Thanks to all the people who donated and ensured the continued development of this software!
If you want to donate and keep this software alive, please have a look at the About-Tab.
Thanks in advance!

USEC Radix V1, 0, 0, 10 [2009/11/28] at your service.

---- Check started at 2.4.2010 14:44:35 ----
Running on: Microsoft Windows NT 5.1 Build 2600 Service Pack 2
Number of Processors: 2, Active Processor Mask: 00000003
Processor: Intel Level 15 Revision 0407
Allocation granularity: 00010000, Page granularity: 00001000
Application space: 00010000-7FFEFFFF
[X] Filter common false alarms.

14:44:35 - Performing check: "Hidden files":
This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.

14:47:56 - Performing check: "Alternate Data Streams":
This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.
[*] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:8FF81EB0:$DATA
[*] C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Bilder\Beispielbilder\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\Beispielmusik\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko:zylomtest:$DATA
[*] C:\Dokumente und Einstellungen\Marko:zylomtr{000HQ7FF-AD7A-3FG3-VK8A-25GG67KOIVUV}:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\100MSDCF\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\ausfluege\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\lol\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\party\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\sonstige\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\Neuer Ordner\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\UPLOAD\Downloads\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\UPLOAD\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\BERLIN\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\IGALO\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\blank_data\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\menderes_data\afr_data\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\menderes_data\b_click_data\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\menderes_data\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\chatroulette\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\dosen\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\fotoschop\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\PICDUMP\briefkästen\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\PICDUMP\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\PICDUMP\werbung\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\3d postet\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\bier gepostet\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\don gepostet\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\fuss postet\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\sandra postet\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\tiere\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\twister\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\zwerge\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\MUSIK\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\GER\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\Neuer Ordner\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\PORTFOLIO\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Desktop\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\bierpott\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\DVDVideoSoft\FreeVideoToJPGConverter\48c9aae0b30c7 (05-11-2009 20-21-02)\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\DVDVideoSoft\FreeVideoToJPGConverter\GeileSchnuppe_-_sonntagsmorgen_-_330531 (05-11-2009 13-14-55)\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\DVDVideoSoft\FreeVideoToJPGConverter\Nina (22) (04-11-2009 16-31-56)\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-01-27\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-02-10\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-02-11\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-02-23\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Videos\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Meine empfangenen Dateien\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\msn\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Thumbs.db:encryptable:$DATA
[*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Verlauf\August 2009\Images\Thumbs.db:encryptable:$DATA
[-] Error scanning file C:\pagefile.sys: 0x05::0x06: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
[*] C:\Programme\Ascaron Entertainment\Sacred 2 - Fallen Angel\system\Thumbs.db:encryptable:$DATA
[*] C:\Programme\Ascaron Entertainment\Sacred 2 - Fallen Angel\Thumbs.db:encryptable:$DATA
[*] C:\Programme\Click-2U\Pcsx2\compat_list\Thumbs.db:encryptable:$DATA
[-] Error scanning file C:\WINDOWS\system32\drivers\vpjrp.sys: 0x05::0x06: Ein an das System angeschlossenes Gerät funktioniert nicht.
62 streams found.

14:49:34 - Performing check: "Hidden Registry entries":
--------------------[HKEY_LOCAL_MACHINE\HARDWARE ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_LOCAL_MACHINE\SAM ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...
[-] Unable to open key: HKEY_LOCAL_MACHINE\SAM\SAM: Zugriff verweigert
DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_LOCAL_MACHINE\SECURITY ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...
[-] Unable to open key: HKEY_LOCAL_MACHINE\SECURITY: Zugriff verweigert
DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_LOCAL_MACHINE\SOFTWARE ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...
[-] Unable to open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Remote Desktop\Pending Help Session: Zugriff verweigert
DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_LOCAL_MACHINE\SYSTEM ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{59F44B03-CCD2-460B-ACD8-53CBF375D174}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxDAV\EncryptedDirectories: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vpjrp: Ein an das System angeschlossenes Gerät funktioniert nicht.
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{59F44B03-CCD2-460B-ACD8-53CBF375D174}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MRxDAV\EncryptedDirectories: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vpjrp: Ein an das System angeschlossenes Gerät funktioniert nicht.
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{59F44B03-CCD2-460B-ACD8-53CBF375D174}\Properties: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MRxDAV\EncryptedDirectories: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg: Zugriff verweigert
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vpjrp: Ein an das System angeschlossenes Gerät funktioniert nicht.
DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\.DEFAULT ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-19 ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-19_Classes ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-20 ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-20_Classes ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...
[-] Unable to open key: HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1292428093-1532298954-1801674531-1003: Zugriff verweigert
[-] Unable to open key: HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003\Software\SecuROM\License information: Das System kann die angegebene Datei nicht finden.
DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003_Classes]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-18 ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping!
Dumping...OK.
Scanning...DONE.
-------------------------------------------------------------------------------

14:54:26 - Performing check: "Hidden processes":
(01) PID: 0 [00000000] (Idle)
(53) PID: 4 [8A740660] (System)
(191) PID: 468 [8A366438] (hsssrv.exe)
(191) PID: 524 [8A279DA0] (hsswd.exe)
(191) PID: 540 [8A279B20] (IGDCTRL.EXE)
(191) PID: 552 [8A276498] (explorer.exe)
(191) PID: 572 [8A21C4B8] (jqs.exe)
(175) PID: 684 [8A4AE260] (RegistryWriter.exe)
(191) PID: 796 [8A37FBC0] (alg.exe)
(175) PID: 832 [8A280B28] (S3DCService.exe)
(07) PID: 860 [8A1D91B8] (smss.exe)
(175) PID: 916 [895FC8E8] (svchost.exe)
(191) PID: 1076 [8A1988E0] (csrss.exe)
(191) PID: 1100 [8A22ADA0] (winlogon.exe)
(191) PID: 1144 [8A24D150] (services.exe)
(191) PID: 1164 [8A2B7150] (lsass.exe)
(175) PID: 1284 [895E9620] (jusched.exe)
(191) PID: 1352 [8A180DA0] (nvsvc32.exe)
(191) PID: 1376 [8A35ABC0] (svchost.exe)
(191) PID: 1472 [8A205DA0] (svchost.exe)
(191) PID: 1512 [8A1EBB70] (svchost.exe)
(191) PID: 1592 [8A19D9E0] (svchost.exe)
(191) PID: 1624 [895EF768] (avgnt.exe)
(191) PID: 1648 [8A1EE8B0] (svchost.exe)
(175) PID: 1724 [8A202620] (spoolsv.exe)
(175) PID: 1792 [8A1D0B28] (sched.exe)
(175) PID: 1856 [8A22B440] (svchost.exe)
(191) PID: 1928 [8A217440] (avguard.exe)
(191) PID: 1940 [8A497880] (mDNSResponder.exe)
(191) PID: 1952 [8971D620] (msnmsgr.exe)
(191) PID: 1992 [8A275588] (openvpnas.exe)
(175) PID: 2080 [8A4F7B48] (wscntfy.exe)
(191) PID: 2088 [895DB780] (RaUI.exe)
(187) PID: 2156 [89718590] (radixgui.exe)
(175) PID: 2412 [89785720] (wordpad.exe)
(175) PID: 2524 [894DC620] (wuauclt.exe)
(175) PID: 2956 [8978E718] (svchost.exe)
(175) PID: 3084 [89750BC0] (wmiprvse.exe)

14:54:28 - Performing check: "Selftest":
Doing a short selftest...
-> Checking IAT PID 2156 - E:\mp3player\radix_installer\radixgui.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
[+] Patching code of LdrLoadDll at 7C925CBB
7C925CBB: Patching FF -> 68
7C925CBC: Patching 25 -> 6C
7C925CBD: Patching 1E -> 02
7C925CBF: Patching 6B -> 00
7C925CC0: Patching 71 -> 68
[+] Wrote patch to process memory.
[+] Patching code of LdrUnloadDll at 7C926C83
7C926C83: Patching FF -> 68
7C926C84: Patching 25 -> C4
7C926C85: Patching 1E -> 00
7C926C87: Patching 6E -> 00
7C926C88: Patching 71 -> 68
[+] Wrote patch to process memory.
kernel32.dll (7C800000 - 7C907000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
comdlg32.dll (76350000 - 7639A000)
SHLWAPI.dll (77F40000 - 77FB6000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
msvcrt.dll (77BE0000 - 77C38000)
COMCTL32.dll (5D450000 - 5D4E7000)
SHELL32.dll (7E670000 - 7EE90000)
ole32.dll (774B0000 - 775EC000)
VERSION.dll (77BD0000 - 77BD8000)
dbghelp.dll (59DD0000 - 59E71000)
comctl32.dll (773A0000 - 774A2000)
S3DInjector.dll (10000000 - 10023000)
wintrust.dll (76BF0000 - 76C1E000)
CRYPT32.dll (77A50000 - 77AE5000)
MSASN1.dll (77AF0000 - 77B02000)
IMAGEHLP.dll (76C50000 - 76C78000)
NTMARTA.DLL (77660000 - 77681000)
WLDAP32.dll (76F20000 - 76F4D000)
SAMLIB.dll (71B70000 - 71B83000)
uxtheme.dll (5AD70000 - 5ADA8000)
Selftest complete.
14:54:30 - Performing check: "MBR":
Partition Table:
+----+-----+------Start------+--------End------+----------+----------+----+
| Nr | Act | Head Sect Track | Head Sect Track |  Offset  |  Length  | OS |
+----+-----+-----------------+-----------------+----------+----------+----+
|  1 |  Y  |  001  01  0000  |  254  63  0255  | 0000003F | 0C34F28D | 07 |
|  2 |  N  |  000  01  0255  |  254  63  0255  | 0C34F2CC | 190DE3F5 | 07 |
|  3 |  N  |  000  00  0000  |  000  00  0000  | 00000000 | 00000000 | 00 |
|  4 |  N  |  000  00  0000  |  000  00  0000  | 00000000 | 00000000 | 00 |
+----+-----+-----------------+-----------------+----------+----------+----+
MBR seems to be OK.

14:54:30 - Performing check: "IRP hooks":
00 \Driver\Beep 8A338AC8 Beep.SYS
01 \Driver\NDIS 8A69E030 NDIS.sys
02 \Driver\KSecDD 8A646710 KSecDD.sys
03 \Driver\Raspti 8A4A0570 raspti.sys
04 \Driver\Mouclass 8A3D62E0 mouclass.sys
05 \Driver\taphss 8A49F570 taphss.sys
06 \Driver\avgio 8A2D6030 avgio.sys
07 \Driver\Fips 8A2EAF38 Fips.SYS
08 \Driver\IntcAzAudAddService 8A1722E0 RtkHDAud.sys
09 \Driver\Kbdclass 8A419D58 kbdclass.sys
10 \Driver\VgaSave 8A338838 vga.sys
11 \Driver\NDProxy 8A0F0308 NDProxy.SYS
12 \Driver\Ptilink 8A5D3A48 ptilink.sys
13 \Driver\MountMgr 8A6731F8 MountMgr.sys
14 \Driver\uagp35 8A6DD1C8 uagp35.sys
15 \Driver\wdmaud 8A2B44C8 wdmaud.sys
16 \Driver\{B154377D-700F-42cc-9474-23858FBDF4BD} 8A1D84D0 000.fcl
17 \Driver\iZ3DInjectionDriver 8A33EF38 S3DInjectionDriver.sys
18 \Driver\dmload 8A6A3A30 dmload.sys
19 \Driver\isapnp 8A75B0B8 isapnp.sys
20 \Driver\redbook 8A1E8F38 redbook.sys
20 >\Driver\GEARAspiWDM 8A433F38 GEARAspiWDM.sys
22 (Unknown driver) 8A6C82D8 atapi.sys --[HIDDEN]----[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A6E31F8
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A6E31F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A6E31F8
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A6E31F8
* Majorfunction 16 (IRP_MJ_POWER) hooked at 8A6E31F8
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A6E31F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys
-------------------------------------------------------------------------------
Information for module spdm.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spdm.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys
Warning: Driver file couldn't be found.
