Cuddles1709 | 30.09.2014 14:37 | GMER Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-09-30 13:37:05
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GT00 596,17GB
Running: Gmer-19357.exe; Driver: C:\Users\Mellie\AppData\Local\Temp\pwddypod.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003604000 63 bytes [00, 00, AD, 00, 43, 63, 56, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff80003604040 6 bytes [13, A0, 02, 00, 00, 00]
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e31465 2 bytes [E3, 75]
.text C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e314bb 2 bytes [E3, 75]
.text ... * 2
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\nvvsvc.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\nvvsvc.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\nvvsvc.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\nvvsvc.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\WLANExt.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\WLANExt.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\WLANExt.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\WLANExt.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\System32\spoolsv.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\svchost.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\svchost.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\svchost.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\svchost.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files\Bonjour\mDNSResponder.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\Bonjour\mDNSResponder.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\Bonjour\mDNSResponder.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\Bonjour\mDNSResponder.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1644] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1644] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1644] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\svchost.exe[1536] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\SysWOW64\svchost.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Windows\SysWOW64\svchost.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Windows\SysWOW64\svchost.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Windows\System32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\System32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\System32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\System32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\System32\svchost.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\System32\svchost.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\System32\svchost.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\System32\svchost.exe[2292] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2900] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2900] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2900] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
? C:\Windows\system32\mssprxy.dll [2900] entry point in ".rdata" section 000000006bce71e6
.text C:\Program Files\TOSHIBA\TECO\TecoService.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TECO\TecoService.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TECO\TecoService.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TECO\TecoService.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[3056] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075e31465 2 bytes [E3, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[3056] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075e314bb 2 bytes [E3, 75]
.text ... * 2
.text C:\Windows\system32\wbem\wmiprvse.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\wbem\wmiprvse.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\wbem\wmiprvse.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\wbem\wmiprvse.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3620] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3620] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3620] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e31465 2 bytes [E3, 75]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e314bb 2 bytes [E3, 75]
.text ... * 2
.text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\svchost.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\SearchIndexer.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\SearchIndexer.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\SearchIndexer.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\SearchIndexer.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\taskhost.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\taskhost.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\taskhost.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\taskhost.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\Dwm.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\Dwm.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\Dwm.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\Dwm.exe[5100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4668] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4696] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4696] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4696] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4696] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\TECO\Teco.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TECO\Teco.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TECO\Teco.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TECO\Teco.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2580] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\Windows Sidebar\sidebar.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\Windows Sidebar\sidebar.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\Windows Sidebar\sidebar.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\Windows Sidebar\sidebar.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[5584] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[5584] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[5584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[5584] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075e31465 2 bytes [E3, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[5584] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075e314bb 2 bytes [E3, 75]
.text ... * 2
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5616] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5616] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[5616] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[5728] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[5728] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[5728] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe[5728] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5736] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5736] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5736] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[5352] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[872] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[872] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[872] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[784] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[784] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[784] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text c:\Program Files (x86)\Nero\Update\NASvc.exe[6192] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text c:\Program Files (x86)\Nero\Update\NASvc.exe[6192] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text c:\Program Files (x86)\Nero\Update\NASvc.exe[6192] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Windows\System32\svchost.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\System32\svchost.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\System32\svchost.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\System32\svchost.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6536] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6536] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6536] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[6712] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[6712] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[6712] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[6712] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[6752] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[6784] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[6784] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[6784] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[6784] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\explorer.exe[12872] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\explorer.exe[12872] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\explorer.exe[12872] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\explorer.exe[12872] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Windows\system32\taskeng.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911430 5 bytes JMP 00000001778b0010
