   0000000076f51d30 5 bytes JMP 00000001000603d0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                      0000000076f51d40 5 bytes JMP 0000000100060330
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                               0000000076f51db0 5 bytes JMP 0000000100060410
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                  0000000076f51de0 5 bytes JMP 0000000100060240
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                       0000000076f520a0 5 bytes JMP 00000001000601e0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                  0000000076f52160 5 bytes JMP 0000000100060250
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                  0000000076f52190 5 bytes JMP 0000000100060490
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                         0000000076f521a0 5 bytes JMP 00000001000604a0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                    0000000076f521d0 5 bytes JMP 0000000100060300
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                 0000000076f521e0 5 bytes JMP 0000000100060360
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                       0000000076f52240 5 bytes JMP 00000001000602a0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                    0000000076f52290 5 bytes JMP 00000001000602c0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                       0000000076f522c0 5 bytes JMP 0000000100060380
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                        0000000076f522d0 5 bytes JMP 0000000100060340
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                 0000000076f525c0 5 bytes JMP 0000000100060440
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                0000000076f527c0 5 bytes JMP 0000000100060260
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                   0000000076f527d0 5 bytes JMP 0000000100060270
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                 0000000076f527e0 5 bytes JMP 0000000100060400
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                             0000000076f529a0 5 bytes JMP 00000001000601f0
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                              0000000076f529b0 5 bytes JMP 0000000100060210
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                   0000000076f52a20 5 bytes JMP 0000000100060200
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                   0000000076f52a80 5 bytes JMP 0000000100060420
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                    0000000076f52a90 5 bytes JMP 0000000100060430
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                               0000000076f52aa0 5 bytes JMP 0000000100060220
.text  C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                       0000000076f52b80 5 bytes JMP 0000000100060280
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                       0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                     0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                           0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                         0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                            0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                  0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                              0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                               0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                            0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                               0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                    0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                   0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                            0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                         0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                               0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                            0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                             0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                         0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                            0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                 0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                            0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                            0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                   0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                              0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                           0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                 0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                              0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                 0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                  0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                           0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                          0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                             0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                           0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                       0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                        0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                             0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                             0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                              0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                         0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                 0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\System32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort      0000000076f51360 5 bytes JMP 0000000100070460
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject               0000000076f513b0 5 bytes JMP 0000000100070450
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess               0000000076f51510 5 bytes JMP 0000000100070370
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx    0000000076f51560 5 bytes JMP 0000000100070470
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess          0000000076f51570 5 bytes JMP 00000001000703e0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection               0000000076f51620 5 bytes JMP 0000000100070320
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory        0000000076f51650 5 bytes JMP 00000001000703b0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject           0000000076f51670 5 bytes JMP 0000000100070390
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                 0000000076f516b0 5 bytes JMP 00000001000702e0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent               0000000076f51730 5 bytes JMP 00000001000702d0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection             0000000076f51750 5 bytes JMP 0000000100070310
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread              0000000076f51790 5 bytes JMP 00000001000703c0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread           0000000076f517e0 5 bytes JMP 00000001000703f0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry              0000000076f51940 5 bytes JMP 0000000100070230
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort   0000000076f51b00 5 bytes JMP 0000000100070480
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  0000000076f51b30 5 bytes JMP 00000001000703a0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair           0000000076f51c10 5 bytes JMP 00000001000702f0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion        0000000076f51c20 5 bytes JMP 0000000100070350
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant              0000000076f51c80 5 bytes JMP 0000000100070290
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore           0000000076f51d10 5 bytes JMP 00000001000702b0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx            0000000076f51d30 5 bytes JMP 00000001000703d0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer               0000000076f51d40 5 bytes JMP 0000000100070330
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess        0000000076f51db0 5 bytes JMP 0000000100070410
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry           0000000076f51de0 5 bytes JMP 0000000100070240
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                0000000076f520a0 5 bytes JMP 00000001000701e0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry           0000000076f52160 5 bytes JMP 0000000100070250
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey           0000000076f52190 5 bytes JMP 0000000100070490
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  0000000076f521a0 5 bytes JMP 00000001000704a0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair             0000000076f521d0 5 bytes JMP 0000000100070300
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion          0000000076f521e0 5 bytes JMP 0000000100070360
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                0000000076f52240 5 bytes JMP 00000001000702a0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore             0000000076f52290 5 bytes JMP 00000001000702c0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                0000000076f522c0 5 bytes JMP 0000000100070380
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                 0000000076f522d0 5 bytes JMP 0000000100070340
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx          0000000076f525c0 5 bytes JMP 0000000100070440
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder         0000000076f527c0 5 bytes JMP 0000000100070260
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions            0000000076f527d0 5 bytes JMP 0000000100070270
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread          0000000076f527e0 5 bytes JMP 0000000100070400
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation      0000000076f529a0 5 bytes JMP 00000001000701f0
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState       0000000076f529b0 5 bytes JMP 0000000100070210
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem            0000000076f52a20 5 bytes JMP 0000000100070200
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess            0000000076f52a80 5 bytes JMP 0000000100070420
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread             0000000076f52a90 5 bytes JMP 0000000100070430
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl        0000000076f52aa0 5 bytes JMP 0000000100070220
.text  C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                0000000076f52b80 5 bytes JMP 0000000100070280
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[4784] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter                    0000000074b18791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                        0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                 0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                 0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                      0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                            0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                 0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                          0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                             0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                   0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                 0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                               0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                             0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                     0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                    0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                             0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                          0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                             0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                              0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                 0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                          0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                             0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                  0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                             0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                             0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                    0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                               0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                            0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                  0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                               0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                  0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                   0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                            0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                           0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                              0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                            0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                        0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                         0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                              0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                              0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                               0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                          0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\wbem\wmiprvse.exe[4576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                  0000000076f52b80 5 bytes JMP 00000000770b0280
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                        0000000076f51360 5 bytes JMP 0000000100070460
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                 0000000076f513b0 5 bytes JMP 0000000100070450
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                 0000000076f51510 5 bytes JMP 0000000100070370
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                      0000000076f51560 5 bytes JMP 0000000100070470
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                            0000000076f51570 5 bytes JMP 00000001000703e0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                 0000000076f51620 5 bytes JMP 0000000100070320
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                          0000000076f51650 5 bytes JMP 00000001000703b0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                             0000000076f51670 5 bytes JMP 0000000100070390
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                   0000000076f516b0 5 bytes JMP 00000001000702e0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                 0000000076f51730 5 bytes JMP 00000001000702d0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                               0000000076f51750 5 bytes JMP 0000000100070310
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                0000000076f51790 5 bytes JMP 00000001000703c0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                             0000000076f517e0 5 bytes JMP 00000001000703f0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                0000000076f51940 5 bytes JMP 0000000100070230
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                     0000000076f51b00 5 bytes JMP 0000000100070480
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                    0000000076f51b30 5 bytes JMP 00000001000703a0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                             0000000076f51c10 5 bytes JMP 00000001000702f0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                          0000000076f51c20 5 bytes JMP 0000000100070350
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                0000000076f51c80 5 bytes JMP 0000000100070290
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                             0000000076f51d10 5 bytes JMP 00000001000702b0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                              0000000076f51d30 5 bytes JMP 00000001000703d0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                 0000000076f51d40 5 bytes JMP 0000000100070330
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                          0000000076f51db0 5 bytes JMP 0000000100070410
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                             0000000076f51de0 5 bytes JMP 0000000100070240
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                  0000000076f520a0 5 bytes JMP 00000001000701e0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                             0000000076f52160 5 bytes JMP 0000000100070250
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                             0000000076f52190 5 bytes JMP 0000000100070490
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                    0000000076f521a0 5 bytes JMP 00000001000704a0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                               0000000076f521d0 5 bytes JMP 0000000100070300
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                            0000000076f521e0 5 bytes JMP 0000000100070360
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                  0000000076f52240 5 bytes JMP 00000001000702a0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                               0000000076f52290 5 bytes JMP 00000001000702c0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                  0000000076f522c0 5 bytes JMP 0000000100070380
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                   0000000076f522d0 5 bytes JMP 0000000100070340
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                            0000000076f525c0 5 bytes JMP 0000000100070440
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                           0000000076f527c0 5 bytes JMP 0000000100070260
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                              0000000076f527d0 5 bytes JMP 0000000100070270
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                            0000000076f527e0 5 bytes JMP 0000000100070400
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                        0000000076f529a0 5 bytes JMP 00000001000701f0
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                         0000000076f529b0 5 bytes JMP 0000000100070210
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                              0000000076f52a20 5 bytes JMP 0000000100070200
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                              0000000076f52a80 5 bytes JMP 0000000100070420
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                               0000000076f52a90 5 bytes JMP 0000000100070430
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                          0000000076f52aa0 5 bytes JMP 0000000100070220
.text  C:\Windows\system32\SearchIndexer.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                  0000000076f52b80 5 bytes JMP 0000000100070280
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                              0000000076f51360 5 bytes JMP 00000000770b0460
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject                                                       0000000076f513b0 5 bytes JMP 00000000770b0450
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                       0000000076f51510 5 bytes JMP 00000000770b0370
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                            0000000076f51560 5 bytes JMP 00000000770b0470
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                  0000000076f51570 5 bytes JMP 00000000770b03e0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                       0000000076f51620 5 bytes JMP 00000000770b0320
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                0000000076f51650 5 bytes JMP 00000000770b03b0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                   0000000076f51670 5 bytes JMP 00000000770b0390
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                         0000000076f516b0 5 bytes JMP 00000000770b02e0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                       0000000076f51730 5 bytes JMP 00000000770b02d0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                     0000000076f51750 5 bytes JMP 00000000770b0310
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                      0000000076f51790 5 bytes JMP 00000000770b03c0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                   0000000076f517e0 5 bytes JMP 00000000770b03f0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                      0000000076f51940 5 bytes JMP 00000000770b0230
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                           0000000076f51b00 5 bytes JMP 00000000770b0480
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                          0000000076f51b30 5 bytes JMP 00000000770b03a0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                   0000000076f51c10 5 bytes JMP 00000000770b02f0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                0000000076f51c20 5 bytes JMP 00000000770b0350
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                      0000000076f51c80 5 bytes JMP 00000000770b0290
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                   0000000076f51d10 5 bytes JMP 00000000770b02b0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                    0000000076f51d30 5 bytes JMP 00000000770b03d0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                       0000000076f51d40 5 bytes JMP 00000000770b0330
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                0000000076f51db0 5 bytes JMP 00000000770b0410
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                   0000000076f51de0 5 bytes JMP 00000000770b0240
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                        0000000076f520a0 5 bytes JMP 00000000770b01e0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                   0000000076f52160 5 bytes JMP 00000000770b0250
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                   0000000076f52190 5 bytes JMP 00000000770b0490
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                          0000000076f521a0 5 bytes JMP 00000000770b04a0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                     0000000076f521d0 5 bytes JMP 00000000770b0300
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                  0000000076f521e0 5 bytes JMP 00000000770b0360
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                        0000000076f52240 5 bytes JMP 00000000770b02a0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                     0000000076f52290 5 bytes JMP 00000000770b02c0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread                                                        0000000076f522c0 5 bytes JMP 00000000770b0380
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                         0000000076f522d0 5 bytes JMP 00000000770b0340
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                  0000000076f525c0 5 bytes JMP 00000000770b0440
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                 0000000076f527c0 5 bytes JMP 00000000770b0260
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                    0000000076f527d0 5 bytes JMP 00000000770b0270
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                  0000000076f527e0 5 bytes JMP 00000000770b0400
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                              0000000076f529a0 5 bytes JMP 00000000770b01f0
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                               0000000076f529b0 5 bytes JMP 00000000770b0210
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                    0000000076f52a20 5 bytes JMP 00000000770b0200
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                    0000000076f52a80 5 bytes JMP 00000000770b0420
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                     0000000076f52a90 5 bytes JMP 00000000770b0430
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                0000000076f52aa0 5 bytes JMP 00000000770b0220
.text  C:\Windows\system32\wuauclt.exe[6020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                        0000000076f52b80 5 bytes JMP 00000000770b0280

---- EOF - GMER 2.1 ----
         

Alt 02.03.2015, 21:20   #5
charles_b
 

Win7: Regin ? viele Funde mit LOKI, akute Paranoia angebracht?



and now LOKI:

Code:
Feb 27 14:17:23 *****-PC LOKI: LOKI - Starting Loki Scan on *****-PC
Feb 27 14:17:23 *****-PC LOKI: Current user has admin rights - very good
Feb 27 14:17:23 *****-PC LOKI: Setting LOKI process with PID: 4876 to priority IDLE
Feb 27 14:17:23 *****-PC LOKI: File Name Characteristics initialized with 68 regex patterns
Feb 27 14:17:23 *****-PC LOKI: File Name Suspicious Characteristics initialized with 68 regex patterns
Feb 27 14:17:23 *****-PC LOKI: Malware Hashes initialized with 689 hashes
Feb 27 14:17:23 *****-PC LOKI: False Positive Hashes initialized with 12 hashes
Feb 27 14:17:23 *****-PC LOKI: Initialized Yara rules from thor-hacktools.yar
Feb 27 14:17:23 *****-PC LOKI: Initialized Yara rules from thor-webshells.yar
Feb 27 14:17:23 *****-PC LOKI: Initialized Yara rules from yara_rules.yar
Feb 27 14:17:27 *****-PC LOKI: Skipping Process - PID: 0 NAME: System Idle Process CMD: N/A
Feb 27 14:17:28 *****-PC LOKI: Skipping Process - PID: 4 NAME: System CMD: N/A
Feb 27 14:17:28 *****-PC LOKI: Scanning Process - PID: 564 NAME: smss.exe CMD: \SystemRoot\System32\smss.exe
Feb 27 14:17:28 *****-PC LOKI: Scanning Process - PID: 752 NAME: csrss.exe CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Feb 27 14:17:28 *****-PC LOKI: Scanning Process - PID: 984 NAME: wininit.exe CMD: wininit.exe
Feb 27 14:17:29 *****-PC LOKI: Scanning Process - PID: 1008 NAME: csrss.exe CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Feb 27 14:17:29 *****-PC LOKI: Scanning Process - PID: 616 NAME: services.exe CMD: C:\Windows\system32\services.exe
Feb 27 14:17:30 *****-PC LOKI: Scanning Process - PID: 632 NAME: lsass.exe CMD: C:\Windows\system32\lsass.exe
Feb 27 14:17:31 *****-PC LOKI: Scanning Process - PID: 760 NAME: lsm.exe CMD: C:\Windows\system32\lsm.exe
Feb 27 14:17:31 *****-PC LOKI: Scanning Process - PID: 1040 NAME: winlogon.exe CMD: winlogon.exe
Feb 27 14:17:32 *****-PC LOKI: Scanning Process - PID: 1124 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k DcomLaunch
Feb 27 14:17:32 *****-PC LOKI: Scanning Process - PID: 1208 NAME: nvvsvc.exe CMD: "C:\Windows\system32\nvvsvc.exe"
Feb 27 14:17:33 *****-PC LOKI: Scanning Process - PID: 1232 NAME: nvSCPAPISvr.exe CMD: "C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe"
Feb 27 14:17:34 *****-PC LOKI: Scanning Process - PID: 1272 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k RPCSS
Feb 27 14:17:35 *****-PC LOKI: Scanning Process - PID: 1340 NAME: svchost.exe CMD: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Feb 27 14:17:35 *****-PC LOKI: Scanning Process - PID: 1432 NAME: svchost.exe CMD: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Feb 27 14:17:35 *****-PC LOKI: Scanning Process - PID: 1492 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k LocalService
Feb 27 14:17:36 *****-PC LOKI: Scanning Process - PID: 1532 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k netsvcs
Feb 27 14:17:36 *****-PC LOKI: Scanning Process - PID: 1584 NAME: audiodg.exe CMD: N/A
Feb 27 14:17:37 *****-PC LOKI: Error while process memory Yara check (maybe the process doesn't exist anymore or access denied). PID: 1584 NAME: audiodg.exe
Feb 27 14:17:37 *****-PC LOKI: Scanning Process - PID: 1752 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k NetworkService
Feb 27 14:17:37 *****-PC LOKI: Scanning Process - PID: 1880 NAME: AvastSvc.exe CMD: "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Feb 27 14:17:37 *****-PC LOKI: Scanning Process - PID: 1940 NAME: NvXDSync.exe CMD: "C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe"
Feb 27 14:17:37 *****-PC LOKI: Scanning Process - PID: 1948 NAME: nvvsvc.exe CMD: C:\Windows\system32\nvvsvc.exe -session -first
Feb 27 14:17:38 *****-PC LOKI: Scanning Process - PID: 1924 NAME: spoolsv.exe CMD: C:\Windows\System32\spoolsv.exe
Feb 27 14:17:38 *****-PC LOKI: Scanning Process - PID: 2056 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Feb 27 14:17:39 *****-PC LOKI: Scanning Process - PID: 2152 NAME: schedul2.exe CMD: "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe"
Feb 27 14:17:40 *****-PC LOKI: Scanning Process - PID: 2184 NAME: PhotoshopElementsFileAgent.exe CMD: "C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe"
Feb 27 14:17:42 *****-PC LOKI: Scanning Process - PID: 2248 NAME: Fuel.Service.exe CMD: "C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe" /launchService
Feb 27 14:17:44 *****-PC LOKI: Scanning Process - PID: 2340 NAME: essvr.exe CMD: "C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE"
Feb 27 14:17:45 *****-PC LOKI: Scanning Process - PID: 2368 NAME: ExpressCache.exe CMD: "C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe"
Feb 27 14:17:45 *****-PC LOKI: Scanning Process - PID: 2416 NAME: HauppaugeTVServer.exe CMD: "C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe"
Feb 27 14:17:45 *****-PC LOKI: Scanning Process - PID: 2440 NAME: LSSrvc.exe CMD: "C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe"
Feb 27 14:17:46 *****-PC LOKI: Scanning Process - PID: 2484 NAME: NBService.exe CMD: "C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe"
Feb 27 14:17:48 *****-PC LOKI: Scanning Process - PID: 2588 NAME: HelperService.exe CMD: "C:\Program Files (x86)\PDF Architect\HelperService.exe"
Feb 27 14:17:50 *****-PC LOKI: Scanning Process - PID: 2624 NAME: ConversionService.exe CMD: "C:\Program Files (x86)\PDF Architect\ConversionService.exe"
Feb 27 14:17:51 *****-PC LOKI: Scanning Process - PID: 2676 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k imgsvc
Feb 27 14:17:51 *****-PC LOKI: Scanning Process - PID: 2704 NAME: TeamViewer_Service.exe CMD: "C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe"
Feb 27 14:17:54 *****-PC LOKI: Scanning Process - PID: 2748 NAME: TrueImageTryStartService.exe CMD: "C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe"
Feb 27 14:17:56 *****-PC LOKI: Scanning Process - PID: 2968 NAME: UsbClientService.exe CMD: "C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe"
Feb 27 14:17:57 *****-PC LOKI: Scanning Process - PID: 2992 NAME: escsvc64.exe CMD: C:\Windows\system32\EscSvc64.exe
Feb 27 14:17:57 *****-PC LOKI: Scanning Process - PID: 3088 NAME: CaptureGenPCI.exe CMD: "C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe" -Embedding
Feb 27 14:17:58 *****-PC LOKI: Scanning Process - PID: 3904 NAME: svchost.exe CMD: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Feb 27 14:17:58 *****-PC LOKI: Scanning Process - PID: 1688 NAME: WUDFHost.exe CMD: "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-960b5c56-52b0-4bd0-8b9d-b81b40506a04 -SystemEventPortName:HostProcess-e2657b63-a323-4497-be27-8b1f9404b47a -IoCancelEventPortName:HostProcess-bd9c471d-4f53-4d1c-ab64-41b4d9c6241b -NonStateChangingEventPortName:HostProcess-4688234b-f17b-4651-9d96-7ff5e41cf795 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:d5bfe5d7-6369-417e-8f42-584db5ea19f8 -DeviceGroupId:WpdFsGroup
Feb 27 14:17:59 *****-PC LOKI: Scanning Process - PID: 2132 NAME: PhotoshopElementsFileAgent.exe CMD: "C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe"
Feb 27 14:18:00 *****-PC LOKI: Scanning Process - PID: 3656 NAME: taskhost.exe CMD: "taskhost.exe"
Feb 27 14:18:00 *****-PC LOKI: Scanning Process - PID: 3472 NAME: dwm.exe CMD: "C:\Windows\system32\Dwm.exe"
Feb 27 14:18:00 *****-PC LOKI: Scanning Process - PID: 3224 NAME: WmiPrvSE.exe CMD: C:\Windows\system32\wbem\wmiprvse.exe
Feb 27 14:18:01 *****-PC LOKI: Scanning Process - PID: 1284 NAME: schedhlp.exe CMD: "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" 
Feb 27 14:18:02 *****-PC LOKI: Scanning Process - PID: 3060 NAME: ExpressCacheApp.exe CMD: "C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe" -s
Feb 27 14:18:02 *****-PC LOKI: Scanning Process - PID: 1152 NAME: svchost.exe CMD: C:\Windows\System32\svchost.exe -k secsvcs
Feb 27 14:18:02 *****-PC LOKI: Scanning Process - PID: 3880 NAME: VoipConnect.exe CMD: "C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe" -nosplash -minimized
Feb 27 14:18:02 *****-PC LOKI: Scanning Process - PID: 3084 NAME: WinTVTray.exe CMD: "C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe" 
Feb 27 14:18:03 *****-PC LOKI: Scanning Process - PID: 1652 NAME: TrueImageMonitor.exe CMD: "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" 
Feb 27 14:18:04 *****-PC LOKI: Scanning Process - PID: 1372 NAME: nvtray.exe CMD: "C:/Program Files/NVIDIA Corporation/Display/nvtray.exe" -user_has_logged_in 1
Feb 27 14:18:04 *****-PC LOKI: Scanning Process - PID: 3456 NAME: TimounterMonitor.exe CMD: "C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe" 
Feb 27 14:18:06 *****-PC LOKI: Scanning Process - PID: 4204 NAME: AvastUI.exe CMD: "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
Feb 27 14:18:06 *****-PC LOKI: Scanning Process - PID: 4216 NAME: FUFAXRCV.exe CMD: "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" 
Feb 27 14:18:07 *****-PC LOKI: Scanning Process - PID: 4324 NAME: FUFAXSTM.exe CMD: "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" 
Feb 27 14:18:08 *****-PC LOKI: Scanning Process - PID: 4444 NAME: EEventManager.exe CMD: "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" 
Feb 27 14:18:09 *****-PC LOKI: Scanning Process - PID: 4588 NAME: KiesTrayAgent.exe CMD: "C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe" 
Feb 27 14:18:12 *****-PC LOKI: Scanning Process - PID: 4828 NAME: unsecapp.exe CMD: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Feb 27 14:18:12 *****-PC LOKI: Scanning Process - PID: 5096 NAME: SearchIndexer.exe CMD: C:\Windows\system32\SearchIndexer.exe /Embedding
Feb 27 14:18:12 *****-PC LOKI: Scanning Process - PID: 2052 NAME: wmpnetwk.exe CMD: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Feb 27 14:18:12 *****-PC LOKI: Scanning Process - PID: 5204 NAME: svchost.exe CMD: C:\Windows\System32\svchost.exe -k LocalServicePeerNet
Feb 27 14:18:12 *****-PC LOKI: Scanning Process - PID: 5640 NAME: OSPPSVC.EXE CMD: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Feb 27 14:18:13 *****-PC LOKI: Scanning Process - PID: 1292 NAME: wuauclt.exe CMD: "C:\Windows\system32\wuauclt.exe"
Feb 27 14:18:14 *****-PC LOKI: Scanning Process - PID: 3244 NAME: firefox.exe CMD: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" 
Feb 27 14:18:14 *****-PC LOKI: Scanning Process - PID: 5176 NAME: plugin-container.exe CMD: "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel=3244.197dbf60.2125378784 "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll" -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" E7CF176E110C211B 3244 "\\.\pipe\gecko-crash-server-pipe.3244" plugin
Feb 27 14:18:14 *****-PC LOKI: Scanning Process - PID: 5872 NAME: FlashPlayerPlugin_16_0_0_305.exe CMD: "C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe" --proxy-stub-channel=Flash5176.5E896188.19395 --host-broker-channel=Flash5176.5E896188.1588 --host-pid=5176 --host-npapi-version=27 --plugin-path="C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll"
Feb 27 14:18:16 *****-PC LOKI: Scanning Process - PID: 1712 NAME: FlashPlayerPlugin_16_0_0_305.exe CMD: "C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe" --channel=5872.0064F1E8.799481580 --proxy-stub-channel=Flash5176.5E896188.19395 --plugin-path="C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll" --host-npapi-version=27 --type=renderer
Feb 27 14:18:16 *****-PC LOKI: Scanning Process - PID: 5972 NAME: loki.exe CMD: "C:\Users\*****\Downloads\loki.exe" 
Feb 27 14:18:16 *****-PC LOKI: Scanning Process - PID: 3692 NAME: loki.exe CMD: "C:\Users\*****\Downloads\loki.exe" 
Feb 27 14:18:16 *****-PC LOKI: Scanning Process - PID: 4640 NAME: loki.exe CMD: "C:\Users\*****\Downloads\loki.exe" 
Feb 27 14:18:17 *****-PC LOKI: Scanning Process - PID: 1516 NAME: loki.exe CMD: "C:\Users\*****\Downloads\Loki-master\Loki-master\loki.exe" 
Feb 27 14:18:17 *****-PC LOKI: Scanning Process - PID: 4224 NAME: svchost.exe CMD: C:\Windows\System32\svchost.exe -k WerSvcGroup
Feb 27 14:18:17 *****-PC LOKI: Scanning Process - PID: 5428 NAME: explorer.exe CMD: explorer.exe
Feb 27 14:18:17 *****-PC LOKI: explorer.exe has a parent ID but should have none PID: 5428 NAME: explorer.exe OWNER: ***** CMD: C:\Windows\explorer.exe PATH: C:\Windows\explorer.exe
Feb 27 14:18:17 *****-PC LOKI: Scanning Process - PID: 4464 NAME: SearchProtocolHost.exe CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2571380908-3574024337-2633154625-10004_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2571380908-3574024337-2633154625-10004 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
Feb 27 14:18:17 *****-PC LOKI: Error while process memory Yara check (maybe the process doesn't exist anymore or access denied). PID: 4464 NAME: SearchProtocolHost.exe
Feb 27 14:18:18 *****-PC LOKI: Scanning Process - PID: 2584 NAME: SearchFilterHost.exe CMD: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520 
Feb 27 14:18:18 *****-PC LOKI: Error while process memory Yara check (maybe the process doesn't exist anymore or access denied). PID: 2584 NAME: SearchFilterHost.exe
Feb 27 14:18:18 *****-PC LOKI: Scanning Process - PID: 6132 NAME: loki.exe CMD: "C:\Loki-master\loki.exe" 
Feb 27 14:18:18 *****-PC LOKI: Scanning Process - PID: 5952 NAME: conhost.exe CMD: \??\C:\Windows\system32\conhost.exe "329462692-390639054-12001081291654027199633157389-181121868726655263-434927851
Feb 27 14:18:20 *****-PC LOKI: Skipping LOKI Process - PID: 4876 NAME: loki.exe CMD: "C:\Loki-master\loki.exe" 
Feb 27 14:18:20 *****-PC LOKI: Scanning Process - PID: 5080 NAME: WmiPrvSE.exe CMD: C:\Windows\sysWOW64\wbem\wmiprvse.exe -Embedding
Feb 27 14:18:21 *****-PC LOKI: Scanning C:\ ...  
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_BackDoorLogger FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_Jasus FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_ShellCreator2 FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_SmartCopy2 FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_TinyZBot FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_ZhoupinExploitCrew FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_antivirusdetector FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_csext FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_kagent FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_mimikatzWrapper FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_pvz_in FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_zhLookUp FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:28 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_zhmimikatz FILE: C:\Loki-master\optional_signatures\public_apt_win_cleaver.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: r57shell_php_php FILE: C:\Loki-master\optional_signatures\public_web_exploits.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WindowsCredentialEditor FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Amplia_Security_Tool FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PwDump FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PScan_Portscan_1 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: HackTool_Samples FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: HackTool_Producers FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Mimikatz_Memory_Rule_1 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Mimikatz_Memory_Rule_2 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Mimikatz_SampleSet_1 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Mimikatz_SampleSet_3 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Mimikatz_SampleSet_5 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Mimikatz_SampleSet_7 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Fierce2 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Ncrack FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: SQLMap FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PortScanner FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: NetBIOS_Name_Scanner FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: FeliksPack3___Scanners_ipscan FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: IP_Stealing_Utilities FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PortRacer FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: scanarator FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _Bitchin_Threads_ FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: portscan FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ProPort_zip_Folder_ProPort FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: StealthWasp_s_Basic_PortScanner_v1_2 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: BluesPortScan FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: scanarator_iis FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Angry_IP_Scanner_v2_08_ipscan FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: crack_Loader FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: CN_Packed_Scanner FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Beastdoor_Backdoor FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Powershell_Netcat FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: CN_Hacktool_MilkT_Scanner FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WCE_Modified_1_1014 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: iKAT_command_lines_agent FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: iKAT_startbar FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: iKAT_gpdisable_customcmd_kitrap0d_uacpoc FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: BypassUac2 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: BypassUac_9 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: APT_Proxy_Malware_Packed_dev FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Ncat_Hacktools_CN FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: MS08_067_Exploit_Hacktools_CN FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_Burst_sql FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_JoHor_Rdos FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_Panda_445TOOL FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_WinEggDrop FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_Panda_Burst FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_GOGOGO_Bat FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_Burst_pass FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_JoHor_Posts_Killer FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_JoHor_Rdos_3_6_uplis FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_JoHor_Rdos_get FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_JoHor_Rdos_LineExp FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_Burst_Start FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Hacktools_CN_Burst_Blast FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: VUBrute_VUBrute FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: VUBrute_config FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_listip FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ArtTrayHookDll FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: EditServer FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_letmein FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_token FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_webget FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ASPack_Chinese FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_filespy FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: EditKeyLogReadMe FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PassSniffer_zip_Folder_readme FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: EditKeyLog FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PassSniffer FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: UnPack_rar_Folder_InjectT FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Jc_WinEggDrop_Shell FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: UnPack_rar_Folder_TBack FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ByPassFireWall_zip_Folder_Inject FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_sqlcmd FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_2323 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: CleanIISLog FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sqlcheck FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_RunAsEx FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: SplitJoin_V1_3_3_rar_Folder_3 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: InstGina FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_findoor FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WinEggDropShellFinal_zip_Folder_InjectT FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: gina_zip_Folder_gina FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_xsniff FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_238_fscan FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _FsHttp_FsPop_FsSniffer FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Ammyy_Admin_AA_v3 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: LinuxHacktool_eyes_scanssh FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: LinuxHacktool_eyes_scanner FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: LinuxHacktool_eyes_pscan2 FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: LinuxHacktool_eyes_a FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: LinuxHacktool_eyes_mass FILE: C:\Loki-master\signatures\thor-hacktools.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_iMHaPFtp_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_caidao_shell_guo FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_redcod FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_php_sh_server FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_cihshell_fix FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_php_up FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_asp_EFSO_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_jsp_up FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_Server_Variables FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_caidao_shell_ice_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_phpspy2010 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_asp_ice FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_asp_404 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshell_cnseay02_1 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_php_fbi FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_B374kPHP_B374k FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_php_list FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_caidao_shell_404 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_ASP_aspydrv FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_Dx_Dx FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_MySQL_Web_Interface_Version_0_8 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_phpkit_1_0_odd FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_wsb_idc FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_php_404 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshell_cnseay_x FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_asp_up FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_phpkit_0_1a_odd FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_jsp_k81 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_jsp_cmdjsp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_Java_Shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_r57142 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_simple_backdoor FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_php_cmd FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_co FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_150 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_c37 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_b37 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_PHP_bug_1_ FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_ghost_source_icesword_silic FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_jsp_reverse_jsp_reverse_jspbd FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_itsec_PHPJackal_itsecteam_shell_jHn FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_000_403_807_a_c5_config_css_dm_he1p_xxx FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_c99_locus7s_c99_w4cking_xxx FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_r57shell127_r57_kartal_r57 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_con2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_Expdoor_com_ASP FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_php2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_bypass_iisuser_p FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_sig_404super FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_JSP FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshell_123 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_dev_core FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_pHp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_pppp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_code FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_xxxx FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_PHP1 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_asp1 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_php6 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_GetPostpHp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_php5 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_PHP FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: webshell_webshells_new_Asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: perlbot_pl FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: php_backdoor_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: shankar_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Casus15_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: small_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: shellbot_pl FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: fuckphpshell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ngh_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: jsp_reverse_jsp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Tool_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: NT_Addy_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: phvayvv_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: r57shell_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: rst_sql_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: wh_bindshell_py FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: lurm_safemod_on_cgi FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: c99madshell_v2_0_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: w3d_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WinX_Shell_html FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Dx_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: csh_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: pHpINJ_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sig_2008_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ak74shell_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Rem_View_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Java_Shell_js FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: STNC_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: aZRaiLPhp_v1_0_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: zacosmall_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: CmdAsp_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: simple_backdoor_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: mysql_shell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Dive_Shell_1_0___Emperor_Hacking_Team_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Asmodeus_v0_1_pl FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Reader_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: phpshell17_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: SimShell_1_0___Simorgh_Security_MGZ_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: jspshall_jsp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: rootshell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: connectback2_pl FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: shells_PHP_wso FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: backdoor1_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: elmaliseker_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: s72_Shell_v1_1_Coding_html FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: hidshell_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: kacak_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PHP_Backdoor_Connect_pl_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Antichat_Socks5_Server_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Antichat_Shell_v1_3_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: cyberlords_sql_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: EFSO_2_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: lamashell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Ajax_PHP_Command_Shell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: JspWebshell_1_2_jsp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Sincap_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Phyton_Shell_py FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sh_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: phpjackal_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sql_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: cgi_python_py FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ru24_post_sh_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: telnetd_pl FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: php_include_w_shell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: shell_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: telnet_cgi FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ironshell_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: backdoorfr_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: aspydrv_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: cmdjsp_jsp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: h4ntu_shell__powered_by_tsoi_ FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Ajan_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PHANTASMA_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: MySQL_Web_Interface_Version_0_8_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _nst_php_php_img_php_php_nstview_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _network_php_php_xinfo_php_php_nfm_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _w_php_php_wacking_php_php_SpecialShell_99_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _wacking_php_php_1_SpecialShell_99_php_php_c100_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: multiple_php_webshells FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _w_php_php_c99madshell_v2_1_php_php_wacking_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _r577_php_php_r57_php_php_spy_php_php_s_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: PHP_Cloaked_Webshell_SuperFetchExec FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_dC3_Security_Crew_Shell_PRiV FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_simattacker FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_DTool_Pro FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_ironshell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_b374k_mini_shell_php_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Sincap_1_0 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_b374k_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_h4ntu_shell__powered_by_tsoi_ FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_MyShell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_pws FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_reader_asp_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_backdoor FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_pHpINJ FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_NGH FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_matamu FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_ru24_post_sh FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_hiddens_shell_v1 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_c99_locus7s FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_safe0ver FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_kral FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_cgitelnet FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_NTDaddy_v1_9 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_lamashell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Simple_PHP_backdoor_by_DK FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_CmdAsp_asp_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_NCC_Shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_README FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_backupsql FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_AK_74_Security_Team_Web_Shell_Beta_Version FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_cpanel FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_529 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_qsd_php_backdoor FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Gamma_Web_Shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_WinX_Shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_include_w_shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_PhpSpy_Ver_2006 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_myshell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_lolipop FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_simple_cmd FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_go_shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_aZRaiLPhp_v1_0 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_webshells_zehir4 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_zehir4_asp_php FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_lostDC FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_CasuS_1_5 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Generic_PHP_1 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell__CrystalShell_v_1_erne_stres FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Generic_PHP_5 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell__findsock_php_findsock_shell_php_reverse_shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_Generic_PHP_6 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Unpack_Injectt FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: FeliksPack3___PHP_Shells_ssh FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: bin_Client FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: ZXshell2_0_rar_Folder_ZXshell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: RkNTLoad FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: binder2_binder2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: thelast_orice2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: sendmail FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: FSO_s_zehir4 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: hkshell_hkshell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: DarkSpy105 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: EditServer FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: FSO_s_reader FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: svchostdll FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HYTop_DevPack_server FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: vanquish FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: BIN_Client FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Simple_PHP_BackDooR FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: hkshell_hkrmv FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FeliksPack3___PHP_Shells_phpft FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: bdcli100 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: rdrbs084 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HYTop_CaseSwitch_2005 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FSO_s_casus15_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: installer FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: elmaliseker FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: shelltools_g0t_root_resolve FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: shelltools_g0t_root_Fport FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HYTop_DevPack_upload FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: PasswordReminder FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: rknt_zip_Folder_RkNT FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: dbgntboot FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: PHP_shell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: rdrbs100 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Mithril_Mithril FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: hkdoordll FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Mithril_v1_45_dllTest FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: dbgiis6cli FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Debug_cress FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FeliksPack3___PHP_Shells_usr FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FSO_s_phpinj FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: xssshell_db FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: EditServer_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: by064cli FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Mithril_dllTest FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: connector FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: shelltools_g0t_root_HideRun FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: regshell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: PHP_Shell_v1_7 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: xssshell_save FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: screencap FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: ZXshell2_0_rar_Folder_zxrecv FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: _root_040_zip_Folder_deploy FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: by063cli FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: icyfox007v1_10_rar_Folder_asp FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: byshell063_ntboot_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: shelltools_g0t_root_xwhois FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: vanquish_2 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: ZXshell2_0_rar_Folder_nc FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: BIN_Server FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HYTop2006_rar_Folder_2006 FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HDConfig FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Webshell_and_Exploit_CN_APT_HK FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Pastebin_Webshell FILE: C:\Loki-master\signatures\thor-webshells.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HackTool_Samples FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FiveEyes_QUERTY_Malwaresig_20123_cmdDef FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FiveEyes_QUERTY_Malwareqwerty_20123 FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FiveEyes_QUERTY_Malwaresig_20120_cmdDef FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: FiveEyes_QUERTY_Malwaresig_20121_cmdDef FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_BackDoorLogger FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_Jasus FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_ShellCreator2 FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_SmartCopy2 FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_SynFlooder FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_TinyZBot FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_ZhoupinExploitCrew FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_antivirusdetector FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_csext FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_kagent FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_mimikatzWrapper FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_pvz_in FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_zhLookUp FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_zhmimikatz FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: OPCLEAVER_CCProxy_Config FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: WaterBug_wipbot_2013_dll FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Anthem_DeepPanda_lot1 FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: Anthem_DeepPanda_htran_exe FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: apt_equation_equationlaser_runtimeclasses FILE: C:\Loki-master\signatures\yara_rules.yar
Feb 27 14:45:17 *****-PC LOKI: File Name Suspicious IOC matched PATTERN: \\windows\.exe$ DESC: ThreatExpert Statistics - filename known for malware MATCH: C:\Program Files (x86)\ Malwarebytes Anti-Malware \Chameleon\Windows\windows.exe
Feb 27 15:37:20 *****-PC LOKI: File Name Suspicious IOC matched PATTERN: \\starter\.exe$ DESC: ThreatExpert Statistics - filename known for malware MATCH: C:\Users\*****\Downloads\adt-bundle-windows-x86_64-20131030\eclipse\plugins\org.eclipse.cdt.core.win32.x86_64_5.2.0.201202111925\os\win32\x86_64\starter.exe
         


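Every Yara hit in the LOKI log above names a file under C:\Loki-master\signatures\, i.e. the scanner matched its own rule files, which naturally contain the very strings the rules look for; only the two filename-IOC hits point at other files, and both paths (a Malwarebytes component and an Eclipse plugin) can be checked by hand. The following Python triage script is an added example for this thread, not code from LOKI or from any poster: it parses the two LOKI line formats seen above, separates Yara hits on the signature folder (self-matches) from Yara hits on any other file, and lists the filename-IOC hits for review. The signature folder path is taken from the log; the sample input consists of five lines copied from the log plus one constructed Yara hit on a made-up path outside the signature folder, so that the review bucket is not empty.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# The two LOKI line formats that occur in the log above: a syslog-style
# prefix ("<date> <host> LOKI: ") followed by the finding.
YARA_RE = re.compile(
    r"LOKI: Yara Rule MATCH: (?P<rule>\S+) FILE: (?P<path>.+?)\s*$"
)
IOC_RE = re.compile(
    r"LOKI: File Name Suspicious IOC matched PATTERN: (?P<pattern>\S+)"
    r" DESC: (?P<desc>.+?) MATCH: (?P<path>.+?)\s*$"
)

# Folder LOKI was run from in this thread; the path is taken from the log.
SIGNATURE_DIR = r"C:\Loki-master\signatures"

# Sample input: five lines copied from the log above plus one constructed
# Yara hit on a file outside the signature folder (that path is made up).
SAMPLE_LOG = [
    r"Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_myshell FILE: C:\Loki-master\signatures\thor-webshells.yar",
    r"Feb 27 14:21:30 *****-PC LOKI: Yara Rule MATCH: Unpack_Injectt FILE: C:\Loki-master\signatures\thor-webshells.yar",
    r"Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: HackTool_Samples FILE: C:\Loki-master\signatures\yara_rules.yar",
    r"Feb 27 14:21:31 *****-PC LOKI: Yara Rule MATCH: apt_equation_equationlaser_runtimeclasses FILE: C:\Loki-master\signatures\yara_rules.yar",
    r"Feb 27 14:45:17 *****-PC LOKI: File Name Suspicious IOC matched PATTERN: \\windows\.exe$ DESC: ThreatExpert Statistics - filename known for malware MATCH: C:\Program Files (x86)\ Malwarebytes Anti-Malware \Chameleon\Windows\windows.exe",
    r"Feb 27 15:37:20 *****-PC LOKI: File Name Suspicious IOC matched PATTERN: \\starter\.exe$ DESC: ThreatExpert Statistics - filename known for malware MATCH: C:\Users\*****\Downloads\adt-bundle-windows-x86_64-20131030\eclipse\plugins\org.eclipse.cdt.core.win32.x86_64_5.2.0.201202111925\os\win32\x86_64\starter.exe",
    # constructed: the same rule, but on a file that is not a rule file
    r"Feb 27 14:30:00 *****-PC LOKI: Yara Rule MATCH: WebShell_php_webshells_myshell FILE: C:\Users\example\Downloads\sample.php",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one LOKI log line into a finding dict; None for other lines."""
    m = YARA_RE.search(line)
    if m:
        return {"kind": "yara", "rule": m["rule"], "path": m["path"]}
    m = IOC_RE.search(line)
    if m:
        return {"kind": "filename_ioc", "pattern": m["pattern"],
                "desc": m["desc"], "path": m["path"]}
    return None


def is_under(path: str, folder: str) -> bool:
    """Case-insensitive test whether a Windows path lies below a folder."""
    prefix = folder.rstrip("\\").lower() + "\\"
    return path.lower().startswith(prefix)


def triage(lines: Iterable[str],
           signature_dir: str = SIGNATURE_DIR) -> Dict[str, List[dict]]:
    """Sort findings into three buckets:
    self_match   - Yara hits on LOKI's own rule files (expected noise)
    yara_review  - Yara hits on any other file (needs a look)
    filename_ioc - filename-pattern hits (check the full path by hand)
    """
    buckets: Dict[str, List[dict]] = {
        "self_match": [], "yara_review": [], "filename_ioc": []}
    for line in lines:
        finding = parse_line(line)
        if finding is None:
            continue
        if finding["kind"] == "filename_ioc":
            buckets["filename_ioc"].append(finding)
        elif is_under(finding["path"], signature_dir):
            buckets["self_match"].append(finding)
        else:
            buckets["yara_review"].append(finding)
    return buckets


def signature_file_counts(buckets: Dict[str, List[dict]]) -> Counter:
    """How many self-matches each rule file produced (by file name)."""
    return Counter(f["path"].rsplit("\\", 1)[-1]
                   for f in buckets["self_match"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("self-matches on rule files:", len(result["self_match"]),
          dict(signature_file_counts(result)))
    for f in result["yara_review"]:
        print("REVIEW yara", f["rule"], "->", f["path"])
    for f in result["filename_ioc"]:
        print("REVIEW name", f["pattern"], "->", f["path"])
```

Run it against a full LOKI log by replacing SAMPLE_LOG with the lines of the log file; the self-match count should then equal the number of Yara lines in the log above, and only the two filename-IOC lines remain for manual review. Excluding the scanner's own folder from the scan avoids this noise in the first place.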
Alt 04.03.2015, 05:24   #6
schrauber
/// the machine
/// TB-Ausbilder
 


hi,

Please download Revo Uninstaller from here: Revo Uninstaller Download Revo Uninstaller (alternatively the portable Revo Uninstaller).
  • Install and start the program. (Illustrated guide to Revo Uninstaller)
  • Click on Options and select German as the language.
  • Search the uninstaller list for the following programs:

    Snap.Do

    Snap.Do Engine

    Snap.Do Engine


  • Select the programs one after another and click Uninstall each time.
  • Then select the "Moderate" mode.
  • Delete leftovers:
    Click on , then on , and then on .

 





Scan with Combofix
WARNING to anyone reading along:
Combofix should only be run when a team member has instructed you to do so!

Please download Combofix from the following download mirror: Link
  • IMPORTANT: Save Combofix to your desktop.
  • Please disable all of your antivirus software and malware/spyware scanners. They can interfere with Combofix's work. Combofix sometimes still complains anyway; you can ignore that, but please let me know.
  • Start Combofix.exe and follow the instructions on the screen.
  • While Combofix is running, do not work on the computer, move the mouse or click into the Combofix window!
  • When Combofix has finished, it will create a log file.
  • Please post C:\Combofix.txt in your next reply (preferably in CODE tags).
Note: If you get the following error message after the restart
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
simply restart the computer. This should fix the problem.


Alt 04.03.2015, 21:48   #7
charles_b
 

Everything worked as expected; Combofix did not complain either.

Here is the log:

Code:
ComboFix 15-03-01.01 - Laslo 04.03.2015  22:27:33.1.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.49.1031.18.8173.4204 [GMT 1:00]
ausgeführt von:: c:\users\Laslo\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Laslo\AppData\Local\assembly\tmp
c:\users\Laslo\AppData\Local\assembly\tmp\GLI2Y6NE\__AssemblyInfo__.ini
c:\users\Laslo\AppData\Local\assembly\tmp\GLI2Y6NE\AddinExpress.MSO.2005.DLL
.
.
(((((((((((((((((((((((   Dateien erstellt von 2015-02-04 bis 2015-03-04  ))))))))))))))))))))))))))))))
.
.
2015-03-04 21:40 . 2015-03-04 21:40	--------	d-----w-	c:\users\UpdatusUser\AppData\Local\temp
2015-03-04 20:50 . 2015-03-04 20:50	--------	d-----w-	c:\program files (x86)\VS Revo Group
2015-03-03 17:18 . 2015-01-29 09:07	11910896	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D93A2E4C-7C1D-4F0D-A0DF-39D47D27D150}\mpengine.dll
2015-03-02 19:30 . 2015-03-02 19:32	--------	d-----w-	C:\FRST
2015-02-28 13:55 . 2015-02-28 13:55	--------	d-----w-	c:\users\Laslo\AppData\Local\Apps
2015-02-27 12:58 . 2015-03-02 19:24	--------	d-----w-	C:\Loki-master
2015-02-26 21:40 . 2015-02-27 11:53	--------	d-----w-	c:\program files (x86)\Mozilla Thunderbird
2015-02-20 20:33 . 2015-02-20 20:33	--------	d-sh--w-	c:\users\Laslo\AppData\Local\EmieUserList
2015-02-20 20:33 . 2015-02-20 20:33	--------	d-sh--w-	c:\users\Laslo\AppData\Local\EmieSiteList
2015-02-20 20:33 . 2015-02-20 20:33	--------	d-sh--w-	c:\users\Laslo\AppData\Local\EmieBrowserModeList
2015-02-17 18:19 . 2015-02-23 00:41	--------	d-----w-	c:\users\Laslo\AppData\Local\JDownloader 2.0
2015-02-17 17:56 . 2015-01-09 03:14	91136	----a-w-	c:\windows\system32\wdi.dll
2015-02-17 17:56 . 2015-01-09 03:14	950272	----a-w-	c:\windows\system32\perftrack.dll
2015-02-17 17:56 . 2015-01-09 03:14	29696	----a-w-	c:\windows\system32\powertracker.dll
2015-02-17 17:56 . 2015-01-09 02:48	76800	----a-w-	c:\windows\SysWow64\wdi.dll
2015-02-12 15:36 . 2015-01-23 03:43	620032	----a-w-	c:\windows\SysWow64\jscript9diag.dll
2015-02-12 15:36 . 2015-01-23 03:17	4300800	----a-w-	c:\windows\SysWow64\jscript9.dll
2015-02-12 15:36 . 2015-01-23 04:42	814080	----a-w-	c:\windows\system32\jscript9diag.dll
2015-02-12 15:36 . 2015-01-23 04:41	6041600	----a-w-	c:\windows\system32\jscript9.dll
2015-02-11 07:47 . 2015-01-13 03:10	1424384	----a-w-	c:\windows\system32\WindowsCodecs.dll
2015-02-11 07:46 . 2014-12-08 03:09	406528	----a-w-	c:\windows\system32\scesrv.dll
2015-02-11 07:46 . 2014-12-08 02:46	308224	----a-w-	c:\windows\SysWow64\scesrv.dll
2015-02-11 07:46 . 2015-01-14 06:09	5554112	----a-w-	c:\windows\system32\ntoskrnl.exe
2015-02-11 07:46 . 2015-01-14 05:44	3972544	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2015-02-11 07:46 . 2015-01-14 05:44	3917760	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2015-02-11 07:46 . 2015-01-14 06:05	503808	----a-w-	c:\windows\system32\srcore.dll
2015-02-11 07:46 . 2015-01-14 06:05	50176	----a-w-	c:\windows\system32\srclient.dll
2015-02-11 07:46 . 2015-01-14 06:04	296960	----a-w-	c:\windows\system32\rstrui.exe
2015-02-11 07:46 . 2015-01-14 05:41	43008	----a-w-	c:\windows\SysWow64\srclient.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-04 21:17 . 2014-12-01 10:59	129752	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-03-04 19:19 . 2012-05-26 05:24	25640	----a-w-	c:\windows\gdrv.sys
2015-02-05 14:21 . 2012-06-11 20:16	701616	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2015-02-05 14:21 . 2012-06-11 20:16	71344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-22 23:41 . 2010-11-21 03:27	298120	------w-	c:\windows\system32\MpSigStub.exe
2014-12-19 03:06 . 2015-01-14 07:31	210432	----a-w-	c:\windows\system32\profsvc.dll
2014-12-19 01:46 . 2015-01-14 07:31	141312	----a-w-	c:\windows\system32\drivers\mrxdav.sys
2014-12-11 17:47 . 2015-01-14 07:31	52736	----a-w-	c:\windows\system32\TSWbPrxy.exe
2014-12-06 04:17 . 2015-01-14 07:31	303616	----a-w-	c:\windows\system32\nlasvc.dll
2014-12-06 03:50 . 2015-01-14 07:31	52224	----a-w-	c:\windows\SysWow64\nlaapi.dll
2014-12-06 03:50 . 2015-01-14 07:31	156672	----a-w-	c:\windows\SysWow64\ncsi.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExpressCacheUI"="c:\program files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe" [2013-01-08 3991424]
"CAHeadless"="c:\program files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe" [2014-08-21 1401040]
"VoipConnect"="c:\program files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe" [2014-12-04 23048288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-08-31 2622232]
"AcronisTimounterMonitor"="c:\program files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-08-31 907040]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-06 642216]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-11-05 5223016]
"FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2012-07-09 502952]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2012-07-09 863400]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2012-04-02 1058912]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2014-07-25 311616]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinTV Recording Status.lnk - c:\program files (x86)\WinTV\WinTV7\WinTVTray.exe [2013-2-23 151040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe;c:\windows\SYSNATIVE\AppleChargerSrv.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys;c:\windows\SYSNATIVE\drivers\dgderdrv.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys;c:\windows\SYSNATIVE\DRIVERS\RtTeam60.sys [x]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan620.sys;c:\windows\SYSNATIVE\DRIVERS\RtVlan620.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssudserd.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys;c:\windows\SYSNATIVE\DRIVERS\RtTeam60.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 usbrndis6;USB-RNDIS6-Adapter;c:\windows\system32\DRIVERS\usb80236.sys;c:\windows\SYSNATIVE\DRIVERS\usb80236.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 excsd;ExpressCache Storage Filter Driver;c:\windows\system32\DRIVERS\excsd.sys;c:\windows\SYSNATIVE\DRIVERS\excsd.sys [x]
S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys;c:\windows\SYSNATIVE\DRIVERS\hotcore3.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AppleCharger.sys [x]
S1 aswKbd;aswKbd; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 excfs;ExpressCache File System Filter Driver;c:\windows\system32\DRIVERS\excfs.sys;c:\windows\SYSNATIVE\DRIVERS\excfs.sys [x]
S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys;c:\windows\SYSNATIVE\drivers\hcw88aud.sys [x]
S2 AdobeActiveFileMonitor12.0;Adobe Active File Monitor V12;c:\program files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [x]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [x]
S2 ExpressCache;ExpressCache;c:\program files\Condusiv Technologies\ExpressCache\ExpressCache.exe;c:\program files\Condusiv Technologies\ExpressCache\ExpressCache.exe [x]
S2 HauppaugeTVServer;HauppaugeTVServer;c:\program files (x86)\WinTV\TVServer\HauppaugeTVServer.exe;c:\program files (x86)\WinTV\TVServer\HauppaugeTVServer.exe [x]
S2 PDF Architect Helper Service;PDF Architect Helper Service;c:\program files (x86)\PDF Architect\HelperService.exe;c:\program files (x86)\PDF Architect\HelperService.exe [x]
S2 PDF Architect Service;PDF Architect Service;c:\program files (x86)\PDF Architect\ConversionService.exe;c:\program files (x86)\PDF Architect\ConversionService.exe [x]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys;c:\windows\SYSNATIVE\DRIVERS\RtNdPt60.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 UsbClientService;UsbClientService;c:\program files (x86)\Synology\Assistant\UsbClientService.exe;c:\program files (x86)\Synology\Assistant\UsbClientService.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 busenum;Synology Virtual USB Hub;c:\windows\system32\DRIVERS\busenum.sys;c:\windows\SYSNATIVE\DRIVERS\busenum.sys [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys [x]
S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys;c:\windows\SYSNATIVE\drivers\hcw88bda.sys [x]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys;c:\windows\SYSNATIVE\drivers\hcw88tse.sys [x]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys;c:\windows\SYSNATIVE\drivers\hcw88tun.sys [x]
S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys;c:\windows\SYSNATIVE\drivers\hcw88vid.sys [x]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88BAR.sys;c:\windows\SYSNATIVE\drivers\HCW88BAR.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 11:43	451872	----a-w-	c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Inhalt des "geplante Tasks" Ordners
.
2015-03-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-11 14:21]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-11-05 22:14	860984	----a-w-	c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-08-31 140568]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-06-03 472984]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.178.1
FF - ProfilePath - c:\users\Laslo\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\
FF - prefs.js: keyword.URL - hxxps://www.google.de/search?q=
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-EasyVoip - c:\program files (x86)\EasyVoip.com\EasyVoip\easyvoip.exe
Wow6432Node-HKCU-Run-*LABAL* - (no file)
SafeBoot-63435898.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2015-03-04  22:44:17
ComboFix-quarantined-files.txt  2015-03-04 21:44
.
Vor Suchlauf: 17 Verzeichnis(se), 25.239.777.280 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 25.503.408.128 Bytes frei
.
- - End Of File - - C49575DE1D846D72697CC63D0B114351
5FB38429D5D77768867C76DCBDB35194
         

Old 05.03.2015, 08:12   #8
schrauber
/// the machine
/// TB Trainer

Win7: Regin? Many hits with LOKI, is acute paranoia warranted?



Please download Malwarebytes Anti-Malware
  • Install the program to the default path. (Illustrated guide to MBAM)
  • Start Malwarebytes' Anti-Malware (MBAM).
  • Then click Scan, select Threat Scan and click Start Scan.
  • At the end of the scan, have all findings (if any) moved to quarantine. To do this, click Remove Selected.
  • Let your computer restart if necessary to complete the cleanup.
  • Start MBAM, click History and then Application Logs.
  • Select the most recent scan log and click Export. Choose Text file (.txt) and save the file as mbam.txt on the desktop. You can find the MBAM log file here.
  • Add the contents of mbam.txt to your next reply.


Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure that all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will be restarted automatically. After the restart a text file opens. Post its contents in your next reply.
  • You will also find the log file under C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).

Please close your protection software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop.

  • Start the tool with a double-click. From Windows Vista (or later), please start it with right-click "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan may take a while.
  • When the tool is finished, the log file (JRT.txt) is saved on the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.


and a fresh FRST log please.
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009

No help via PM!
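As an added triage example (not code from this thread or from FRST itself), the script below scans an FRST.txt for the markers FRST writes into its own output for lines worth a second look (`<======= ATTENTION`, `[X]` and `No File` for entries whose file is missing, `[File not signed]`) and groups them by section. The embedded log is a constructed excerpt modelled on the thread's FRST log; SIDs and CLSIDs in it are placeholders.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example, not part of the Trojaner-Board thread or of FRST.
It reads the plain-text FRST.txt, tracks the current section
(the '==== Name ====' headers) and collects every line carrying one
of the markers FRST itself emits for items a helper usually asks about.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Markers FRST writes into its own output. Checked in this order,
# one marker per line is enough for triage.
MARKERS = {
    "attention": re.compile(r"<=+ ATTENTION"),          # policy restrictions etc.
    "missing_file": re.compile(r"\[X\]$|\bNo File\b"),  # referenced file not found
    "unsigned": re.compile(r"\[File not signed\]"),     # service binary lacks a signature
}

# Constructed excerpt modelled on the thread's log (placeholder SIDs/CLSIDs).
SAMPLE_LOG = """\
==================== Registry (Whitelisted) ==================

HKLM-x32\\...\\Run: [AvastUI.exe] => C:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe [5223016 2014-11-05] (AVAST Software)
GroupPolicyUsers\\S-1-5-21-0-0-0-1359\\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKU\\S-1-5-21-0-0-0-1000\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer: Policy restriction <======= ATTENTION
BHO-x32: PDF Architect Helper -> {PLACEHOLDER-CLSID-1} -> C:\\Program Files (x86)\\PDF Architect\\PDFIEHelper.dll No File
Toolbar: HKLM - No Name - {PLACEHOLDER-CLSID-2} -  No File

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; C:\\Program Files\\ATI Technologies\\ATI.ACE\\Fuel\\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

R3 MBAMProtector; C:\\Windows\\system32\\drivers\\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 athr; system32\\DRIVERS\\athrx.sys [X]
S3 catchme; \\??\\C:\\ComboFix\\catchme.sys [X]
"""


def triage_frst(log_text):
    """Return {section: [(marker_name, line), ...]} for every flagged line."""
    findings = defaultdict(list)
    section = "(header)"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        for name, pattern in MARKERS.items():
            if pattern.search(line):
                findings[section].append((name, line))
                break
    return dict(findings)


def summary(findings):
    """Count flagged lines per marker type across all sections."""
    counts = defaultdict(int)
    for items in findings.values():
        for name, _ in items:
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage_frst(SAMPLE_LOG)
    for sec, items in result.items():
        print(f"[{sec}]")
        for name, line in items:
            print(f"  {name:13s} {line}")
    print(summary(result))
```

Run it against a real FRST.txt by replacing SAMPLE_LOG with the file's contents; the output is a worklist, not a verdict, since a stale driver entry with `[X]` is often just leftover from an uninstall.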

Old 05.03.2015, 11:30   #9
charles_b

Win7: Regin? Many hits with LOKI, is acute paranoia warranted?



MBAM:
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 05.03.2015
Suchlauf-Zeit: 09:35:11
Logdatei: MWB0503.txt
Administrator: Ja

Version: 2.00.4.1028
Malware Datenbank: v2015.03.05.01
Rootkit Datenbank: v2015.02.25.01
Lizenz: Testversion
Malware Schutz: Aktiviert
Bösartiger Webseiten Schutz: Aktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: *****

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 535541
Verstrichene Zeit: 14 Min, 47 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Warnen
PUM: Aktiviert

Prozesse: 0
(Keine schädliche Elemente erkannt)

Module: 0
(Keine schädliche Elemente erkannt)

Registrierungsschlüssel: 0
(Keine schädliche Elemente erkannt)

Registrierungswerte: 0
(Keine schädliche Elemente erkannt)

Registrierungsdaten: 0
(Keine schädliche Elemente erkannt)

Ordner: 0
(Keine schädliche Elemente erkannt)

Dateien: 0
(Keine schädliche Elemente erkannt)

Physische Sektoren: 0
(Keine schädliche Elemente erkannt)


(end)
         

AdwCleaner:

Code:
# AdwCleaner v4.111 - Bericht erstellt 05/03/2015 um 11:44:22
# Aktualisiert 18/02/2015 von Xplode
# Datenbank : 2015-03-02.3 [Server]
# Betriebssystem : Windows 7 Ultimate Service Pack 1 (x64)
# Benutzername : ***** - *****-PC
# Gestarted von : C:\Users\*****\Desktop\AdwCleaner_4.111.exe
# Option : Löschen

***** [ Dienste ] *****


***** [ Dateien / Ordner ] *****

Ordner Gelöscht : C:\Program Files (x86)\foxydeal
Ordner Gelöscht : C:\Users\*****\AppData\Local\pdfforge
Ordner Gelöscht : C:\Users\*****\AppData\Roaming\pdfforge
Ordner Gelöscht : C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FLV Player
Datei Gelöscht : C:\Users\*****\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Goodgame Empire.lnk
Datei Gelöscht : C:\Users\*****\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Goodgame Empire.lnk
Datei Gelöscht : C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\foxydeal.sqlite

***** [ Geplante Tasks ] *****

Task Gelöscht : SomotoUpdateCheckerAutoStart

***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{00B11DA2-75ED-4364-ABA5-9A95B1F5E946}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Schlüssel Gelöscht : HKCU\Software\Myfree Codec
Schlüssel Gelöscht : HKCU\Software\OCS
Schlüssel Gelöscht : HKCU\Software\foxydeal
Schlüssel Gelöscht : HKCU\Software\AppDataLow\foxydeal
Schlüssel Gelöscht : HKLM\SOFTWARE\Myfree Codec
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\5E8031606EB60A64C882918F8FF38DD4

***** [ Internetbrowser ] *****

-\\ Internet Explorer v11.0.9600.17631


-\\ Mozilla Firefox v34.0.5 (x86 de)

[b5n7j0wg.default\prefs.js] - Zeile Gelöscht : user_pref("browser.newtab.url", "chrome://unitedtb/content/newtab/newtab-page.xhtml");

-\\ Google Chrome v


-\\ Opera v27.0.1689.76


*************************

AdwCleaner[R0].txt - [4580 Bytes] - [10/05/2014 16:49:14]
AdwCleaner[R1].txt - [3301 Bytes] - [05/03/2015 09:58:48]
AdwCleaner[S0].txt - [4341 Bytes] - [10/05/2014 16:57:01]
AdwCleaner[S1].txt - [3060 Bytes] - [05/03/2015 11:44:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3119  Bytes] ##########
         


JRT:

Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows 7 Ultimate x64
Ran by ***** on 05.03.2015 at 12:08:25,38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\myfree codec"



~~~ FireFox

Successfully deleted: [Folder] C:\Users\*****\AppData\Roaming\mozilla\firefox\profiles\wpxcqavr.default\extensions\toolbar@web.de
Emptied folder: C:\Users\*****\AppData\Roaming\mozilla\firefox\profiles\wpxcqavr.default\minidumps [63 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05.03.2015 at 12:16:02,46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         

FRST:


FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-03-2015
Ran by ***** (administrator) on *****-PC on 05-03-2015 12:21:20
Running from C:\Users\*****\Downloads
Loaded Profiles: ***** (Available profiles: ***** & UpdatusUser & Luca & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
() C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
() C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
() C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe
(VoipConnect) C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Hauppauge Computer Works, Inc.) C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [140568 2007-08-31] (Acronis)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472984 2013-06-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [2622232 2007-08-31] (Acronis)
HKLM-x32\...\Run: [AcronisTimounterMonitor] => C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe [907040 2007-08-31] (Acronis)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-08-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5223016 2014-11-05] (AVAST Software)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502952 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863400 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058912 2012-04-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311616 2014-07-25] (Samsung Electronics Co., Ltd.)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [ExpressCacheUI] => C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe [3991424 2013-01-08] ()
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [CAHeadless] => C:\Program Files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [1401040 2014-08-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [VoipConnect] => C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe [23048288 2014-12-04] (VoipConnect)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
Lsa: [Authentication Packages] msv1_0 relog_ap
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinTV Recording Status.lnk
ShortcutTarget: WinTV Recording Status.lnk -> C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
GroupPolicyUsers\S-1-5-21-2571380908-3574024337-2633154625-1359\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default
FF NewTab: hxxp://www.google.com/firefox
FF SearchEngineOrder.1: Google
FF Keyword.URL: https://www.google.de/search?q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-2571380908-3574024337-2633154625-1000: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\searchplugins\google-images.xml
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\searchplugins\google-maps.xml
FF Extension: 20-20 3D Viewer - IKEA - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\2020Player_IKEA@2020Technologies.com [2014-11-10]
FF Extension: Cliqz Beta - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\cliqz@cliqz.com [2014-11-29]
FF Extension: NO Google Analytics - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\jid1-JcGokIiQyjoBAQ@jetpack.xpi [2014-07-14]
FF Extension: Adblock Plus - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-03-07]
FF Extension: QuickWiki - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}.xpi [2013-04-21]
FF Extension: UITBAutoInstaller - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{edd7fc99-d65c-4979-85c2-ddeed30c50c7} [2014-12-09]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-05-26]
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-04-14]
FF HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\extensions\cliqz@cliqz.com

Chrome: 
=======
CHR Profile: C:\Users\*****\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-05]

Opera: 
=======
OPR Extension: (Adblock Plus) - C:\Users\*****\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2014-11-05]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor12.0; C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [181152 2013-09-25] (Adobe Systems Incorporated)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-05] (AVAST Software)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 ES lite Service; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [68136 2009-08-24] ()
R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 HauppaugeTVServer; C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe [577536 2012-11-11] (Hauppauge Computer Works) [File not signed]
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-08-16] (Hewlett-Packard Company) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 TryAndDecideService; C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [498872 2007-08-31] ()
R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [245760 2011-02-18] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [125512 2010-12-01] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [125512 2010-12-01] (SlySoft, Inc.)
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21104 2011-01-10] ()
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-11-05] ()
R1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [19600 2012-07-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-11-05] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-11-05] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-11-05] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-11-21] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-11-05] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-11-05] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-11-05] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-26] (DT Soft Ltd)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
R0 hotcore3; C:\Windows\System32\DRIVERS\hotcore3.sys [37392 2010-05-20] (Paragon Software Group)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-05] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 ssudserd; C:\Windows\System32\DRIVERS\ssudserd.sys [206080 2014-06-16] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2013-02-12] (Microsoft Corporation)
S3 athr; system32\DRIVERS\athrx.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-05 12:17 - 2015-03-05 12:17 - 00000000 ___SH () C:\DkHyperbootSync
2015-03-05 12:16 - 2015-03-05 12:16 - 00000956 _____ () C:\Users\*****\Desktop\JRT.txt
2015-03-05 09:58 - 2015-03-05 09:38 - 02126848 _____ () C:\Users\*****\Desktop\AdwCleaner_4.111.exe
2015-03-05 09:58 - 2015-03-05 09:38 - 01388333 _____ (Thisisu) C:\Users\*****\Desktop\JRT.exe
2015-03-05 09:38 - 2015-03-05 09:38 - 02126848 _____ () C:\Users\*****\Downloads\AdwCleaner_4.111.exe
2015-03-05 09:38 - 2015-03-05 09:38 - 01388333 _____ (Thisisu) C:\Users\*****\Downloads\JRT.exe
2015-03-04 22:24 - 2015-03-04 22:44 - 00000000 ____D () C:\Qoobox
2015-03-04 22:24 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-03-04 22:24 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-03-04 22:24 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2015-03-04 22:23 - 2015-03-04 22:41 - 00000000 ____D () C:\Windows\erdnt
2015-03-04 22:22 - 2015-03-04 22:22 - 05612482 ____R (Swearware) C:\Users\*****\Downloads\ComboFix.exe
2015-03-04 21:50 - 2015-03-04 21:50 - 00001268 _____ () C:\Users\*****\Desktop\Revo Uninstaller.lnk
2015-03-04 21:50 - 2015-03-04 21:50 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2015-03-04 21:48 - 2015-03-04 21:48 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\*****\Downloads\revosetup95.exe
2015-03-03 08:30 - 2015-03-03 08:30 - 00192826 _____ () C:\Users\*****\Downloads\ups_1S63A0003659818362.zip
2015-03-03 00:09 - 2015-03-03 00:09 - 00467640 _____ () C:\Windows\Minidump\030315-39811-01.dmp
2015-03-02 20:35 - 2015-03-02 20:36 - 00380416 _____ () C:\Users\*****\Downloads\ot7oimy8.exe
2015-03-02 20:31 - 2015-03-02 20:32 - 00037023 _____ () C:\Users\*****\Downloads\Addition.txt
2015-03-02 20:30 - 2015-03-05 12:21 - 00019348 _____ () C:\Users\*****\Downloads\FRST.txt
2015-03-02 20:30 - 2015-03-05 12:21 - 00000000 ____D () C:\FRST
2015-03-02 20:29 - 2015-03-02 20:29 - 02092544 _____ (Farbar) C:\Users\*****\Downloads\FRST64.exe
2015-03-02 20:28 - 2015-03-02 20:28 - 00000542 _____ () C:\Users\*****\Downloads\defogger_disable.log
2015-03-02 20:28 - 2015-03-02 20:28 - 00000168 _____ () C:\Users\*****\defogger_reenable
2015-03-02 20:27 - 2015-03-02 20:27 - 00050477 _____ () C:\Users\*****\Downloads\Defogger.exe
2015-03-02 10:25 - 2015-03-02 10:43 - 00056534 _____ () C:\Users\*****\Documents\Evelyn Kröll Hans.odt
2015-02-28 14:55 - 2015-02-28 14:55 - 00000000 ____D () C:\Users\*****\AppData\Local\Apps\2.0
2015-02-27 21:02 - 2015-02-27 21:02 - 01203488 _____ () C:\Users\*****\Downloads\Universal USB Installer - CHIP-Installer.exe
2015-02-27 20:44 - 2015-02-27 21:12 - 1549615104 _____ () C:\Users\*****\Downloads\linuxmint-17.1-cinnamon-64bit.iso
2015-02-27 17:11 - 2014-11-29 15:56 - 00000000 ____D () C:\Users\*****\Downloads\ReginScanner-master
2015-02-27 17:09 - 2015-02-27 17:09 - 05020871 _____ () C:\Users\*****\Downloads\ReginScanner-master.zip
2015-02-27 16:44 - 2015-02-27 16:44 - 00000000 _____ () C:\Users\*****\Desktop\Neues Textdokument.txt
2015-02-27 13:58 - 2015-03-02 20:24 - 00000000 ____D () C:\Loki-master
2015-02-27 13:58 - 2015-02-27 14:17 - 00000000 ____D () C:\Users\*****\Downloads\Loki-master
2015-02-27 13:58 - 2015-02-27 13:58 - 08991205 _____ () C:\Users\*****\Downloads\Loki-master.zip
2015-02-27 13:56 - 2015-02-27 13:57 - 08305166 _____ () C:\Users\*****\Downloads\loki.exe
2015-02-26 22:40 - 2015-02-27 12:53 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-02-25 12:22 - 2015-01-09 00:44 - 00419936 _____ () C:\Windows\SysWOW64\locale.nls
2015-02-25 12:22 - 2015-01-09 00:43 - 00419936 _____ () C:\Windows\system32\locale.nls
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieUserList
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieSiteList
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieBrowserModeList
2015-02-17 19:20 - 2015-02-17 19:20 - 00002077 _____ () C:\Users\*****\Desktop\JDownloader 2.lnk
2015-02-17 19:20 - 2015-02-17 19:20 - 00000000 ____D () C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JDownloader
2015-02-17 19:19 - 2015-02-23 01:41 - 00000000 ____D () C:\Users\*****\AppData\Local\JDownloader 2.0
2015-02-17 18:56 - 2015-01-09 04:14 - 00950272 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-17 18:56 - 2015-01-09 04:14 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-17 18:56 - 2015-01-09 04:14 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-17 18:56 - 2015-01-09 03:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdi.dll
2015-02-12 16:36 - 2015-01-23 05:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-12 16:36 - 2015-01-23 05:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-12 16:36 - 2015-01-23 04:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-12 16:36 - 2015-01-23 04:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-11 08:48 - 2015-01-14 06:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 08:48 - 2015-01-14 06:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-11 08:48 - 2015-01-12 04:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 08:48 - 2015-01-12 04:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-11 08:48 - 2015-01-12 04:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-11 08:48 - 2015-01-12 03:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-11 08:48 - 2015-01-12 03:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 08:48 - 2015-01-12 03:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-11 08:48 - 2015-01-12 03:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-11 08:48 - 2015-01-12 03:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-11 08:48 - 2015-01-12 03:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-11 08:48 - 2015-01-12 03:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-11 08:48 - 2015-01-12 03:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-11 08:48 - 2015-01-12 03:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-11 08:48 - 2015-01-12 03:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-11 08:48 - 2015-01-12 03:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 08:48 - 2015-01-12 03:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 08:48 - 2015-01-12 03:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-11 08:48 - 2015-01-12 03:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-11 08:48 - 2015-01-12 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-11 08:48 - 2015-01-12 03:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-11 08:48 - 2015-01-12 03:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-11 08:48 - 2015-01-12 03:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-11 08:48 - 2015-01-12 02:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-11 08:48 - 2015-01-12 02:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-11 08:48 - 2015-01-12 02:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-11 08:48 - 2015-01-12 02:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 08:48 - 2015-01-12 02:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 08:48 - 2015-01-12 02:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 08:48 - 2015-01-12 02:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-11 08:48 - 2015-01-12 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-11 08:48 - 2015-01-12 02:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 08:48 - 2015-01-12 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-11 08:48 - 2015-01-12 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-11 08:48 - 2015-01-12 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-11 08:48 - 2015-01-12 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-11 08:48 - 2015-01-12 02:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 08:48 - 2015-01-12 02:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-11 08:48 - 2015-01-12 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-11 08:48 - 2015-01-12 02:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-11 08:48 - 2015-01-12 02:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-11 08:48 - 2015-01-12 02:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 08:48 - 2015-01-12 02:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 08:48 - 2015-01-12 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-11 08:48 - 2015-01-12 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-11 08:48 - 2015-01-12 01:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-11 08:48 - 2015-01-09 03:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 08:47 - 2015-01-15 09:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 08:47 - 2015-01-15 09:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 08:47 - 2015-01-15 09:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 08:47 - 2015-01-15 09:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 08:47 - 2015-01-15 09:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 08:47 - 2015-01-15 09:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 08:47 - 2015-01-15 09:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 08:47 - 2015-01-15 09:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 08:47 - 2015-01-15 08:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-11 08:47 - 2015-01-15 08:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 08:47 - 2015-01-15 08:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-11 08:47 - 2015-01-15 08:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 08:47 - 2015-01-15 08:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-11 08:47 - 2015-01-15 08:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 08:47 - 2015-01-15 05:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 08:47 - 2015-01-13 04:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 08:47 - 2015-01-13 03:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 08:47 - 2014-12-12 06:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-11 08:47 - 2014-12-12 06:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-11 08:47 - 2014-11-26 04:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 08:47 - 2014-11-26 04:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 08:47 - 2014-10-04 03:10 - 03722752 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-11 08:47 - 2014-10-04 02:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-02-11 08:47 - 2014-10-04 02:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-02-11 08:47 - 2014-07-07 03:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-11 08:47 - 2014-07-07 03:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-11 08:47 - 2014-07-07 02:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-11 08:47 - 2014-07-07 02:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-02-11 08:46 - 2015-01-14 07:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 08:46 - 2015-01-14 07:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-11 08:46 - 2015-01-14 07:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-11 08:46 - 2015-01-14 07:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-11 08:46 - 2015-01-14 06:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-11 08:46 - 2015-01-14 06:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-11 08:46 - 2015-01-14 06:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-11 08:46 - 2014-12-08 04:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 08:46 - 2014-12-08 03:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-05 12:21 - 2012-07-13 23:23 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-05 11:53 - 2009-07-14 05:45 - 00021472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-05 11:53 - 2009-07-14 05:45 - 00021472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-05 11:49 - 2013-06-12 23:28 - 01666147 _____ () C:\Windows\WindowsUpdate.log
2015-03-05 11:48 - 2014-12-01 11:59 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-05 11:48 - 2013-01-18 16:47 - 00000000 ____D () C:\Users\*****\AppData\Local\ExpressCache
2015-03-05 11:45 - 2014-03-01 09:31 - 00057286 _____ () C:\Windows\setupact.log
2015-03-05 11:45 - 2012-05-26 06:24 - 00025640 _____ (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2015-03-05 11:45 - 2012-05-26 05:12 - 00000144 _____ () C:\service.log
2015-03-05 11:45 - 2012-05-26 05:08 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-05 11:45 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-05 11:44 - 2014-05-10 16:49 - 00000000 ____D () C:\AdwCleaner
2015-03-05 09:33 - 2012-05-26 06:10 - 00000000 ____D () C:\Users\*****\AppData\Roaming\vlc
2015-03-04 23:06 - 2014-04-28 16:38 - 00032766 _____ () C:\Windows\PFRO.log
2015-03-04 22:44 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default
2015-03-04 22:40 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2015-03-04 12:41 - 2014-08-20 23:40 - 00000000 ____D () C:\Users\*****\AppData\Local\Adobe
2015-03-03 20:04 - 2012-07-09 22:15 - 00000000 ____D () C:\Users\*****\AppData\Roaming\foobar2000
2015-03-03 00:09 - 2014-04-28 16:38 - 00000000 ____D () C:\Windows\Minidump
2015-03-02 20:57 - 2014-05-14 15:55 - 00008192 ___SH () C:\Users\*****\Thumbs.db
2015-03-02 20:28 - 2012-05-26 05:02 - 00000000 ____D () C:\Users\*****
2015-03-02 10:18 - 2012-08-07 19:59 - 00000000 ____D () C:\Users\*****\AppData\Roaming\PamFax Office Integrations
2015-03-01 21:59 - 2012-07-30 19:33 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-02-27 20:30 - 2012-05-26 06:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-27 16:05 - 2014-08-24 18:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2015-02-27 16:05 - 2014-08-24 18:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2015-02-27 16:05 - 2013-06-12 23:37 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2015-02-24 19:55 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-24 12:24 - 2014-11-05 21:18 - 00003852 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1415218714
2015-02-24 12:24 - 2012-05-26 06:13 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-02-22 21:11 - 2011-04-12 08:43 - 00702980 _____ () C:\Windows\system32\perfh007.dat
2015-02-22 21:11 - 2011-04-12 08:43 - 00150620 _____ () C:\Windows\system32\perfc007.dat
2015-02-22 21:11 - 2009-07-14 06:13 - 01629508 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-22 12:28 - 2014-05-14 16:12 - 00000000 ____D () C:\Users\*****\.mediathek3
2015-02-20 21:33 - 2014-05-21 19:21 - 00000069 _____ () C:\Windows\NeroDigital.ini
2015-02-20 21:33 - 2013-11-01 20:53 - 00000131 _____ () C:\Users\*****\AppData\Roaming\default.rss
2015-02-20 14:53 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2015-02-18 11:10 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2015-02-17 19:20 - 2012-05-28 22:08 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2015-02-15 04:28 - 2012-07-08 12:16 - 00001462 _____ () C:\Users\*****\Sti_Trace.log
2015-02-14 20:08 - 2014-11-05 21:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-11 17:29 - 2009-07-14 05:45 - 05090528 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 17:20 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-11 13:54 - 2012-05-28 21:18 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-11 13:54 - 2009-07-14 03:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-05 15:21 - 2012-07-13 23:23 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-05 15:21 - 2012-06-11 21:16 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 15:21 - 2012-06-11 21:16 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2013-11-01 20:53 - 2015-02-20 21:33 - 0000131 _____ () C:\Users\*****\AppData\Roaming\default.rss
2012-06-18 19:01 - 2014-12-31 16:59 - 0030720 _____ () C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-03-15 17:25 - 2013-03-15 17:25 - 0000840 _____ () C:\Users\*****\AppData\Local\recently-used.xbel
2012-05-26 06:33 - 2014-03-01 09:31 - 0000125 ___SH () C:\ProgramData\.zreglib
2013-02-25 17:34 - 2013-02-25 17:34 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\*****\AppData\Local\Temp\Quarantine.exe
C:\Users\*****\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-05 10:16

==================== End Of Log ============================
         
--- --- ---

Old 05.03.2015, 17:59   #10
schrauber
/// the machine
/// TB trainer
 





ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick "Yes, I accept the Terms of Use" and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • When the scan has finished, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Please download SecurityCheck and:

  • Save it to the Desktop.
  • Start SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
Please post its contents here.

And a fresh FRST log, please. Any problems left?
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009


No help via PM!

Old 06.03.2015, 12:12   #11
charles_b
 



So, now I've had a mishap. At first ESET had 13 detections, mainly from the quarantines of the other programs. These were then deleted, and unfortunately, because I had ticked "Uninstall program after scan", the log vanished.

I then started a second run; now there are no more detections. Log attached:

Code:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=505890d0ad0e6b4493977a195e069c9a
# engine=22779
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2015-03-06 07:59:47
# local_time=2015-03-06 08:59:47 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Internet Security'
# compatibility_mode=779 16777213 85 72 9721453 190049277 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 229286 177258637 0 0
# scanned=554580
# found=0
# cleaned=0
# scan_time=5659
         
So now the rest:

Log SecurityCheck:
Code:
 Results of screen317's Security Check version 0.99.96  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
avast! Antivirus   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 JavaFX 2.1.1    
 Java 7 Update 51  
 Java version 32-bit out of Date! 
  Java 64-bit 8 Update 31  
 Adobe Flash Player 16.0.0.305  
 Mozilla Firefox 34.0.5 Firefox out of Date!  
 Mozilla Thunderbird (31.5.0) 
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         

Log FRST:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-03-2015
Ran by ***** (administrator) on *****-PC on 06-03-2015 09:35:26
Running from C:\Users\*****\Downloads
Loaded Profiles: ***** (Available profiles: ***** & UpdatusUser & Luca & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
() C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Hauppauge Computer Works) C:\Program Files (x86)\WinTV\TVServer\CaptureGenPCI.exe
() C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
() C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
() C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe
(VoipConnect) C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe
(Hauppauge Computer Works, Inc.) C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [140568 2007-08-31] (Acronis)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472984 2013-06-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [2622232 2007-08-31] (Acronis)
HKLM-x32\...\Run: [AcronisTimounterMonitor] => C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe [907040 2007-08-31] (Acronis)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-08-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5223016 2014-11-05] (AVAST Software)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502952 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863400 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058912 2012-04-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311616 2014-07-25] (Samsung Electronics Co., Ltd.)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [ExpressCacheUI] => C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCacheApp.exe [3991424 2013-01-08] ()
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [CAHeadless] => C:\Program Files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [1401040 2014-08-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Run: [VoipConnect] => C:\Program Files (x86)\VoipConnect.com\VoipConnect\VoipConnect.exe [23048288 2014-12-04] (VoipConnect)
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x91000000
Lsa: [Authentication Packages] msv1_0 relog_ap
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinTV Recording Status.lnk
ShortcutTarget: WinTV Recording Status.lnk -> C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
GroupPolicyUsers\S-1-5-21-2571380908-3574024337-2633154625-1359\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default
FF NewTab: hxxp://www.google.com/firefox
FF SearchEngineOrder.1: Google
FF Keyword.URL: https://www.google.de/search?q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-2571380908-3574024337-2633154625-1000: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\searchplugins\google-images.xml
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\searchplugins\google-maps.xml
FF Extension: 20-20 3D Viewer - IKEA - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\2020Player_IKEA@2020Technologies.com [2014-11-10]
FF Extension: Cliqz Beta - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\cliqz@cliqz.com [2014-11-29]
FF Extension: NO Google Analytics - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\jid1-JcGokIiQyjoBAQ@jetpack.xpi [2014-07-14]
FF Extension: Adblock Plus - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-03-07]
FF Extension: QuickWiki - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\Extensions\{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}.xpi [2013-04-21]
FF Extension: UITBAutoInstaller - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{edd7fc99-d65c-4979-85c2-ddeed30c50c7} [2014-12-09]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-05-26]
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: PDF Architect Converter For Firefox - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-04-14]
FF HKU\S-1-5-21-2571380908-3574024337-2633154625-1000\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\wpxcqavr.default\extensions\cliqz@cliqz.com

Chrome: 
=======
CHR Profile: C:\Users\*****\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-05]

Opera: 
=======
OPR Extension: (Adblock Plus) - C:\Users\*****\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2014-11-05]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor12.0; C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [181152 2013-09-25] (Adobe Systems Incorporated)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-05] (AVAST Software)
S2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 ES lite Service; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [68136 2009-08-24] ()
R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 HauppaugeTVServer; C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe [577536 2012-11-11] (Hauppauge Computer Works) [File not signed]
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-08-16] (Hewlett-Packard Company) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1324104 2013-01-09] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [795208 2013-01-09] (pdfforge GbR)
R2 TryAndDecideService; C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [498872 2007-08-31] ()
R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [245760 2011-02-18] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [125512 2010-12-01] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [125512 2010-12-01] (SlySoft, Inc.)
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21104 2011-01-10] ()
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-11-05] ()
R1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [19600 2012-07-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-11-05] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-11-05] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-11-05] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-11-21] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-11-05] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-11-05] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-11-05] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-05-26] (DT Soft Ltd)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
R0 hotcore3; C:\Windows\System32\DRIVERS\hotcore3.sys [37392 2010-05-20] (Paragon Software Group)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 ssudserd; C:\Windows\System32\DRIVERS\ssudserd.sys [206080 2014-06-16] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2013-02-12] (Microsoft Corporation)
S3 athr; system32\DRIVERS\athrx.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-06 09:35 - 2015-03-06 09:35 - 00000000 ___SH () C:\DkHyperbootSync
2015-03-06 09:15 - 2015-03-06 09:15 - 00852594 _____ () C:\Users\*****\Desktop\SecurityCheck.exe
2015-03-05 22:34 - 2015-03-06 00:24 - 00000000 ____D () C:\Users\*****\Desktop\mmm
2015-03-05 21:41 - 2015-03-05 21:41 - 00000000 ____D () C:\Users\*****\AppData\Local\calibre-cache
2015-03-05 21:40 - 2015-03-05 22:59 - 00000000 ____D () C:\Users\*****\Documents\Calibre-Bibliothek
2015-03-05 21:39 - 2015-03-05 21:41 - 00000000 ____D () C:\Users\*****\AppData\Roaming\calibre
2015-03-05 21:39 - 2015-03-05 21:39 - 00000890 _____ () C:\Users\Public\Desktop\calibre 64bit - E-book management.lnk
2015-03-05 21:39 - 2015-03-05 21:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre 64bit - E-book Management
2015-03-05 21:39 - 2015-03-05 21:39 - 00000000 ____D () C:\Program Files\Calibre2
2015-03-05 21:37 - 2015-03-05 21:38 - 69517312 _____ () C:\Users\*****\Downloads\calibre-64bit-2.20.0.msi
2015-03-05 19:35 - 2015-03-05 19:35 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-03-05 19:34 - 2015-03-05 19:33 - 02347384 _____ (ESET) C:\Users\*****\Desktop\esetsmartinstaller_deu.exe
2015-03-05 19:33 - 2015-03-05 19:33 - 02347384 _____ (ESET) C:\Users\*****\Downloads\esetsmartinstaller_deu.exe
2015-03-05 12:16 - 2015-03-05 12:16 - 00000956 _____ () C:\Users\*****\Desktop\JRT.txt
2015-03-05 09:58 - 2015-03-05 09:38 - 02126848 _____ () C:\Users\*****\Desktop\AdwCleaner_4.111.exe
2015-03-05 09:58 - 2015-03-05 09:38 - 01388333 _____ (Thisisu) C:\Users\*****\Desktop\JRT.exe
2015-03-05 09:38 - 2015-03-05 09:38 - 02126848 _____ () C:\Users\*****\Downloads\AdwCleaner_4.111.exe
2015-03-05 09:38 - 2015-03-05 09:38 - 01388333 _____ (Thisisu) C:\Users\*****\Downloads\JRT.exe
2015-03-04 22:24 - 2015-03-04 22:44 - 00000000 ____D () C:\Qoobox
2015-03-04 22:24 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-03-04 22:24 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-03-04 22:24 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2015-03-04 22:24 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2015-03-04 22:23 - 2015-03-04 22:41 - 00000000 ____D () C:\Windows\erdnt
2015-03-04 22:22 - 2015-03-04 22:22 - 05612482 ____R (Swearware) C:\Users\*****\Downloads\ComboFix.exe
2015-03-04 21:50 - 2015-03-04 21:50 - 00001268 _____ () C:\Users\*****\Desktop\Revo Uninstaller.lnk
2015-03-04 21:50 - 2015-03-04 21:50 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2015-03-04 21:48 - 2015-03-04 21:48 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\*****\Downloads\revosetup95.exe
2015-03-03 08:30 - 2015-03-03 08:30 - 00192826 _____ () C:\Users\*****\Downloads\ups_1S63A0003659818362.zip
2015-03-03 00:09 - 2015-03-03 00:09 - 00467640 _____ () C:\Windows\Minidump\030315-39811-01.dmp
2015-03-02 20:35 - 2015-03-02 20:36 - 00380416 _____ () C:\Users\*****\Downloads\ot7oimy8.exe
2015-03-02 20:31 - 2015-03-02 20:32 - 00037023 _____ () C:\Users\*****\Downloads\Addition.txt
2015-03-02 20:30 - 2015-03-06 09:35 - 00018902 _____ () C:\Users\*****\Downloads\FRST.txt
2015-03-02 20:30 - 2015-03-06 09:35 - 00000000 ____D () C:\FRST
2015-03-02 20:29 - 2015-03-02 20:29 - 02092544 _____ (Farbar) C:\Users\*****\Downloads\FRST64.exe
2015-03-02 20:28 - 2015-03-02 20:28 - 00000542 _____ () C:\Users\*****\Downloads\defogger_disable.log
2015-03-02 20:28 - 2015-03-02 20:28 - 00000168 _____ () C:\Users\*****\defogger_reenable
2015-03-02 20:27 - 2015-03-02 20:27 - 00050477 _____ () C:\Users\*****\Downloads\Defogger.exe
2015-03-02 10:25 - 2015-03-02 10:43 - 00056534 _____ () C:\Users\*****\Documents\Evelyn Kröll Hans.odt
2015-02-28 14:55 - 2015-02-28 14:55 - 00000000 ____D () C:\Users\*****\AppData\Local\Apps\2.0
2015-02-27 20:44 - 2015-02-27 21:12 - 1549615104 _____ () C:\Users\*****\Downloads\linuxmint-17.1-cinnamon-64bit.iso
2015-02-27 17:11 - 2014-11-29 15:56 - 00000000 ____D () C:\Users\*****\Downloads\ReginScanner-master
2015-02-27 17:09 - 2015-02-27 17:09 - 05020871 _____ () C:\Users\*****\Downloads\ReginScanner-master.zip
2015-02-27 16:44 - 2015-02-27 16:44 - 00000000 _____ () C:\Users\*****\Desktop\Neues Textdokument.txt
2015-02-27 13:58 - 2015-03-05 13:55 - 00000000 ____D () C:\Loki-master
2015-02-27 13:58 - 2015-02-27 14:17 - 00000000 ____D () C:\Users\*****\Downloads\Loki-master
2015-02-27 13:58 - 2015-02-27 13:58 - 08991205 _____ () C:\Users\*****\Downloads\Loki-master.zip
2015-02-27 13:56 - 2015-02-27 13:57 - 08305166 _____ () C:\Users\*****\Downloads\loki.exe
2015-02-26 22:40 - 2015-02-27 12:53 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-02-25 12:22 - 2015-01-09 00:44 - 00419936 _____ () C:\Windows\SysWOW64\locale.nls
2015-02-25 12:22 - 2015-01-09 00:43 - 00419936 _____ () C:\Windows\system32\locale.nls
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieUserList
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieSiteList
2015-02-20 21:33 - 2015-02-20 21:33 - 00000000 __SHD () C:\Users\*****\AppData\Local\EmieBrowserModeList
2015-02-17 19:20 - 2015-02-17 19:20 - 00002077 _____ () C:\Users\*****\Desktop\JDownloader 2.lnk
2015-02-17 19:20 - 2015-02-17 19:20 - 00000000 ____D () C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JDownloader
2015-02-17 19:19 - 2015-02-23 01:41 - 00000000 ____D () C:\Users\*****\AppData\Local\JDownloader 2.0
2015-02-17 18:56 - 2015-01-09 04:14 - 00950272 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-17 18:56 - 2015-01-09 04:14 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-17 18:56 - 2015-01-09 04:14 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-17 18:56 - 2015-01-09 03:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdi.dll
2015-02-12 16:36 - 2015-01-23 05:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-12 16:36 - 2015-01-23 05:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-12 16:36 - 2015-01-23 04:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-12 16:36 - 2015-01-23 04:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-11 08:48 - 2015-01-14 06:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 08:48 - 2015-01-14 06:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-11 08:48 - 2015-01-12 04:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 08:48 - 2015-01-12 04:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-11 08:48 - 2015-01-12 04:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-11 08:48 - 2015-01-12 03:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 08:48 - 2015-01-12 03:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-11 08:48 - 2015-01-12 03:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 08:48 - 2015-01-12 03:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-11 08:48 - 2015-01-12 03:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-11 08:48 - 2015-01-12 03:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-11 08:48 - 2015-01-12 03:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-11 08:48 - 2015-01-12 03:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-11 08:48 - 2015-01-12 03:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-11 08:48 - 2015-01-12 03:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-11 08:48 - 2015-01-12 03:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-11 08:48 - 2015-01-12 03:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 08:48 - 2015-01-12 03:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 08:48 - 2015-01-12 03:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-11 08:48 - 2015-01-12 03:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-11 08:48 - 2015-01-12 03:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-11 08:48 - 2015-01-12 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-11 08:48 - 2015-01-12 03:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-11 08:48 - 2015-01-12 03:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-11 08:48 - 2015-01-12 03:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-11 08:48 - 2015-01-12 02:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-11 08:48 - 2015-01-12 02:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-11 08:48 - 2015-01-12 02:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-11 08:48 - 2015-01-12 02:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 08:48 - 2015-01-12 02:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 08:48 - 2015-01-12 02:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 08:48 - 2015-01-12 02:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-11 08:48 - 2015-01-12 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-11 08:48 - 2015-01-12 02:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 08:48 - 2015-01-12 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-11 08:48 - 2015-01-12 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-11 08:48 - 2015-01-12 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-11 08:48 - 2015-01-12 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-11 08:48 - 2015-01-12 02:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 08:48 - 2015-01-12 02:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-11 08:48 - 2015-01-12 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-11 08:48 - 2015-01-12 02:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-11 08:48 - 2015-01-12 02:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-11 08:48 - 2015-01-12 02:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 08:48 - 2015-01-12 02:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 08:48 - 2015-01-12 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-11 08:48 - 2015-01-12 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-11 08:48 - 2015-01-12 01:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 08:48 - 2015-01-10 07:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-11 08:48 - 2015-01-10 07:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-11 08:48 - 2015-01-09 03:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 08:47 - 2015-01-15 09:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 08:47 - 2015-01-15 09:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 08:47 - 2015-01-15 09:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 08:47 - 2015-01-15 09:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 08:47 - 2015-01-15 09:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 08:47 - 2015-01-15 09:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 08:47 - 2015-01-15 09:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 08:47 - 2015-01-15 09:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 08:47 - 2015-01-15 09:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 08:47 - 2015-01-15 08:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-11 08:47 - 2015-01-15 08:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 08:47 - 2015-01-15 08:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-11 08:47 - 2015-01-15 08:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 08:47 - 2015-01-15 08:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-11 08:47 - 2015-01-15 08:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 08:47 - 2015-01-15 05:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 08:47 - 2015-01-13 04:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 08:47 - 2015-01-13 03:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 08:47 - 2014-12-12 06:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-11 08:47 - 2014-12-12 06:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-11 08:47 - 2014-11-26 04:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 08:47 - 2014-11-26 04:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 08:47 - 2014-10-04 03:10 - 03722752 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-11 08:47 - 2014-10-04 02:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-02-11 08:47 - 2014-10-04 02:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-02-11 08:47 - 2014-07-07 03:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-11 08:47 - 2014-07-07 03:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-11 08:47 - 2014-07-07 02:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-11 08:47 - 2014-07-07 02:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-02-11 08:46 - 2015-01-14 07:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 08:46 - 2015-01-14 07:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-11 08:46 - 2015-01-14 07:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-11 08:46 - 2015-01-14 07:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-11 08:46 - 2015-01-14 06:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-11 08:46 - 2015-01-14 06:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-11 08:46 - 2015-01-14 06:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-11 08:46 - 2014-12-08 04:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 08:46 - 2014-12-08 03:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-06 09:21 - 2012-07-13 23:23 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-06 07:26 - 2013-06-12 23:28 - 01759225 _____ () C:\Windows\WindowsUpdate.log
2015-03-06 07:26 - 2009-07-14 05:45 - 00021472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-06 07:26 - 2009-07-14 05:45 - 00021472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-06 07:22 - 2014-12-01 11:59 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-06 07:22 - 2013-01-18 16:47 - 00000000 ____D () C:\Users\*****\AppData\Local\ExpressCache
2015-03-06 07:19 - 2012-05-26 05:12 - 00000144 _____ () C:\service.log
2015-03-06 07:18 - 2014-03-01 09:31 - 00057398 _____ () C:\Windows\setupact.log
2015-03-06 07:18 - 2012-05-26 06:24 - 00025640 _____ (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2015-03-06 07:18 - 2012-05-26 05:08 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-06 07:18 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-05 17:08 - 2014-08-20 23:40 - 00000000 ____D () C:\Users\*****\AppData\Local\Adobe
2015-03-05 11:44 - 2014-05-10 16:49 - 00000000 ____D () C:\AdwCleaner
2015-03-05 09:33 - 2012-05-26 06:10 - 00000000 ____D () C:\Users\*****\AppData\Roaming\vlc
2015-03-04 23:06 - 2014-04-28 16:38 - 00032766 _____ () C:\Windows\PFRO.log
2015-03-04 22:44 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default
2015-03-04 22:40 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2015-03-03 20:04 - 2012-07-09 22:15 - 00000000 ____D () C:\Users\*****\AppData\Roaming\foobar2000
2015-03-03 00:09 - 2014-04-28 16:38 - 00000000 ____D () C:\Windows\Minidump
2015-03-02 20:57 - 2014-05-14 15:55 - 00008192 ___SH () C:\Users\*****\Thumbs.db
2015-03-02 20:28 - 2012-05-26 05:02 - 00000000 ____D () C:\Users\*****
2015-03-02 10:18 - 2012-08-07 19:59 - 00000000 ____D () C:\Users\*****\AppData\Roaming\PamFax Office Integrations
2015-03-01 21:59 - 2012-07-30 19:33 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-02-27 20:30 - 2012-05-26 06:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-27 16:05 - 2014-08-24 18:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2015-02-27 16:05 - 2014-08-24 18:17 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2015-02-27 16:05 - 2013-06-12 23:37 - 00001106 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2015-02-24 19:55 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-24 12:24 - 2014-11-05 21:18 - 00003852 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1415218714
2015-02-24 12:24 - 2012-05-26 06:13 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-02-24 03:17 - 2010-11-21 04:27 - 00295552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-22 21:11 - 2011-04-12 08:43 - 00702980 _____ () C:\Windows\system32\perfh007.dat
2015-02-22 21:11 - 2011-04-12 08:43 - 00150620 _____ () C:\Windows\system32\perfc007.dat
2015-02-22 21:11 - 2009-07-14 06:13 - 01629508 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-22 12:28 - 2014-05-14 16:12 - 00000000 ____D () C:\Users\*****\.mediathek3
2015-02-20 21:33 - 2014-05-21 19:21 - 00000069 _____ () C:\Windows\NeroDigital.ini
2015-02-20 21:33 - 2013-11-01 20:53 - 00000131 _____ () C:\Users\*****\AppData\Roaming\default.rss
2015-02-20 14:53 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2015-02-18 11:10 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2015-02-17 19:20 - 2012-05-28 22:08 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2015-02-15 04:28 - 2012-07-08 12:16 - 00001462 _____ () C:\Users\*****\Sti_Trace.log
2015-02-14 20:08 - 2014-11-05 21:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-11 17:29 - 2009-07-14 05:45 - 05090528 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 17:20 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-11 13:54 - 2012-05-28 21:18 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-11 13:54 - 2009-07-14 03:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-05 15:21 - 2012-07-13 23:23 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-05 15:21 - 2012-06-11 21:16 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 15:21 - 2012-06-11 21:16 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2013-11-01 20:53 - 2015-02-20 21:33 - 0000131 _____ () C:\Users\*****\AppData\Roaming\default.rss
2012-06-18 19:01 - 2014-12-31 16:59 - 0030720 _____ () C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-03-15 17:25 - 2013-03-15 17:25 - 0000840 _____ () C:\Users\*****\AppData\Local\recently-used.xbel
2012-05-26 06:33 - 2014-03-01 09:31 - 0000125 ___SH () C:\ProgramData\.zreglib
2013-02-25 17:34 - 2013-02-25 17:34 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\*****\AppData\Local\Temp\Quarantine.exe
C:\Users\*****\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-05 10:16

==================== End Of Log ============================

So, to your question: I think it looks better now, and thank you for guiding me through this.

I can only say for sure after some time, but it already feels cleaner. I have now scanned again with LOKI and noticed that almost all hits referred to its own signatures/virus definitions, so they are probably false positives.

What do you think? I guess I panicked a bit. Or?

Old 06.03.2015, 15:39   #12
schrauber
/// the machine
/// TB-Ausbilder
 

Win7: Regin ? viele Funde mit LOKI, akute Paranoia angebracht?



Update Java and Firefox.

What is LOKI?


We removed a bit of adware.




Cleanup:
(The order matters here)

If Defogger was used: start it again and click Re-enable.

If Combofix was used:
Uninstall Combofix
  • Important: please disable your antivirus program, any script blocking that may be present, and anti-malware programs.
  • Press the Windows + R keys and type Combofix /Uninstall into the Run window.
  • Click OK.
    This removes Combofix completely and clears the System Restore cache.
  • Now re-enable the programs you just disabled.

All logs posted? Then please download DelFix.
  • Close all open programs.
  • Start delfix.exe with a double-click.
  • Tick every function.
  • Click Start.

Note: DelFix removes, among other things, all the tools that were used, the quarantine of our scanners and the Java cache, and finally deletes itself.
Finally, restart your computer. If any programs from our cleanup are still left over, you can safely delete them.

If you like, you can say here whether you were satisfied with me and my help... and/or support the forum with a small donation.


Hardening:
Enable automatic updates in Windows. Security-relevant software should also always be kept at the latest version:

Browser
Java
Flash Player
PDF reader

Security holes in old versions of these are exploited to install malware via "drive-by" simply by visiting a manipulated website.
I recommend, for example, using Mozilla Firefox instead of Internet Explorer. Firefox can also open PDF documents.

Enable a firewall. The one built into Windows is normally perfectly sufficient.

Use an antivirus program with a real-time scanner and an always up-to-date signature database.
My recommendation:

Emsisoft

Additionally, you can scan your PC regularly with Malwarebytes Anti-Malware and ESET.

Optional:
NoScript prevents active content (Java, JavaScript, Flash, ...) from running on all websites. Using a whitelist, you can specify which sites are allowed to run scripts.
Malwarebytes Anti-Exploit: protects the computer's applications against exploitation of known vulnerabilities.


Download software from a clean portal such as .
When installing software, always choose the custom option and untick all optionally offered toolbars or other add-ons that are irrelevant to the program.
To get rid of adware, it is recommended to uninstall it first and then remove the remnants with AdwCleaner.


Finally, a few general remarks:
Change your important online passwords regularly and make regular backups of your important files or of the whole system.
The benefit of registry cleaners, optimizers etc. for improving performance is disputed. I therefore recommend leaving the registry alone and using the Windows built-in Disk Cleanup instead.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donate
Guides and help
Trojaner-Board Facebook page

No help via PM!