22 >\Driver\ACPIver) 8A6E5F38 ACPI.sys
23 >\Driver\Diskver) 8A648A08 disk.sys
24 >\Driver\PartMgr) 8A6A31E0 PartMgr.sys
26 \Driver\RasAcd 8A2E84C0 rasacd.sys
27 \Driver\PSched 8A2F0730 psched.sys
28 \Driver\dmio 8A6A3818 dmio.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A7531F8
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A7531F8
* Majorfunction 03 (IRP_MJ_READ) hooked at 8A7531F8
* Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A7531F8
* Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A7531F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A7531F8
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A7531F8
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A7531F8
* Majorfunction 16 (IRP_MJ_POWER) hooked at 8A7531F8
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A7531F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys
-------------------------------------------------------------------------------
Information for module spdm.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spdm.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys
Warning: Driver file couldn't be found.
29 \Driver\sptd 8A71FAC0 spdm.sys
30 \Driver\IpNat 8A416D58 ipnat.sys
31 \Driver\SDTHelper 8A2C85F0 sdthlpr.sys
32 \Driver\Win32k 8A252658 win32k.sys
33 \Driver\audstub 8A312E40 audstub.sys
34 \Driver\ManyCam 8A49CF38 ManyCam.sys
35 \Driver\usbuhci 8A41B520 usbuhci.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A4101F8
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A4101F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A4101F8
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A4101F8
* Majorfunction 16 (IRP_MJ_POWER) hooked at 8A4101F8
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A4101F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys
-------------------------------------------------------------------------------
Information for module spdm.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spdm.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys
Warning: Driver file couldn't be found.
35 >\Driver\usbhubi 8A171F38 usbhub.sys
37 \Driver\mouhid 8A2C99E0 mouhid.sys
37 >\Driver\Mouclass 8A3D62E0 mouclass.sys
36 \Driver\usbhub 8A171F38 usbhub.sys
36 >\Driver\hidusb 8A2C8268 hidusb.sys
39 \Driver\swenum 8A5D15D8 swenum.sys
39 >\Driver\sysaudio 8A313168 sysaudio.sys
41 \Driver\rdpdr 8A49DD58 rdpdr.sys
42 \Driver\HTTP 8A679030 HTTP.sys
43 \Driver\RDPCDD 8A179750 RDPCDD.sys
44 \Driver\Update 8A213030 update.sys
45 \Driver\RasPppoe 8A2F3030 raspppoe.sys
46 \Driver\usbccgp 8A2C8360 usbccgp.sys
46 >\Driver\hidusbp 8A2C8268 hidusb.sys
47 \Driver\SCDEmu 8A33DF38 SCDEmu.SYS
48 \Driver\TermDD 8A5D1380 termdd.sys
48 >\Driver\Mouclass 8A3D62E0 mouclass.sys
49 \Driver\Ftdisk 8A6A3F38 ftdisk.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A6E41F8
* Majorfunction 03 (IRP_MJ_READ) hooked at 8A6E41F8
* Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A6E41F8
* Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A6E41F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A6E41F8
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A6E41F8
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A6E41F8
* Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A6E41F8
* Majorfunction 16 (IRP_MJ_POWER) hooked at 8A6E41F8
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A6E41F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys
-------------------------------------------------------------------------------
Information for module spdm.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spdm.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys
Warning: Driver file couldn't be found.
49 >\Driver\VolSnap 8A721210 VolSnap.sys
40 \Driver\sysaudio 8A313168 sysaudio.sys
51 \Driver\Rasl2tp 8A2F9218 rasl2tp.sys
52 \Driver\Fdc 8A417F38 fdc.sys
52 >\Driver\Flpydisk 8A3627B8 flpydisk.sys
54 \Driver\videX32 8A692710 videX32.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at B832C4F2 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
* Majorfunction 16 (IRP_MJ_POWER) hooked at B8328692 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at B832C46E by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B832C6DC by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
54 >\Driver\ACPIX32 8A6E5F38 ACPI.sys
23 >\Driver\atapi32 8A6C82D8 atapi.sys --[HIDDEN]--
55 \Driver\adfs 8A5D6888 adfs.SYS
55 >\FileSystem\FltMgr 8A6458F8 fltMgr.sys
57 \Driver\PptpMiniport 8A2F1810 raspptp.sys
58 \Driver\serenum 8A3CFD30 serenum.sys
59 \Driver\WMIxWDM 8A75D9B0 ntkrnlpa.exe
60 \Driver\ACPI_HAL 8A75DF38 hal.dll
60 >\Driver\ACPI_HAL 8A6E5F38 ACPI.sys
61 \Driver\Secdrv 8A5D6030 secdrv.sys
62 \Driver\NetBT 8A2EA838 netbt.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A2DE500
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A2DE500
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A2DE500
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A2DE500
* Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A2DE500
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys
-------------------------------------------------------------------------------
Information for module spdm.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spdm.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys
Warning: Driver file couldn't be found.
63 \Driver\Cdrom 8A479A48 cdrom.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A161500
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A161500
* Majorfunction 03 (IRP_MJ_READ) hooked at 8A161500
* Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A161500
* Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A161500
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A161500
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A161500
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A161500
* Majorfunction 16 (IRP_MJ_POWER) hooked at 8A161500
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A161500
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys
-------------------------------------------------------------------------------
Information for module spdm.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spdm.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys
Warning: Driver file couldn't be found.
63 >\Driver\redbook 8A1E8F38 redbook.sys 20 >\Driver\GEARAspiWDM 8A433F38 GEARAspiWDM.sys 64 \Driver\mssmbios 8A316F38 mssmbios.sys 65 \Driver\PCIIde 8A7581E8 pciide.sys 66 \Driver\ViaIde 8A763300 viaide.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at B832C4F2 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES * Majorfunction 16 (IRP_MJ_POWER) hooked at B8328692 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at B832C46E by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 
00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES * The DriverUnload function points to another module than the start routine. * Unload routine is at B832C6DC by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES 67 \Driver\Wanarp 8A3515D8 wanarp.sys 68 \Driver\Tcpip 8A2E8030 tcpip.sys 69 \Driver\mnmdd 8A1792E0 mnmdd.SYS 70 \Driver\xfilt 8A69F2E8 xfilt.sys 71 \Driver\kbdhid 8A2CA208 kbdhid.sys 71 >\Driver\Kbdclass 8A419D58 kbdclass.sys 50 \Driver\VolSnap 8A721210 VolSnap.sys 72 \Driver\intelppm 8A4A02E0 intelppm.sys 73 \Driver\nv 8A42A780 nv4_mini.sys 74 \Driver\vpjrp 8A720340 vpjrp.sys 75 \Driver\AegisP 8A346218 AegisP.sys 76 \Driver\Null 8A3383C8 Null.SYS 77 \Driver\usbehci 8A418C58 usbehci.sys --[HOOKED]-- This might be a false positive, as I was unable to check. 
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A3E31F8 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A3E31F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A3E31F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A3E31F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A3E31F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A3E31F8 * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 77 >\Driver\usbhubi 8A171F38 usbhub.sys 78 \Driver\lirsgt 8A5DD400 lirsgt.sys 79 \Driver\IPSec 8A2E8BC0 ipsec.sys 21 \Driver\GEARAspiWDM 8A433F38 GEARAspiWDM.sys 24 \Driver\Disk 8A648A08 disk.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
80 \Driver\PCI 8A6C9828 pci.sys 80 >\Driver\ACPI 8A6E5F38 ACPI.sys 23 >\Driver\HDAudBus 8A3B4030 HDAudBus.sys 82 \Driver\Serial 8A3D45D8 serial.sys 82 >\Driver\serenum 8A3CFD30 serenum.sys 83 \Driver\NdisTapi 8A2F8A80 ndistapi.sys 84 \Driver\NdisWan 8A2F6998 ndiswan.sys 85 \Driver\FETND5BV 8A5C8100 fetnd5bv.sys 25 \Driver\PartMgr 8A6A31E0 PartMgr.sys 86 \Driver\PCI_PNP1940 8A759090 spdm.sys 86 >\Driver\ayh0iouy940 8A49D8C0 ayh0iouy.SYS 88 \Driver\Gpc 8A2EF2B8 msgpc.sys 81 \Driver\HDAudBus 8A3B4030 HDAudBus.sys 81 >\Driver\IntcAzAudAddService 8A1722E0 RtkHDAud.sys 23 \Driver\ACPI 8A6E5F38 ACPI.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 23 >\Driver\Disk 8A648A08 disk.sys 24 >\Driver\PartMgr 8A6A31E0 PartMgr.sys 53 \Driver\Flpydisk 8A3627B8 flpydisk.sys 87 \Driver\ayh0iouy 8A49D8C0 ayh0iouy.SYS --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A394500 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A394500 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A394500 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A394500 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A394500 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A394500 * The DriverUnload function points to another module than the start routine. 
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 87 >\Driver\PxHelp20 8A646808 PxHelp20.sys 89 >\Driver\Cdromp20 8A479A48 cdrom.sys 63 >\Driver\redbook0 8A1E8F38 redbook.sys 20 >\Driver\GEARAspiWDM 8A433F38 GEARAspiWDM.sys 90 \Driver\PnpManager 8A728D00 ntkrnlpa.exe 90 >\Driver\mssmbioser 8A316F38 mssmbios.sys 91 \Driver\atksgt 8A5F16B8 atksgt.sys 92 \Driver\AFD 8A3392E0 afd.sys 38 \Driver\hidusb 8A2C8268 hidusb.sys 93 \Driver\avipbb 8A2D6BC0 avipbb.sys 94 \Driver\ssmdrv 8A33DAC8 ssmdrv.sys 89 \Driver\PxHelp20 8A646808 PxHelp20.sys 89 >\Driver\Cdromp20 8A479A48 cdrom.sys 63 >\Driver\redbook0 8A1E8F38 redbook.sys 20 >\Driver\GEARAspiWDM 8A433F38 GEARAspiWDM.sys 95 \FileSystem\Ntfs 8A649810 Ntfs.sys --[HOOKED]-- This might be a false positive, as I was unable to check. 