.text C:\Windows\system32\taskeng.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077911490 5 bytes JMP 00000001778b0028
.text C:\Windows\system32\taskeng.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779117b0 1 byte JMP 00000001778b0040
.text C:\Windows\system32\taskeng.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 2 00000000779117b2 3 bytes {JMP 0xfffffffffff9e890}
.text C:\Users\Mellie\Desktop\Gmer-19357.exe[35088] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfac0 5 bytes JMP 0000000174d68cf0
.text C:\Users\Mellie\Desktop\Gmer-19357.exe[35088] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb58 5 bytes JMP 0000000174d68ea0
.text C:\Users\Mellie\Desktop\Gmer-19357.exe[35088] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000174d68d80
---- Processes - GMER 2.1 ----
Library c:\users\mellie\appdata\local\temp\7zs0fb2\hpslpsvc64.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [3700] (HP Network Devices Support/Hewlett-Packard Co.)(2012-11-19 17:18:09) 0000000180000000
---- Registry - GMER 2.1 ----
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\2526914383\Groups@\xaeGoldMembers\xae 1
---- EOF - GMER 2.1 ----
JRT Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.2.3 (09.27.2014:1)
OS: Windows 7 Home Premium x64
Ran by Mellie on 30.09.2014 at 12:48:10,22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
Successfully stopped: [Service] msgplusservice
Successfully deleted: [Service] msgplusservice
~~~ Registry Values
~~~ Registry Keys
~~~ Files
Successfully deleted: [File] C:\Windows\syswow64\sho9097.tmp
Successfully deleted: [File] C:\Windows\syswow64\shoB634.tmp
~~~ Folders
Successfully deleted: [Folder] "C:\ProgramData\messenger plus! for skype"
Successfully deleted: [Folder] "C:\Program Files (x86)\yuna software"
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{09D2A275-89F1-494D-A132-29289B711B96}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{11ADEC4D-05F3-4117-8811-05A3C4882088}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{13659285-46E1-4C21-92E1-F64FCE690E4D}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{1411C5EE-7E3E-4A97-8803-368F16850C67}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{163BDEE5-B519-4FFB-8250-91164ED2A059}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{1C45B7AC-4B26-4CBC-9004-3A7527F81A13}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{2CF4C46E-A6C0-4738-BDDF-B16E2DC13007}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{31DADD32-0718-4623-8B04-C23BABDD9BFD}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{57879A8B-35A3-4F9C-A277-973677063C55}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{59B36E80-B12A-429D-9B14-44B36AD3D1F0}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{5CB480F0-DEFA-47F2-9442-DADADE5FE21D}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{65261EAD-460D-4BC0-8CBB-86F1E232C8C2}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{662FB437-652B-4E49-97BC-5AF51CEEFFB6}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{722B5A1A-E65B-494F-9067-6BD8EFDAEAD0}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{7688B22B-D049-4D6E-8265-C7D49F67B142}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{79A3339E-7FED-43E2-8282-2EFE09D93778}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{8325A43D-B4F9-4D57-B3F5-C43F0AF432E4}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{8AD242C6-2C1F-4F4A-957B-243C05B0F1F0}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{9A67E614-D57D-43E6-A231-79226286F158}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{A6D99096-D630-4294-927B-94F3228DEEB6}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{BEDA2325-A6BA-4132-BBCC-37CB20F0EA28}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{C5008002-05D3-41F2-BBA6-61D0601DD2B8}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{C6D31071-791E-4328-AEB7-223AFF4FF681}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{C6F05C2D-894B-42B5-8424-0C67C49444B6}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{C7A17DF4-D87D-4F07-96B3-20EF68372085}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{D1E9AC68-47C0-4DF8-B81A-02EFC4F56BA3}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{E8C9F9A5-0F88-4E0D-B0BA-AD54F1F80A71}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{F2B6B547-D5B3-4577-90D3-F6F4CC5D272C}
Successfully deleted: [Empty Folder] C:\Users\Mellie\appdata\local\{F9C448B7-5C47-4404-9A34-6BF60CB67D90}
~~~ FireFox
Emptied folder: C:\Users\Mellie\AppData\Roaming\mozilla\firefox\profiles\1eah8kqb.default\minidumps [57 files]
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 30.09.2014 at 12:57:49,46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mbam Code:
Malwarebytes Anti-Malware
www.malwarebytes.org
Suchlauf Datum: 30.09.2014
Suchlauf-Zeit: 12:08:18
Logdatei: mbam30.9..txt
Administrator: Ja
Version: 2.00.2.1012
Malware Datenbank: v2014.09.30.03
Rootkit Datenbank: v2014.09.19.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Self-protection: Deaktiviert
Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Mellie
Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 333599
Verstrichene Zeit: 16 Min, 5 Sek
Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristics: Aktiviert
PUP: Warnen
PUM: Aktiviert
Prozesse: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registrierungsschlüssel: 6
PUP.Optional.CinemaHQ.A, HKLM\SOFTWARE\WOW6432NODE\HQ-V1.3, In Quarantäne, [02c9ed06601bc571b74ed4447c87f010],
PUP.Optional.WindowsProtectManger.A, HKLM\SOFTWARE\WOW6432NODE\supWindowsProtectManger, In Quarantäne, [14b749aa82f98aac3a59e23c7a89857b],
PUP.Optional.GlobalUpdate.T, HKLM\SOFTWARE\WOW6432NODE\GLOBALUPDATE\UPDATE, In Quarantäne, [8a41668de4971a1c6316c05bad56728e],
PUP.Optional.CinemaHQ.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\HQ-V1.3, In Quarantäne, [14b710e323583ff79b6c2aeeb25133cd],
PUP.Optional.CinemaHQ.A, HKU\S-1-5-21-3547617622-2166199306-444984410-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\HQ-V1.3, In Quarantäne, [c30812e1d0ab6dc967a0ca4eb152916f],
PUP.Optional.FastStart.A, HKU\S-1-5-21-3547617622-2166199306-444984410-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS, In Quarantäne, [2f9cad4690eba98dac7f0e029f647f81],
Registrierungswerte: 3
PUP.Optional.GlobalUpdate.T, HKLM\SOFTWARE\WOW6432NODE\GLOBALUPDATE\UPDATE|path, C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe, In Quarantäne, [8a41668de4971a1c6316c05bad56728e]
PUP.Optional.FastStart.A, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|faststartff@gmail.com, C:\Users\Mellie\AppData\Roaming\Mozilla\Firefox\Profiles\1eah8kqb.default\extensions\faststartff@gmail.com, In Quarantäne, [dbf0ba394833ff375c0090e8f50ff010]
PUP.Optional.FastStart.A, HKU\S-1-5-21-3547617622-2166199306-444984410-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS|appid, faststartff@gmail.com, In Quarantäne, [2f9cad4690eba98dac7f0e029f647f81]
Registrierungsdaten: 1
PUP.Optional.Qone8, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DefaultScope, {33BB0A4E-99AF-4226-BDF6-49120163DE86}, Gut: ({0633EE93-D776-472f-A0FF-E1416B8B2E3A}), Schlecht: ({33BB0A4E-99AF-4226-BDF6-49120163DE86}),Ersetzt,[fad12ec5b0cb60d65fcea0721ee759a7]
Ordner: 0
(No malicious items detected)
Dateien: 1
PUP.Optional.QuickStart.A, C:\Users\Mellie\AppData\Roaming\Mozilla\Firefox\Profiles\1eah8kqb.default\prefs.js, Gut: (), Schlecht: (user_pref("browser.newtab.url", "chrome://quick_start/content/index.html");), Ersetzt,[1dae7b789fdcc274cfbbca7a3ec7a15f]
Physische Sektoren: 0
(No malicious items detected)
(end)
Oh, and the Defogger Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:04 on 30/09/2014 (Mellie)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=- |