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A5F9B40 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A6E21F8 * Majorfunction 03 (IRP_MJ_READ) hooked at 8A6E21F8 * Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A6E21F8 * Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 8A6E21F8 * Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 8A6E21F8 * Majorfunction 07 (IRP_MJ_QUERY_EA) hooked at 8A6E21F8 * Majorfunction 08 (IRP_MJ_SET_EA) hooked at 8A6E21F8 * Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A6E21F8 * Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 8A6E21F8 * Majorfunction 0B (IRP_MJ_SET_VOLUME_INFORMATION) hooked at 8A6E21F8 * Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 8A6E21F8 * Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 8A6E21F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A6E21F8 * Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A6E21F8 * Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 8A6E21F8 * Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A6E21F8 * Majorfunction 14 (IRP_MJ_QUERY_SECURITY) hooked at 8A6E21F8 * Majorfunction 15 (IRP_MJ_SET_SECURITY) hooked at 8A6E21F8 * Majorfunction 19 (IRP_MJ_QUERY_QUOTA) hooked at 8A6E21F8 * Majorfunction 1A (IRP_MJ_SET_QUOTA) hooked at 8A6E21F8 * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
95 >\FileSystem\srfs 8A6839D0 sr.sys 96 >\FileSystem\FltMgr 8A6458F8 fltMgr.sys 97 \FileSystem\NetBIOS 8A338F38 netbios.sys 96 \FileSystem\sr 8A6839D0 sr.sys 96 >\FileSystem\FltMgr 8A6458F8 fltMgr.sys 98 \FileSystem\Rdbss 8A33E3C8 rdbss.sys 99 \FileSystem\avgntflt 8A36FCC0 avgntflt.sys 100 \FileSystem\Lbd 8A686408 Lbd.sys 101 \FileSystem\Msfs 8A179BC0 Msfs.SYS 102 \FileSystem\MRxSmb 8A33E838 mrxsmb.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A2AC500 * Majorfunction 01 (IRP_MJ_CREATE_NAMED_PIPE) hooked at 8A2AC500 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A2AC500 * Majorfunction 03 (IRP_MJ_READ) hooked at 8A2AC500 * Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A2AC500 * Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 8A2AC500 * Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 8A2AC500 * Majorfunction 07 (IRP_MJ_QUERY_EA) hooked at 8A2AC500 * Majorfunction 08 (IRP_MJ_SET_EA) hooked at 8A2AC500 * Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A2AC500 * Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 8A2AC500 * Majorfunction 0B (IRP_MJ_SET_VOLUME_INFORMATION) hooked at 8A2AC500 * Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 8A2AC500 * Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 8A2AC500 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A2AC500 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A2AC500 * Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A2AC500 * Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 8A2AC500 * Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A2AC500 * Majorfunction 13 (IRP_MJ_CREATE_MAILSLOT) hooked at 8A2AC500 * Majorfunction 14 (IRP_MJ_QUERY_SECURITY) hooked at 8A2AC500 * Majorfunction 15 (IRP_MJ_SET_SECURITY) hooked at 8A2AC500 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A2AC500 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A2AC500 * Majorfunction 18 (IRP_MJ_DEVICE_CHANGE) hooked at 8A2AC500 * 
Majorfunction 19 (IRP_MJ_QUERY_QUOTA) hooked at 8A2AC500 * Majorfunction 1A (IRP_MJ_SET_QUOTA) hooked at 8A2AC500 * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 103 \FileSystem\Srv 8A5DDD60 srv.sys 104 \FileSystem\Mup 8A69E480 Mup.sys 105 \FileSystem\RAW 8A7221C0 ntkrnlpa.exe 106 \FileSystem\Npfs 8A179030 Npfs.SYS 107 \FileSystem\Fs_Rec 8A1F4A28 Fs_Rec.SYS 108 \FileSystem\Cdfs 8A3B5AA8 Cdfs.SYS --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A1C0500 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A1C0500 * Majorfunction 03 (IRP_MJ_READ) hooked at 8A1C0500 * Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 8A1C0500 * Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 8A1C0500 * Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 8A1C0500 * Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 8A1C0500 * Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 8A1C0500 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A1C0500 * Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A1C0500 * Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 8A1C0500 * Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A1C0500 * The DriverUnload function points to another module than the start routine. 
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 108 >\FileSystem\FltMgr 8A6458F8 fltMgr.sys 56 \FileSystem\FltMgr 8A6458F8 fltMgr.sys 109 \FileSystem\MRxDAV 8A313030 mrxdav.sys 109 >\FileSystem\FltMgr 8A6458F8 fltMgr.sys 14:59:1 - Performing check: "Patched modules": Module information: Idx Base Size Module Service Pre Sig Patched 000 804D7000 0020C000 ntkrnlpa.exe YES YES 001 806E3000 00020D00 hal.dll YES YES 002 B85A8000 00002000 KDCOM.DLL YES YES 003 B84B8000 00003000 BOOTVID.dll YES YES 004 B7EA6000 00101000 spdm.sys NO NO 005 B85AA000 00002000 WMILIB.SYS YES YES 006 B7E8E000 00018000 SCSIPORT.SYS YES YES 007 B7E5F000 0002F000 ACPI.sys ACPI YES YES 008 B7E4E000 00011000 pci.sys PCI YES YES 009 B80A8000 00009000 isapnp.sys isapnp YES YES 010 B7D1D000 00131000 vpjrp.sys vpjrp YES NO 011 B8670000 00001000 pciide.sys PCIIde YES YES 012 B8328000 00007000 PCIIDEX.SYS YES YES 013 B85AC000 00002000 viaide.sys ViaIde YES YES 014 B80B8000 0000B000 MountMgr.sys MountMgr YES YES 015 B7CFE000 0001F000 ftdisk.sys Ftdisk YES YES 016 B85AE000 00002000 dmload.sys dmload YES YES 017 B7CD8000 00026000 dmio.sys dmio YES YES 018 B8330000 00005000 PartMgr.sys PartMgr YES YES 019 B8338000 00008000 videX32.sys videX32 YES YES 020 B80C8000 0000E000 VolSnap.sys VolSnap YES YES 021 B7CC0000 00018000 atapi.sys atapi YES YES 022 B80D8000 00009000 disk.sys Disk YES YES 023 B80E8000 0000D000 CLASSPNP.SYS YES YES 024 B7CA1000 0001F000 fltMgr.sys FltMgr YES YES 025 B7C8F000 00012000 sr.sys sr YES YES 026 
B80F8000 0000F000 Lbd.sys Lbd YES YES 027 B8108000 00009000 xfilt.sys xfilt YES YES 028 B8118000 0000A000 PxHelp20.sys PxHelp20 YES YES 029 B7C78000 00017000 KSecDD.sys KSecDD YES YES 030 B7BEB000 0008D000 Ntfs.sys Ntfs YES YES 031 B7BBE000 0002D000 NDIS.sys NDIS YES YES 032 B8128000 0000B000 uagp35.sys uagp35 YES YES 033 B7BA3000 0001B000 Mup.sys Mup YES YES 034 B74D1000 0000A000 intelppm.sys intelppm YES YES 035 B6ABD000 009C4000 nv4_mini.sys nv YES YES 036 B6AA9000 00014000 VIDEOPRT.SYS YES YES 037 B8418000 00005000 usbuhci.sys usbuhci YES YES 038 B6A86000 00023000 USBPORT.SYS YES YES
The code of DllUnload at B6A9E62C (0) got patched. Here is the diff: Address New-Original B6A9E62C: E9 - 80 B6A9E62D: A7 - 3D --> JMP DWORD PTR DS:[8A4161D8] [i] Function DllUnload was patched @B6A9E62C probably by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
039 B8420000 00007000 usbehci.sys usbehci YES YES 040 B8428000 00007000 fdc.sys Fdc YES YES 041 B8430000 00007000 kbdclass.sys Kbdclass YES YES 042 B8438000 00006000 mouclass.sys Mouclass YES YES 043 B6A75000 00011000 serial.sys Serial YES YES 044 B7B6F000 00004000 serenum.sys serenum YES YES 045 B74B1000 0000B000 fetnd5bv.sys FETND5BV YES YES 046 B6A50000 00025000 HDAudBus.sys HDAudBus YES YES 047 B6A18000 00038000 ayh0iouy.SYS YES YES 048 B84A0000 00006000 ManyCam.sys ManyCam YES YES 049 B74A1000 0000C000 STREAM.SYS YES YES 050 B69F5000 00023000 ks.sys YES YES 051 B8797000 00001000 audstub.sys audstub YES YES 052 B7491000 0000D000 rasl2tp.sys Rasl2tp YES YES 053 B7B5F000 00003000 ndistapi.sys NdisTapi YES YES 054 B67E7000 00017000 ndiswan.sys NdisWan YES YES 055 B7481000 0000B000 raspppoe.sys RasPppoe YES YES 056 B81A8000 0000C000 raspptp.sys PptpMiniport YES YES 057 B84A8000 00005000 TDI.SYS YES YES 058 B67D6000 00011000 psched.sys PSched YES YES 059 B81B8000 00009000 msgpc.sys Gpc YES YES 060 B84B0000 00005000 ptilink.sys Ptilink YES YES 061 B8348000 00005000 raspti.sys Raspti YES YES 062 B8350000 00007000 taphss.sys taphss YES YES 063 B67A5000 00031000 rdpdr.sys rdpdr YES YES 064 B81D8000 0000A000 termdd.sys TermDD YES YES 065 B85DC000 00002000 swenum.sys swenum YES YES 066 B6771000 00034000 update.sys Update YES YES 067 B77B7000 00004000 mssmbios.sys mssmbios YES YES 068 B81E8000 0000D000 cdrom.sys Cdrom YES YES 069 B81F8000 0000F000 redbook.sys redbook YES YES 070 B8208000 0000A000 GEARAspiWDM.sys GEARAspiWDM YES YES 071 B8218000 0000A000 NDProxy.SYS NDProxy YES YES 072 B8248000 0000F000 usbhub.sys usbhub YES YES 073 B85E8000 00002000 USBD.SYS YES YES 074 B4074000 005D5000 RtkHDAud.sys IntcAzAudAddService YES YES 075 B4052000 00022000 portcls.sys YES YES 076 B8258000 0000F000 drmk.sys YES YES 077 B8398000 00005000 flpydisk.sys Flpydisk YES YES 078 B85F2000 00002000 Fs_Rec.SYS Fs_Rec YES YES 079 B87D8000 00001000 Null.SYS Null YES YES 080 B85F4000 00002000 
Beep.SYS Beep YES YES 081 B83A8000 00007000 HIDPARSE.SYS YES YES 082 B83B0000 00006000 vga.sys VgaSave YES YES 083 B85F8000 00002000 mnmdd.SYS mnmdd YES YES 084 B85FA000 00002000 RDPCDD.sys RDPCDD YES YES 085 B83B8000 00005000 Msfs.SYS Msfs YES YES 086 B83C0000 00008000 Npfs.SYS Npfs YES YES 087 B6769000 00003000 rasacd.sys RasAcd YES YES 088 B3F2F000 00013000 ipsec.sys IPSec YES YES 089 B3ED7000 00058000 tcpip.sys Tcpip YES YES 090 B3EAF000 00028000 netbt.sys NetBT YES YES 091 B3E8E000 00021000 ipnat.sys IpNat YES YES 092 B3E6C000 00022000 afd.sys AFD YES YES 093 B8278000 00009000 netbios.sys NetBIOS YES YES 094 B83C8000 00006000 ssmdrv.sys ssmdrv YES YES 095 B8288000 0000B000 SCDEmu.SYS SCDEmu YES NO 096 B8298000 00009000 wanarp.sys Wanarp YES YES 097 B3E18000 0002C000 rdbss.sys Rdbss YES YES 098 B3D81000 0006F000 mrxsmb.sys MRxSmb YES YES 099 B83D0000 00007000 S3DInjectionDriver.sys iZ3DInjectionDriver YES YES 100 B82B8000 00009000 Fips.SYS Fips YES YES 101 B3D65000 0001C000 avipbb.sys avipbb YES YES 102 B85FE000 00002000 avgio.sys avgio YES YES 103 B82D8000 00010000 Cdfs.SYS Cdfs YES YES 104 B83F0000 00008000 usbccgp.sys usbccgp YES YES 105 B401A000 00003000 hidusb.sys hidusb YES YES 106 B82E8000 00009000 HIDCLASS.SYS YES YES 107 B4016000 00003000 mouhid.sys mouhid YES YES 108 B4012000 00004000 kbdhid.sys kbdhid YES YES 109 B3C87000 00018000 dump_atapi.sys NO NO 110 B860E000 00002000 dump_WMILIB.SYS NO NO 111 BF800000 001C4000 win32k.sys YES YES 112 B7B7B000 00003000 Dxapi.sys YES YES 113 B83F8000 00005000 watchdog.sys YES YES 114 BD000000 00012000 dxg.sys YES YES 115 B87BE000 00001000 dxgthk.sys YES YES 116 BD012000 005FE000 nv4_disp.dll YES YES 117 BFFA0000 00046000 ATMFD.DLL YES YES 118 B3AEB000 00014000 avgntflt.sys avgntflt YES YES 119 B8480000 00005000 AegisP.sys AegisP YES NO 120 B37C6000 0002D000 mrxdav.sys MRxDAV YES YES 121 B378D000 00011000 adfs.SYS adfs YES YES 122 B374A000 00043000 atksgt.sys atksgt YES YES 123 B3645000 00015000 wdmaud.sys wdmaud 
YES YES 124 B3F62000 0000F000 sysaudio.sys sysaudio YES YES 125 B8440000 00005000 lirsgt.sys lirsgt YES YES 126 B327F000 00057000 srv.sys Srv YES YES 127 B322F000 00028000 secdrv.sys Secdrv YES NO 128 B313B000 0002C000 000.fcl {B154377D-700F-42cc-9474-23858FBDF4BD} YES YES 129 B2D3A000 00041000 HTTP.sys HTTP YES YES 130 B1F49000 00004000 sdthlpr.sys SDTHelper YES NO 131 B1D2B000 00023000 Fastfat.SYS Fastfat YES YES 132 B1D01000 0002A000 kmixer.sys kmixer YES YES 133 7C910000 000B9000 ntdll.dll YES YES Number of Module Table entries patched = 1 14:59:29 - Performing check: "SDT hooks": Found KiServiceTable @ 8055B6E0 0 ZwAcceptConnectPort 805A3104 1 ZwAccessCheck 805EF38C 2 ZwAccessCheckAndAuditAlarm 805F2BDA 3 ZwAccessCheckByType 805EF3BE 4 ZwAccessCheckByTypeAndAuditAlarm 805F2C14 5 ZwAccessCheckByTypeResultList 805EF3F4 6 ZwAccessCheckByTypeResultListAndAuditAlarm 805F2C58 7 ZwAccessCheckByTypeResultListAndAuditAlarmByHandle 805F2C9C 8 ZwAddAtom 80613BC8 9 ZwAddBootEntry 8061490A 10 ZwAdjustGroupsToken 805EA73C 11 ZwAdjustPrivilegesToken 805EA394 12 ZwAlertResumeThread 805D33D0 13 ZwAlertThread 805D3380 14 ZwAllocateLocallyUniqueId 806141EE 15 ZwAllocateUserPhysicalPages 805B49F8 16 ZwAllocateUuids 8061380A 17 ZwAllocateVirtualMemory 805A758E 18 ZwAreMappedFilesTheSame 805AF00C 19 ZwAssignProcessToJobObject 805D4E94 20 ZwCallbackReturn 80500DD4 21 ZwCancelDeviceWakeupRequest 806148FC 22 ZwCancelIoFile 80575974 23 ZwCancelTimer 80537E4E 24 ZwClearEvent 8060CE12 25 ZwClose 805BAF72 26 ZwCloseObjectAuditAlarm 805F3114 27 ZwCompactKeys 80621D04 28 ZwCompareTokens 805F7628 29 ZwCompleteConnectPort 805A37F2 30 ZwCompressKey 80621F58 31 ZwConnectPort 805A30A4 32 ZwContinue 80544104 33 ZwCreateDebugObject 8063FF3E 34 ZwCreateDirectoryObject 805BCE26 35 ZwCreateEvent 8060CE62 36 ZwCreateEventPair 80615180 37 ZwCreateFile 80577ED2 38 ZwCreateIoCompletion 80576764 39 ZwCreateJobObject 805D3E58 40 ZwCreateJobSet 805D3B90 41 ZwCreateKey --[HOOKED]-- B87E8026 probably by 
C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 42 ZwCreateMailslotFile 80577FE0 43 ZwCreateMutant 80615578 44 ZwCreateNamedPipeFile 80577F0C 45 ZwCreatePagingFile 805AA4C2 46 ZwCreatePort 805A3BC0 47 ZwCreateProcess 805CFAE2 48 ZwCreateProcessEx 805CFA2C 49 ZwCreateProfile 80615998 50 ZwCreateSection 805A9E9C 51 ZwCreateSemaphore 80612F28 52 ZwCreateSymbolicLinkObject 805C36A6 53 ZwCreateThread --[HOOKED]-- B87E801C probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 54 ZwCreateTimer 80614E48 55 ZwCreateToken 805F79D0 56 ZwCreateWaitablePort 805A3BE4 57 ZwDebugActiveProcess 8064101A 58 ZwDebugContinue 8064116A 59 ZwDelayExecution 8061484C 60 ZwDeleteAtom 8061407E 61 ZwDeleteBootEntry 806148FC 62 ZwDeleteFile 80575ABA 63 ZwDeleteKey --[HOOKED]-- B87E802B probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: 
------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 64 ZwDeleteObjectAuditAlarm 805F3220 65 ZwDeleteValueKey --[HOOKED]-- B87E8035 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 66 ZwDeviceIoControlFile 80578098 67 ZwDisplayString 80610EA6 68 ZwDuplicateObject 805BC94E 69 ZwDuplicateToken 805EB5DA 70 ZwEnumerateBootEntries 8061490A 71 ZwEnumerateKey --[HOOKED]-- B7EC5CA4 probably by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
72 ZwEnumerateSystemEnvironmentValuesEx 806148EE 73 ZwEnumerateValueKey --[HOOKED]-- B7EC6032 probably by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 74 ZwExtendSection 805B2718 75 ZwFilterToken 805EB786 76 ZwFindAtom 80613E32 77 ZwFlushBuffersFile 80575B86 78 ZwFlushInstructionCache 805B528C 79 ZwFlushKey 80622E48 80 ZwFlushVirtualMemory 805AB1D6 81 ZwFlushWriteBuffer 805B522E 82 ZwFreeUserPhysicalPages 805B4D9A 83 ZwFreeVirtualMemory 805B19F4 84 ZwFsControlFile 805780CC 85 ZwGetContextThread 805CFDF4 86 ZwGetDevicePowerState 805C6FC6 87 ZwGetPlugPlayEvent 80597E7E 88 ZwGetWriteWatch 80520498 89 ZwImpersonateAnonymousToken 805F731C 90 ZwImpersonateClientOfPort 805A3C4E 91 ZwImpersonateThread 805D6054 92 ZwInitializeRegistry 8062010C 93 ZwInitiatePowerAction 805C6DAC 94 ZwIsProcessInJob 805D3A54 95 ZwIsSystemResumeAutomatic 805C6FB2 96 ZwListenPort 805A3E5A 97 ZwLoadDriver 80582EAE 98 ZwLoadKey --[HOOKED]-- B87E803A probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 99 ZwLoadKey2 80623AAE 100 ZwLockFile 
80578100 101 ZwLockProductActivationKeys 80611498 102 ZwLockRegistryKey 80622004 103 ZwLockVirtualMemory 805B5394 104 ZwMakePermanentObject 805BCC1C 105 ZwMakeTemporaryObject 805BB016 106 ZwMapUserPhysicalPages 805B3E58 107 ZwMapUserPhysicalPagesScatter 805B43A8 108 ZwMapViewOfSection 805B0A7C 109 ZwModifyBootEntry 806148FC 110 ZwNotifyChangeDirectoryFile 80578D18 111 ZwNotifyChangeKey 80623E2E 112 ZwNotifyChangeMultipleKeys 80622F4A 113 ZwOpenDirectoryObject 805BCEF8 114 ZwOpenEvent 8060CF62 115 ZwOpenEventPair 80615258 116 ZwOpenFile 80578FD0 117 ZwOpenIoCompletion 8057683C 118 ZwOpenJobObject 805D3FDE 119 ZwOpenKey --[HOOKED]-- B7EA70C0 probably by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
120 ZwOpenMutant 80615650 121 ZwOpenObjectAuditAlarm 805F2CE2 122 ZwOpenProcess --[HOOKED]-- B87E8008 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 123 ZwOpenProcessToken 805EBFD2 124 ZwOpenProcessTokenEx 805EBBD8 125 ZwOpenSection 805A8EC0 126 ZwOpenSemaphore 80613022 127 ZwOpenSymbolicLinkObject 805C388C 128 ZwOpenThread --[HOOKED]-- B87E800D probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 129 ZwOpenThreadToken 805EBFF0 130 ZwOpenThreadTokenEx 805EBD48 131 ZwOpenTimer 80614F6A 132 ZwPlugPlayControl 8064320C 133 ZwPowerInformation 805C7DFA 134 ZwPrivilegeCheck 805F63CE 135 ZwPrivilegeObjectAuditAlarm 805F1FF4 136 ZwPrivilegedServiceAuditAlarm 805F21E0 137 ZwProtectVirtualMemory 805B6E60 138 ZwPulseEvent 8060D01A 139 ZwQueryAttributesFile 80575D64 140 ZwQueryBootEntryOrder 8061490A 141 ZwQueryBootOptions 8061490A 142 ZwQueryDebugFilterState 8053EE36 143 ZwQueryDefaultLocale 8060EBEC 144 ZwQueryDefaultUILanguage 8060F84C 145 ZwQueryDirectoryFile 
80578CB2 146 ZwQueryDirectoryObject 805BCF98 147 ZwQueryEaFile 80579000 148 ZwQueryEvent 8060D0E2 149 ZwQueryFullAttributesFile 80575E9C 150 ZwQueryInformationAtom 806140A6 151 ZwQueryInformationFile 8057986C 152 ZwQueryInformationJobObject 805D44B0 153 ZwQueryInformationPort 805A3EB8 154 ZwQueryInformationProcess 805CB860 155 ZwQueryInformationThread 805CA48E 156 ZwQueryInformationToken 805EC0D0 157 ZwQueryInstallUILanguage 8060EFEA 158 ZwQueryIntervalProfile 80615E1A 159 ZwQueryIoCompletion 805768E4 160 ZwQueryKey --[HOOKED]-- B7EC610A probably by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
161 ZwQueryMultipleValueKey 80621302 162 ZwQueryMutant 806156F8 163 ZwQueryObject 805C2DC6 164 ZwQueryOpenSubKeys 80621968 165 ZwQueryPerformanceCounter 80615EA8 166 ZwQueryQuotaInformationFile 8057A604 167 ZwQuerySection 805B7022 168 ZwQuerySecurityObject 805BEA84 169 ZwQuerySemaphore 806130DA 170 ZwQuerySymbolicLinkObject 805C392C 171 ZwQuerySystemEnvironmentValue 80614926 172 ZwQuerySystemEnvironmentValueEx 806148E0 173 ZwQuerySystemInformation 8060F8CC 174 ZwQuerySystemTime 80611072 175 ZwQueryTimer 80615022 176 ZwQueryTimerResolution 80611104 177 ZwQueryValueKey --[HOOKED]-- B7EC5F8A probably by C:\WINDOWS\system32\DRIVERS\spdm.sys ------------------------------------------------------------------------------- Information for module spdm.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spdm.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spdm.sys Warning: Driver file couldn't be found. 
178 ZwQueryVirtualMemory 805B76B0 179 ZwQueryVolumeInformationFile 8057AAEE 180 ZwQueueApcThread 805CFB40 181 ZwRaiseException 8054414C 182 ZwRaiseHardError 80612D4C 183 ZwReadFile 8057B28E 184 ZwReadFileScatter 8057B7F8 185 ZwReadRequestData 805A4940 186 ZwReadVirtualMemory 805B2D04 187 ZwRegisterThreadTerminatePort 805D0FEA 188 ZwReleaseMutant 80615830 189 ZwReleaseSemaphore 8061320A 190 ZwRemoveIoCompletion 80576BDC 191 ZwRemoveProcessDebug 806410EA 192 ZwRenameKey 80621B5A 193 ZwReplaceKey --[HOOKED]-- B87E8044 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 194 ZwReplyPort 805A3FC0 195 ZwReplyWaitReceivePort 805A4F88 196 ZwReplyWaitReceivePortEx 805A4990 197 ZwReplyWaitReplyPort 805A42AA 198 ZwRequestDeviceWakeup 805C6F44 199 ZwRequestPort 805A151E 200 ZwRequestWaitReplyPort 805A184A 201 ZwRequestWakeupLatency 805C6D52 202 ZwResetEvent 8060D1F4 203 ZwResetWriteWatch 80520980 204 ZwRestoreKey --[HOOKED]-- B87E803F probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: 
C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 205 ZwResumeProcess 805D332A 206 ZwResumeThread 805D320C 207 ZwSaveKey 806205DE 208 ZwSaveKeyEx 8062066E 209 ZwSaveMergedKeys 8062073A 210 ZwSecureConnectPort 805A2838 211 ZwSetBootEntryOrder 8061490A 212 ZwSetBootOptions 8061490A 213 ZwSetContextThread 805D0004 214 ZwSetDebugFilterState 80643DA2 215 ZwSetDefaultHardErrorPort 80612BF6 216 ZwSetDefaultLocale 8060ED3C 217 ZwSetDefaultUILanguage 8060F5AE 218 ZwSetEaFile 80579514 219 ZwSetEvent 8060D2B4 220 ZwSetEventBoostPriority 8060D37E 221 ZwSetHighEventPair 80615514 222 ZwSetHighWaitLowEventPair 80615444 223 ZwSetInformationDebugObject 80640AB4 224 ZwSetInformationFile 80579E38 225 ZwSetInformationJobObject 805D51BE 226 ZwSetInformationKey 80620ECE 227 ZwSetInformationObject 805C233C 228 ZwSetInformationProcess 805CC756 229 ZwSetInformationThread 805CA9DA 230 ZwSetInformationToken 805F874A 231 ZwSetIntervalProfile 8061597C 232 ZwSetIoCompletion 80576B7A 233 ZwSetLdtEntries 805D2156 234 ZwSetLowEventPair 806154B0 235 ZwSetLowWaitHighEventPair 806153D8 236 ZwSetQuotaInformationFile 8057A5E2 237 ZwSetSecurityObject 805BE9B8 238 ZwSetSystemEnvironmentValue 80614BAA 239 ZwSetSystemEnvironmentValueEx 806148E0 240 ZwSetSystemInformation 8060DC1A 241 ZwSetSystemPowerState 80650E26 242 ZwSetSystemTime 8061237A 243 ZwSetThreadExecutionState 805C6C66 244 ZwSetTimer 80537FDE 245 ZwSetTimerResolution 8061184C 246 ZwSetUuidSeed 806136C0 247 ZwSetValueKey --[HOOKED]-- B87E8030 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible 
path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 248 ZwSetVolumeInformationFile 8057AEF8 249 ZwShutdownSystem 80610E6A 250 ZwSignalAndWaitForSingleObject 80525A60 251 ZwStartProfile 80615BC6 252 ZwStopProfile 80615D70 253 ZwSuspendProcess 805D32D4 254 ZwSuspendThread 805D3146 255 ZwSystemDebugControl 80615F94 256 ZwTerminateJobObject 805D5D52 257 ZwTerminateProcess --[HOOKED]-- B87E8017 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3D65000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 258 ZwTerminateThread 805D142E 259 ZwTestAlert 805D3494 260 ZwTraceEvent 80534374 261 ZwTranslateFilePath 80614918 262 ZwUnloadDriver 80583042 263 ZwUnloadKey 80620ABC 264 ZwUnloadKeyEx 80620CAA 265 ZwUnlockFile 805784A4 266 ZwUnlockVirtualMemory 805B5922 267 ZwUnmapViewOfSection 805B188A 268 ZwVdmControl 805F9B02 269 ZwWaitForDebugEvent 8064081C 270 ZwWaitForMultipleObjects 805BF0DA 271 ZwWaitForSingleObject 805BEFF0 272 ZwWaitHighEventPair 80615374 273 ZwWaitLowEventPair 80615310 274 ZwWriteFile 8057BCF6 275 ZwWriteFileGather 8057C2DA 276 ZwWriteRequestData 805A4968 277 ZwWriteVirtualMemory 805B2E0E 278 ZwYieldExecution 80503FF4 279 ZwCreateKeyedEvent 806163EC 280 ZwOpenKeyedEvent 806164D6 281 ZwReleaseKeyedEvent 80616588 282 ZwWaitForKeyedEvent 806167E4 283 ZwQueryPortInformationProcess 805CA20E Number of Service Table entries hooked = 16 Number of Service Table entries patched = 0 14:59:35 - Performing check: "IDT hooks": IDT offset in kernel: 0x01F78F50 IDT address: 0x8003F400 (phys.: 0x0152F400) INT# SegType DPL 
ISR 000(00) IntG32 00 0008:80541420 001(01) IntG32 00 0008:8054159C 002(02) TaskG32 00 0058:80551896 003(03) IntG32 03 0008:805419B0 004(04) IntG32 03 0008:80541B30 005(05) IntG32 00 0008:80541C90 006(06) IntG32 00 0008:80541E04 007(07) IntG32 00 0008:8054247C 008(08) TaskG32 00 0050:80551888 009(09) IntG32 00 0008:80542880 010(0A) IntG32 00 0008:805429A0 011(0B) IntG32 00 0008:80542AE0 012(0C) IntG32 00 0008:80542D40 013(0D) IntG32 00 0008:8054302C 014(0E) IntG32 00 0008:80543740 015(0F) IntG32 00 0008:80543A78 016(10) IntG32 00 0008:80543B98 017(11) IntG32 00 0008:80543CD4 018(12) TaskG32 00 00A0:0AC79B30 (hooked) 019(13) IntG32 00 0008:80543E3C 020(14) IntG32 00 0008:80543A78 021(15) IntG32 00 0008:80543A78 022(16) IntG32 00 0008:80543A78 023(17) IntG32 00 0008:80543A78 024(18) IntG32 00 0008:80543A78 025(19) IntG32 00 0008:80543A78 026(1A) IntG32 00 0008:80543A78 027(1B) IntG32 00 0008:80543A78 028(1C) IntG32 00 0008:80543A78 029(1D) IntG32 00 0008:80543A78 030(1E) IntG32 00 0008:80543A78 031(1F) IntG32 00 0008:806E510C 032(20) Not present 033(21) Not present 034(22) Not present 035(23) Not present 036(24) Not present 037(25) Not present 038(26) Not present 039(27) Not present 040(28) Not present 041(29) Not present 042(2A) IntG32 03 0008:80540C4E 043(2B) IntG32 03 0008:80540D50 044(2C) IntG32 03 0008:80540F00 045(2D) IntG32 03 0008:8054188C 046(2E) IntG32 03 0008:805406D1 047(2F) IntG32 00 0008:80543A78 048(30) IntG32 00 0008:8053FD90 049(31) IntG32 00 0008:8053FD9A 050(32) IntG32 00 0008:8053FDA4 051(33) IntG32 00 0008:8053FDAE 052(34) IntG32 00 0008:8053FDB8 053(35) IntG32 00 0008:8053FDC2 054(36) IntG32 00 0008:8053FDCC 055(37) IntG32 00 0008:806E4864 056(38) IntG32 00 0008:8053FDE0 057(39) IntG32 00 0008:8053FDEA 058(3A) IntG32 00 0008:8053FDF4 059(3B) IntG32 00 0008:8053FDFE 060(3C) IntG32 00 0008:8053FE08 061(3D) IntG32 00 0008:806E5E2C 062(3E) IntG32 00 0008:8053FE1C 063(3F) IntG32 00 0008:8053FE26 064(40) IntG32 00 0008:8053FE30 065(41) IntG32 00 
0008:806E5C88 066(42) IntG32 00 0008:8053FE44 067(43) IntG32 00 0008:8053FE4E 068(44) IntG32 00 0008:8053FE58 069(45) IntG32 00 0008:8053FE62 070(46) IntG32 00 0008:8053FE6C 071(47) IntG32 00 0008:8053FE76 072(48) IntG32 00 0008:8053FE80 073(49) IntG32 00 0008:8053FE8A 074(4A) IntG32 00 0008:8053FE94 075(4B) IntG32 00 0008:8053FE9E 076(4C) IntG32 00 0008:8053FEA8 077(4D) IntG32 00 0008:8053FEB2 078(4E) IntG32 00 0008:8053FEBC 079(4F) IntG32 00 0008:8053FEC6 080(50) IntG32 00 0008:806E493C 081(51) IntG32 00 0008:8053FEDA 082(52) IntG32 00 0008:8053FEE4 083(53) IntG32 00 0008:8053FEEE 084(54) IntG32 00 0008:8053FEF8 085(55) IntG32 00 0008:8053FF02 086(56) IntG32 00 0008:8053FF0C 087(57) IntG32 00 0008:8053FF16 088(58) IntG32 00 0008:8053FF20 089(59) IntG32 00 0008:8053FF2A 090(5A) IntG32 00 0008:8053FF34 091(5B) IntG32 00 0008:8053FF3E 092(5C) IntG32 00 0008:8053FF48 093(5D) IntG32 00 0008:8053FF52 094(5E) IntG32 00 0008:8053FF5C 095(5F) IntG32 00 0008:8053FF66 096(60) IntG32 00 0008:8053FF70 097(61) IntG32 00 0008:8053FF7A 098(62) IntG32 00 0008:8A690954 (hooked) 099(63) IntG32 00 0008:8A66F794 (hooked) 100(64) IntG32 00 0008:8053FF98 101(65) IntG32 00 0008:8053FFA2 102(66) IntG32 00 0008:8053FFAC 103(67) IntG32 00 0008:8053FFB6 104(68) IntG32 00 0008:8053FFC0 105(69) IntG32 00 0008:8053FFCA 106(6A) IntG32 00 0008:8053FFD4 107(6B) IntG32 00 0008:8053FFDE 108(6C) IntG32 00 0008:8053FFE8 109(6D) IntG32 00 0008:8053FFF2 110(6E) IntG32 00 0008:8053FFFC 111(6F) IntG32 00 0008:80540006 112(70) IntG32 00 0008:80540010 113(71) IntG32 00 0008:8054001A 114(72) IntG32 00 0008:80540024 115(73) IntG32 00 0008:8054002E 116(74) IntG32 00 0008:8A35E044 (hooked) 117(75) IntG32 00 0008:80540042 118(76) IntG32 00 0008:8054004C 119(77) IntG32 00 0008:80540056 120(78) IntG32 00 0008:80540060 121(79) IntG32 00 0008:8054006A 122(7A) IntG32 00 0008:80540074 123(7B) IntG32 00 0008:8054007E 124(7C) IntG32 00 0008:80540088 125(7D) IntG32 00 0008:80540092 126(7E) IntG32 00 0008:8054009C 
127(7F) IntG32 00 0008:805400A6 128(80) IntG32 00 0008:805400B0 129(81) IntG32 00 0008:805400BA 130(82) IntG32 00 0008:8A649954 (hooked) 131(83) IntG32 00 0008:805400CE 132(84) IntG32 00 0008:8A2D79E4 (hooked) 133(85) IntG32 00 0008:805400E2 134(86) IntG32 00 0008:805400EC 135(87) IntG32 00 0008:805400F6 136(88) IntG32 00 0008:80540100 137(89) IntG32 00 0008:8054010A 138(8A) IntG32 00 0008:80540114 139(8B) IntG32 00 0008:8054011E 140(8C) IntG32 00 0008:80540128 141(8D) IntG32 00 0008:80540132 142(8E) IntG32 00 0008:8054013C 143(8F) IntG32 00 0008:80540146 144(90) IntG32 00 0008:80540150 145(91) IntG32 00 0008:8054015A 146(92) IntG32 00 0008:8A1F4BEC (hooked) 147(93) IntG32 00 0008:8054016E 148(94) IntG32 00 0008:8A2CD4EC (hooked) 149(95) IntG32 00 0008:80540182 150(96) IntG32 00 0008:8054018C 151(97) IntG32 00 0008:80540196 152(98) IntG32 00 0008:805401A0 153(99) IntG32 00 0008:805401AA 154(9A) IntG32 00 0008:805401B4 155(9B) IntG32 00 0008:805401BE 156(9C) IntG32 00 0008:805401C8 157(9D) IntG32 00 0008:805401D2 158(9E) IntG32 00 0008:805401DC 159(9F) IntG32 00 0008:805401E6 160(A0) IntG32 00 0008:805401F0 161(A1) IntG32 00 0008:805401FA 162(A2) IntG32 00 0008:80540204 163(A3) IntG32 00 0008:8054020E 164(A4) IntG32 00 0008:8A2CDBEC (hooked) 165(A5) IntG32 00 0008:80540222 166(A6) IntG32 00 0008:8054022C 167(A7) IntG32 00 0008:80540236 168(A8) IntG32 00 0008:80540240 169(A9) IntG32 00 0008:8054024A 170(AA) IntG32 00 0008:80540254 171(AB) IntG32 00 0008:8054025E 172(AC) IntG32 00 0008:80540268 173(AD) IntG32 00 0008:80540272 174(AE) IntG32 00 0008:8054027C 175(AF) IntG32 00 0008:80540286 176(B0) IntG32 00 0008:80540290 177(B1) IntG32 00 0008:8A695AAC (hooked) 178(B2) IntG32 00 0008:805402A4 179(B3) IntG32 00 0008:805402AE 180(B4) IntG32 00 0008:8A2B930C (hooked) 181(B5) IntG32 00 0008:805402C2 182(B6) IntG32 00 0008:805402CC 183(B7) IntG32 00 0008:805402D6 184(B8) IntG32 00 0008:805402E0 185(B9) IntG32 00 0008:805402EA 186(BA) IntG32 00 0008:805402F4 187(BB) IntG32 
00 0008:805402FE 188(BC) IntG32 00 0008:80540308 189(BD) IntG32 00 0008:80540312 190(BE) IntG32 00 0008:8054031C 191(BF) IntG32 00 0008:80540326 192(C0) IntG32 00 0008:80540330 193(C1) IntG32 00 0008:806E4AC0 194(C2) IntG32 00 0008:80540344 195(C3) IntG32 00 0008:8054034E 196(C4) IntG32 00 0008:80540358 197(C5) IntG32 00 0008:80540362 198(C6) IntG32 00 0008:8054036C 199(C7) IntG32 00 0008:80540376 200(C8) IntG32 00 0008:80540380 201(C9) IntG32 00 0008:8054038A 202(CA) IntG32 00 0008:80540394 203(CB) IntG32 00 0008:8054039E 204(CC) IntG32 00 0008:805403A8 205(CD) IntG32 00 0008:805403B2 206(CE) IntG32 00 0008:805403BC 207(CF) IntG32 00 0008:805403C6 208(D0) IntG32 00 0008:805403D0 209(D1) IntG32 00 0008:806E3E54 210(D2) IntG32 00 0008:805403E4 211(D3) IntG32 00 0008:805403EE 212(D4) IntG32 00 0008:805403F8 213(D5) IntG32 00 0008:80540402 214(D6) IntG32 00 0008:8054040C 215(D7) IntG32 00 0008:80540416 216(D8) IntG32 00 0008:80540420 217(D9) IntG32 00 0008:8054042A 218(DA) IntG32 00 0008:80540434 219(DB) IntG32 00 0008:8054043E 220(DC) IntG32 00 0008:80540448 221(DD) IntG32 00 0008:80540452 222(DE) IntG32 00 0008:8054045C 223(DF) IntG32 00 0008:80540466 224(E0) IntG32 00 0008:80540470 225(E1) IntG32 00 0008:806E5048 226(E2) IntG32 00 0008:80540484 227(E3) IntG32 00 0008:806E4DAC 228(E4) IntG32 00 0008:80540498 229(E5) IntG32 00 0008:805404A2 230(E6) IntG32 00 0008:805404AC 231(E7) IntG32 00 0008:805404B6 232(E8) IntG32 00 0008:805404C0 233(E9) IntG32 00 0008:805404CA 234(EA) IntG32 00 0008:805404D4 235(EB) IntG32 00 0008:805404DE 236(EC) IntG32 00 0008:805404E8 237(ED) IntG32 00 0008:805404F2 238(EE) IntG32 00 0008:805404F9 239(EF) IntG32 00 0008:80540500 240(F0) IntG32 00 0008:80540507 241(F1) IntG32 00 0008:8054050E 242(F2) IntG32 00 0008:80540515 243(F3) IntG32 00 0008:8054051C 244(F4) IntG32 00 0008:80540523 245(F5) IntG32 00 0008:8054052A 246(F6) IntG32 00 0008:80540531 247(F7) IntG32 00 0008:80540538 248(F8) IntG32 00 0008:8054053F 249(F9) IntG32 00 
0008:80540546 250(FA) IntG32 00 0008:8054054D 251(FB) IntG32 00 0008:80540554 252(FC) IntG32 00 0008:8054055B 253(FD) IntG32 00 0008:806E55A8 254(FE) IntG32 00 0008:806E5748 255(FF) IntG32 00 0008:80540570 14:59:44 - Performing check: "SYSENTER hook": SYSENTER offset in kernel: 0x004697A0 (=0x805407A0) SYSENTER EIP: 0008:805407A0 [OK] 14:59:44 - Performing check: "IAT hooks": PID 860 - C:\WINDOWS\System32\smss.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) PID 1076 - C:\WINDOWS\system32\csrss.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) CSRSRV.dll (75AE0000 - 75AEB000) basesrv.dll (75AF0000 - 75B00000) winsrv.dll (75B00000 - 75B4A000) USER32.dll (77D10000 - 77DA0000) KERNEL32.dll (7C800000 - 7C907000) GDI32.dll (77EF0000 - 77F38000) sxs.dll (76970000 - 76A21000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) PID 1100 - C:\WINDOWS\system32\winlogon.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) AUTHZ.dll (77690000 - 776A1000) msvcrt.dll (77BE0000 - 77C38000) CRYPT32.dll (77A50000 - 77AE5000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) MSASN1.dll (77AF0000 - 77B02000) NDdeApi.dll (758E0000 - 758E8000) PROFMAP.dll (758D0000 - 758DA000) NETAPI32.dll (597D0000 - 59824000) USERENV.dll (76620000 - 766D5000) PSAPI.DLL (76BB0000 - 76BBB000) REGAPI.dll (76B70000 - 76B7F000) SETUPAPI.dll (778F0000 - 779E4000) VERSION.dll (77BD0000 - 77BD8000) WINSTA.dll (76300000 - 76310000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) MSGINA.dll (75910000 - 75A09000) SHELL32.dll 
(7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (5D450000 - 5D4E7000) ODBC32.dll (745D0000 - 7460D000) comdlg32.dll (76350000 - 7639A000) comctl32.dll (773A0000 - 774A2000) odbcint.dll (20000000 - 20019000) SHSVCS.dll (776B0000 - 776D4000) sfc.dll (76B60000 - 76B65000) sfc_os.dll (76C20000 - 76C4A000) ole32.dll (774B0000 - 775EC000) Apphelp.dll (77B10000 - 77B32000) WINSCARD.DLL (72360000 - 7237C000) WTSAPI32.dll (76F10000 - 76F18000) sxs.dll (76970000 - 76A21000) WINMM.dll (76AF0000 - 76B1E000) uxtheme.dll (5AD70000 - 5ADA8000) cscdll.dll (765A0000 - 765BD000) WlNotify.dll (758F0000 - 7590B000) WINSPOOL.DRV (72F70000 - 72F96000) MPR.dll (71A80000 - 71A92000) rsaenh.dll (0FFD0000 - 0FFF8000) WgaLogon.dll (012C0000 - 01302000) OLEAUT32.dll (770F0000 - 7717C000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) iphlpapi.dll (76D20000 - 76D39000) AdobeDriveCS4_NP.dll(10000000 - 10013000) cscui.dll (779F0000 - 77A46000) xpsp2res.dll (01590000 - 01869000) wdmaud.drv (72C90000 - 72C99000) msacm32.drv (72C80000 - 72C88000) MSACM32.dll (77BB0000 - 77BC5000) midimap.dll (77BA0000 - 77BA7000) PID 1144 - C:\WINDOWS\system32\services.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) NCObjAPI.DLL (5FB60000 - 5FB6C000) MSVCP60.dll (76020000 - 76085000) SCESRV.dll (77B40000 - 77B93000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) USERENV.dll (76620000 - 766D5000) AUTHZ.dll (77690000 - 776A1000) umpnpmgr.dll (75850000 - 7586F000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) ShimEng.dll (5CF00000 - 
5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) Apphelp.dll (77B10000 - 77B32000) eventlog.dll (772D0000 - 772E1000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) PSAPI.DLL (76BB0000 - 76BBB000) DNSAPI.dll (76EE0000 - 76F07000) imagehlp.dll (76C50000 - 76C78000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) rsaenh.dll (0FFD0000 - 0FFF8000) mswsock.dll (719B0000 - 719F0000) iphlpapi.dll (76D20000 - 76D39000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) rasadhlp.dll (76F80000 - 76F86000) wtsapi32.dll (76F10000 - 76F18000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) schannel.dll (767A0000 - 767CD000) dssenh.dll (68100000 - 68124000) wsock32.dll (71A30000 - 71A3A000) RASAPI32.DLL (76EA0000 - 76EDC000) rasman.dll (76E50000 - 76E62000) TAPI32.dll (76E70000 - 76E9F000) rtutils.dll (76E40000 - 76E4E000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) sensapi.dll (72240000 - 72245000) urlmon.dll (7DF20000 - 7DFC3000) PID 1164 - C:\WINDOWS\system32\lsass.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) LSASRV.dll (753D0000 - 75486000) MPR.dll (71A80000 - 71A92000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) MSASN1.dll (77AF0000 - 77B02000) msvcrt.dll (77BE0000 - 77C38000) NETAPI32.dll (597D0000 - 59824000) NTDSAPI.dll (76750000 - 76763000) DNSAPI.dll 
(76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) SAMSRV.dll (743C0000 - 7442E000) cryptdll.dll (76740000 - 7674C000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) msprivs.dll (20000000 - 2000E000) kerberos.dll (71C70000 - 71CBB000) msv1_0.dll (77C40000 - 77C64000) iphlpapi.dll (76D20000 - 76D39000) netlogon.dll (74430000 - 74495000) w32time.dll (76770000 - 7679D000) MSVCP60.dll (76020000 - 76085000) schannel.dll (767A0000 - 767CD000) CRYPT32.dll (77A50000 - 77AE5000) wdigest.dll (7F000000 - 7F012000) rsaenh.dll (0FFD0000 - 0FFF8000) setupapi.dll (778F0000 - 779E4000) scecli.dll (74380000 - 743B0000) ipsecsvc.dll (74350000 - 74380000) AUTHZ.dll (77690000 - 776A1000) oakley.DLL (756C0000 - 7578E000) WINIPSEC.DLL (742E0000 - 742EB000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) pstorsvc.dll (74310000 - 7431B000) dssenh.dll (68100000 - 68124000) psbase.dll (74330000 - 7434B000) PID 1352 - C:\WINDOWS\system32\nvsvc32.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) USERENV.dll (76620000 - 766D5000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) POWRPROF.dll (74A50000 - 74A58000) SETUPAPI.dll (778F0000 - 779E4000) wtsapi32.dll (76F10000 - 76F18000) WINSTA.dll (76300000 
- 76310000) NETAPI32.dll (597D0000 - 59824000) VERSION.dll (77BD0000 - 77BD8000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) comctl32.dll (773A0000 - 774A2000) nvapi.dll (00940000 - 00A4A000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) iphlpapi.dll (76D20000 - 76D39000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) uxtheme.dll (5AD70000 - 5ADA8000) Apphelp.dll (77B10000 - 77B32000) PID 1376 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) rpcss.dll (76A30000 - 76A94000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) Apphelp.dll (77B10000 - 77B32000) termsrv.dll (761D0000 - 76224000) 
ICAAPI.dll (74EF0000 - 74EF6000) SETUPAPI.dll (778F0000 - 779E4000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) AUTHZ.dll (77690000 - 776A1000) mstlsapi.dll (75090000 - 750AF000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) NETAPI32.dll (597D0000 - 59824000) ATL.DLL (76AD0000 - 76AE1000) REGAPI.dll (76B70000 - 76B7F000) rsaenh.dll (0FFD0000 - 0FFF8000) PID 1472 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) rpcss.dll (76A30000 - 76A94000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) xpsp2res.dll (20000000 - 202D9000) rsaenh.dll (0FFD0000 - 0FFF8000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) DNSAPI.dll (76EE0000 - 76F07000) iphlpapi.dll (76D20000 - 76D39000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) rasadhlp.dll (76F80000 - 76F86000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) PID 1512 - C:\WINDOWS\System32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) 
kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) shsvcs.dll (776B0000 - 776D4000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) dhcpcsvc.dll (76D40000 - 76D5E000) DNSAPI.dll (76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) iphlpapi.dll (76D20000 - 76D39000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) schedsvc.dll (76B20000 - 76B53000) NTDSAPI.dll (76750000 - 76763000) IMAGEHLP.dll (76C50000 - 76C78000) WTSAPI32.dll (76F10000 - 76F18000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) MSIDLE.DLL (74ED0000 - 74ED5000) SETUPAPI.dll (778F0000 - 779E4000) audiosrv.dll (70DC0000 - 70DCD000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) wkssvc.dll (76E00000 - 76E23000) cryptsvc.dll (76CD0000 - 76CE2000) certcli.dll (752D0000 - 75303000) ATL.DLL (76AD0000 - 76AE1000) CRYPTUI.dll (76880000 - 76905000) WININET.dll (77180000 - 77229000) ESENT.dll (5E200000 - 5E310000) ersvc.dll (74F00000 - 74F09000) pchsvc.dll (74EC0000 - 74ECC000) hidserv.dll (68D80000 - 68D89000) HID.DLL (68D90000 - 68D99000) es.dll (776E0000 - 77724000) rsaenh.dll (0FFD0000 - 0FFF8000) dmserver.dll 
(74F10000 - 74F19000) srvsvc.dll (75010000 - 7502A000) netman.dll (77CD0000 - 77D03000) netshell.dll (763A0000 - 7654B000) rtutils.dll (76E40000 - 76E4E000) credui.dll (76BC0000 - 76BEF000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) RASAPI32.dll (76EA0000 - 76EDC000) rasman.dll (76E50000 - 76E62000) TAPI32.dll (76E70000 - 76E9F000) WZCSvc.DLL (775F0000 - 7765E000) WMI.dll (76CF0000 - 76CF4000) WZCSAPI.DLL (72FA0000 - 72FB0000) HNETCFG.DLL (66710000 - 66769000) seclogon.dll (73C90000 - 73C98000) srsvc.dll (75120000 - 7514E000) POWRPROF.dll (74A50000 - 74A58000) sens.dll (72260000 - 7226D000) trkwks.dll (74FF0000 - 75009000) w32time.dll (76770000 - 7679D000) MSVCP60.dll (76020000 - 76085000) wmisvc.dll (4F110000 - 4F138000) VSSAPI.DLL (75360000 - 753CD000) wuauserv.dll (50000000 - 50005000) wuaueng.dll (50040000 - 50219000) WINSPOOL.DRV (72F70000 - 72F96000) WINHTTP.dll (4D5C0000 - 4D619000) Cabinet.dll (750D0000 - 750E4000) mspatcha.dll (604A0000 - 604AB000) SXS.DLL (76970000 - 76A21000) mswsock.dll (719B0000 - 719F0000) wshtcpip.dll (719F0000 - 719F8000) browser.dll (772F0000 - 77305000) sfc.dll (76B60000 - 76B65000) sfc_os.dll (76C20000 - 76C4A000) ipnathlp.dll (668D0000 - 66926000) AUTHZ.dll (77690000 - 776A1000) wscsvc.dll (4C170000 - 4C187000) msi.dll (745E0000 - 748A6000) wbemcomn.dll (75210000 - 75247000) wbemcore.dll (76260000 - 762E5000) esscli.dll (75290000 - 752CF000) FastProx.dll (75620000 - 75696000) comsvcs.dll (76090000 - 761CA000) MTXCLU.DLL (75070000 - 75083000) WSOCK32.dll (71A30000 - 71A3A000) colbact.DLL (750B0000 - 750C4000) CLUSAPI.DLL (76D60000 - 76D71000) RESUTILS.DLL (75030000 - 75042000) Apphelp.dll (77B10000 - 77B32000) wbemsvc.dll (74E50000 - 74E5E000) wmiutils.dll (74FA0000 - 74FBC000) repdrvfs.dll (75180000 - 751AE000) wmiprvsd.dll (42BC0000 - 42C32000) NCObjAPI.DLL (5FB60000 - 5FB6C000) wbemess.dll (75310000 - 75356000) ncprov.dll (5FB30000 - 5FB3E000) upnp.dll (76DA0000 - 
76DC3000) SSDPAPI.dll (74E80000 - 74E8C000) wups2.dll (50F00000 - 50F0D000) netcfgx.dll (75580000 - 7561D000) rasadhlp.dll (76F80000 - 76F86000) RASDLG.dll (754D0000 - 7557B000) urlmon.dll (7DF20000 - 7DFC3000) rasmans.dll (723F0000 - 72420000) WINIPSEC.DLL (742E0000 - 742EB000) tapisrv.dll (73350000 - 7338F000) PSAPI.DLL (76BB0000 - 76BBB000) rastapi.dll (75490000 - 754A1000) unimdm.tsp (58030000 - 58066000) uniplat.dll (71F90000 - 71F97000) kmddsp.tsp (580B0000 - 580BB000) ndptsp.tsp (58090000 - 580A0000) ipconf.tsp (580C0000 - 580C8000) h323.tsp (580E0000 - 58126000) hidphone.tsp (580D0000 - 580DA000) rasppp.dll (721D0000 - 72205000) ntlsapi.dll (72420000 - 72426000) kerberos.dll (71C70000 - 71CBB000) raschap.dll (76CA0000 - 76CB4000) rastls.dll (76B80000 - 76B9F000) SCHANNEL.dll (767A0000 - 767CD000) WinSCard.dll (72360000 - 7237C000) PID 1592 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) dnsrslvr.dll (76720000 - 7672D000) DNSAPI.dll (76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) iphlpapi.dll (76D20000 - 76D39000) rsaenh.dll (0FFD0000 - 0FFF8000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 1648 - 
C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) lmhsvc.dll (74BC0000 - 74BC6000) iphlpapi.dll (76D20000 - 76D39000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) regsvc.dll (76AA0000 - 76AB2000) ssdpsrv.dll (76910000 - 76924000) hnetcfg.dll (66710000 - 66769000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) mswsock.dll (719B0000 - 719F0000) wshtcpip.dll (719F0000 - 719F8000) rsaenh.dll (0FFD0000 - 0FFF8000) httpapi.dll (67A10000 - 67A1A000) WINHTTP.dll (4D5C0000 - 4D619000) PID 1724 - C:\WINDOWS\system32\spoolsv.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll 
(77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) SPOOLSS.DLL (74250000 - 74265000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) DNSAPI.dll (76EE0000 - 76F07000) iphlpapi.dll (76D20000 - 76D39000) rasadhlp.dll (76F80000 - 76F86000) localspl.dll (75E60000 - 75EB8000) sfc_os.dll (76C20000 - 76C4A000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) winspool.drv (72F70000 - 72F96000) netapi32.dll (597D0000 - 59824000) avmprmon.dll (00970000 - 00977000) cnbjmon.dll (74200000 - 7420F000) ZLhp1020.DLL (10000000 - 1001B000) ZLM.dll (00980000 - 00987000) pjlmon.dll (741E0000 - 741E7000) tcpmon.dll (72390000 - 7239F000) usbmon.dll (72380000 - 72387000) IMFPrint.DLL (715E0000 - 715ED000) Imf32.dll (71600000 - 71607000) ZTAG32.dll (715D0000 - 715D6000) ZSPOOL.dll (71130000 - 71145000) filterpipelineprintproc.dll(3F420000 - 3F43B000) mswsock.dll (719B0000 - 719F0000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) win32spl.dll (76550000 - 76573000) NETRAP.dll (71C00000 - 71C07000) NTDSAPI.dll (76750000 - 76763000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) inetpp.dll (74270000 - 74285000) xpsp2res.dll (20000000 - 202D9000) PID 1792 - C:\Programme\Avira\AntiVir Desktop\sched.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) IPHLPAPI.DLL (76D20000 - 76D39000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WS2_32.dll (71A10000 - 71A27000) 
WS2HELP.dll (71A00000 - 71A08000) MSVCR90.dll (78520000 - 785C3000) MSVCP90.dll (78480000 - 7850E000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) schedr.dll (10000000 - 10004000) WTSAPI32.DLL (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) rasapi32.dll (76EA0000 - 76EDC000) rasman.dll (76E50000 - 76E62000) TAPI32.dll (76E70000 - 76E9F000) rtutils.dll (76E40000 - 76E4E000) WINMM.dll (76AF0000 - 76B1E000) avevtlog.dll (00B90000 - 00BBE000) sqlite3.dll (00CF0000 - 00D43000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) xpsp2res.dll (20000000 - 202D9000) rsaenh.dll (0FFD0000 - 0FFF8000) uxtheme.dll (5AD70000 - 5ADA8000) userenv.dll (76620000 - 766D5000) cryptnet.dll (76580000 - 76593000) WLDAP32.dll (76F20000 - 76F4D000) WINHTTP.dll (4D5C0000 - 4D619000) SensApi.dll (72240000 - 72245000) PID 1856 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) webclnt.dll (5AA50000 - 5AA65000) WININET.dll 
(77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) wsock32.dll (71A30000 - 71A3A000) PID 1928 - C:\Programme\Avira\AntiVir Desktop\avguard.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) MSVCR90.dll (78520000 - 785C3000) MSVCP90.dll (78480000 - 7850E000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) msvcrt.dll (77BE0000 - 77C38000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) WTSAPI32.DLL (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) AVEvtLog.dll (10000000 - 1002E000) guardmsg.dll (00BF0000 - 00BF9000) sqlite3.dll (00C10000 - 00C63000) AVPREF.DLL (00D80000 - 00D8D000) SMTPLIB.DLL (00DA0000 - 00DAB000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) wintrust.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) AVGIO.DLL (01000000 - 01016000) FLTLIB.DLL (5E160000 - 5E168000) aecore.dll (01030000 - 01060000) aevdf.dll (01070000 - 0108B000) aescript.dll (013D0000 - 0150A000) aescn.dll (01510000 - 01530000) aesbx.dll (01530000 - 0156F000) aerdl.dll (01580000 - 01606000) aepack.dll (01620000 - 0168D000) unacev2.dll (016A0000 - 016EB000) aeoffice.dll (01700000 - 01733000) aeheur.dll (01750000 - 019B4000) aehelp.dll (019D0000 - 01A0D000) aegen.dll (01A20000 - 01A7D000) aeemu.dll (01A90000 - 01AF1000) aebb.dll (01B10000 - 01B1E000) avipc.dll (01CA0000 - 01CB2000) PID 1940 - C:\Programme\Bonjour\mDNSResponder.exe ------------------------------------------------------------------------------- 
ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) IPHLPAPI.DLL (76D20000 - 76D39000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) rsaenh.dll (0FFD0000 - 0FFF8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) NETAPI32.dll (597D0000 - 59824000) WLDAP32.dll (76F20000 - 76F4D000) ATL.DLL (76AD0000 - 76AE1000) rtutils.dll (76E40000 - 76E4E000) SAMLIB.dll (71B70000 - 71B83000) SETUPAPI.dll (778F0000 - 779E4000) PID 1992 - C:\Programme\Hotspot Shield\bin\openvpnas.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) libcurl.dll (6B240000 - 6B2AF000) msvcrt.dll (77BE0000 - 77C38000) wldap32.dll (76F20000 - 76F4D000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) WS2_32.DLL (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) libidn-11.dll (69540000 - 69586000) libeay32.dll (61D80000 - 61EA8000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) WSOCK32.DLL (71A30000 - 71A3A000) libssl32.dll (6B080000 - 6B0BD000) WINMM.DLL (76AF0000 - 76B1E000) IPHLPAPI.DLL (76D20000 - 76D39000) SHELL32.DLL (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) 
USERENV.dll (76620000 - 766D5000) PID 468 - C:\Programme\Hotspot Shield\HssWPR\hsssrv.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WSOCK32.dll (71A30000 - 71A3A000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) OLEAUT32.dll (770F0000 - 7717C000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ole32.dll (774B0000 - 775EC000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) SHLWAPI.dll (77F40000 - 77FB6000) SHELL32.dll (7E670000 - 7EE90000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) Iphlpapi.dll (76D20000 - 76D39000) USERENV.dll (76620000 - 766D5000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) uxtheme.dll (5AD70000 - 5ADA8000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) VERSION.dll (77BD0000 - 77BD8000) msxml3.dll (74900000 - 74A23000) urlmon.dll (7DF20000 - 7DFC3000) mlang.dll (75DC0000 - 75E51000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) NETAPI32.dll (597D0000 - 59824000) WLDAP32.dll (76F20000 - 76F4D000) ATL.DLL (76AD0000 - 76AE1000) rtutils.dll (76E40000 - 76E4E000) SAMLIB.dll (71B70000 - 71B83000) SETUPAPI.dll (778F0000 - 779E4000) PID 524 - C:\Programme\Hotspot Shield\bin\hsswd.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) SHELL32.dll (7E670000 - 7EE90000) GDI32.dll 
(77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) OLEAUT32.dll (770F0000 - 7717C000) ole32.dll (774B0000 - 775EC000) PSAPI.DLL (76BB0000 - 76BBB000) curllib.dll (10000000 - 10032000) SSLEAY32.dll (00340000 - 00373000) LIBEAY32.dll (61D80000 - 61EA8000) WSOCK32.DLL (71A30000 - 71A3A000) MSVCR90.dll (78520000 - 785C3000) OpenLDAP.dll (00390000 - 003AB000) libsasl.dll (003B0000 - 003C3000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) Iphlpapi.dll (76D20000 - 76D39000) USERENV.dll (76620000 - 766D5000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 540 - C:\Programme\FRITZ!DSL\IGDCTRL.EXE ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) avmcsock.dll (10000000 - 10043000) WSOCK32.dll (71A30000 - 71A3A000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) MSVCR71.dll (7C340000 - 7C396000) avmigd.dll (00330000 - 00337000) upnpapicli.dll (00340000 - 0036B000) avmufc.dll (00370000 - 0037A000) MFC71.DLL (7C140000 - 7C243000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (773A0000 - 774A2000) igdapi.dll (00380000 - 00391000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MFC71DEU.DLL (5D360000 - 5D370000) uxtheme.dll (5AD70000 - 5ADA8000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) VERSION.dll (77BD0000 - 77BD8000) AVMCONN.DLL (01FA0000 - 01FBA000) SXS.DLL (76970000 - 76A21000) avmssl.dll (02100000 - 02107000) SSLEAY32.dll (02110000 - 02140000) LIBEAY32.dll (02140000 - 0223B000) mswsock.dll (719B0000 - 719F0000) DNSAPI.dll (76EE0000 - 76F07000) iphlpapi.dll (76D20000 - 76D39000) winrnr.dll (76F70000 - 
76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) rasadhlp.dll (76F80000 - 76F86000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 552 - C:\WINDOWS\Explorer.EXE ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) BROWSEUI.dll (75F20000 - 7601D000) SHDOCVW.dll (7E1E0000 - 7E352000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) CRYPTUI.dll (76880000 - 76905000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) NETAPI32.dll (597D0000 - 59824000) WININET.dll (77180000 - 77229000) WLDAP32.dll (76F20000 - 76F4D000) VERSION.dll (77BD0000 - 77BD8000) UxTheme.dll (5AD70000 - 5ADA8000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) MSACM32.dll (77BB0000 - 77BC5000) USERENV.dll (76620000 - 766D5000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) appHelp.dll (77B10000 - 77B32000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) cscui.dll (779F0000 - 77A46000) CSCDLL.dll (765A0000 - 765BD000) themeui.dll (5B9B0000 - 5BA22000) MSIMG32.dll (76320000 - 76325000) xpsp2res.dll (20000000 - 202D9000) msutb.dll (60010000 - 60043000) MSCTF.dll (746A0000 - 746EB000) SAMLIB.dll (71B70000 - 71B83000) ntshrui.dll (76940000 - 76966000) ATL.DLL (76AD0000 - 76AE1000) LINKINFO.dll (76930000 - 76938000) SETUPAPI.dll (778F0000 - 779E4000) urlmon.dll (7DF20000 - 7DFC3000) NETSHELL.dll (763A0000 - 7654B000) rtutils.dll (76E40000 - 76E4E000) credui.dll (76BC0000 - 76BEF000) WS2_32.dll 
(71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) iphlpapi.dll (76D20000 - 76D39000) msi.dll (014D0000 - 01796000) rsaenh.dll (0FFD0000 - 0FFF8000) WINSTA.dll (76300000 - 76310000) webcheck.dll (74AB0000 - 74AF8000) WSOCK32.dll (71A30000 - 71A3A000) stobject.dll (765C0000 - 765E1000) BatMeter.dll (74A70000 - 74A7A000) POWRPROF.dll (74A50000 - 74A58000) WTSAPI32.dll (76F10000 - 76F18000) WPDShServiceObj.dll (164A0000 - 164C3000) WINHTTP.dll (4D5C0000 - 4D619000) mydocs.dll (723A0000 - 723BA000) PortableDeviceTypes.dll(109C0000 - 109EC000) PortableDeviceApi.dll(10930000 - 10979000) wdmaud.drv (72C90000 - 72C99000) msacm32.drv (72C80000 - 72C88000) midimap.dll (77BA0000 - 77BA7000) WZCSAPI.DLL (72FA0000 - 72FB0000) wzcdlg.dll (4F4A0000 - 4F4FF000) MPR.dll (71A80000 - 71A92000) AdobeDriveCS4_NP.dll(10000000 - 10013000) drprov.dll (75F00000 - 75F07000) ntlanman.dll (71B90000 - 71B9E000) NETUI0.dll (71C50000 - 71C67000) NETUI1.dll (71C10000 - 71C50000) NETRAP.dll (71C00000 - 71C07000) davclnt.dll (75F10000 - 75F19000) rarext.dll (00D30000 - 00D5E000) shlext.dll (013D0000 - 0141C000) WINSPOOL.DRV (72F70000 - 72F96000) PWRISOSH.DLL (00FA0000 - 00FDC000) comdlg32.dll (76350000 - 7639A000) mbamext.dll (00DB0000 - 00DC8000) ShellExt.dll (012D0000 - 012E8000) MSVCP90.dll (78480000 - 7850E000) MSVCR90.dll (78520000 - 785C3000) ATL90.DLL (78E20000 - 78E4B000) PSAPI.DLL (76BB0000 - 76BBB000) browselc.dll (01470000 - 01483000) SDHelper.dll (026A0000 - 02876000) faultrep.dll (69900000 - 69916000) olepro32.dll (5F1A0000 - 5F1B7000) jsproxy.dll (65F40000 - 65F47000) DUSER.dll (6C670000 - 6C6BD000) MSGINA.dll (75910000 - 75A09000) ODBC32.dll (745D0000 - 7460D000) odbcint.dll (01BD0000 - 01BE9000) sti.dll (73B10000 - 73B24000) CFGMGR32.dll (74A60000 - 74A67000) MLANG.dll (75DC0000 - 75E51000) shdoclc.dll (031D0000 - 0325E000) gdiplus.dll (4EBA0000 - 4ED4B000) shlxthdl.dll (5EE60000 - 5EEBF000) stlport_vc7145.dll (5E470000 - 5E507000) PDFShell.dll (032C0000 - 0331B000) MSVCR80.dll 
(78130000 - 781CB000) PDFShell.DEU (03340000 - 0338C000) PID 572 - C:\Programme\Java\jre6\bin\jqs.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ole32.dll (774B0000 - 775EC000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) MSVCR71.dll (7C340000 - 7C396000) psapi.dll (76BB0000 - 76BBB000) pdh.dll (74C30000 - 74C87000) comdlg32.dll (76350000 - 7639A000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) ODBC32.dll (745D0000 - 7460D000) odbcbcp.dll (66B40000 - 66B46000) VERSION.dll (77BD0000 - 77BD8000) OLEAUT32.dll (770F0000 - 7717C000) comctl32.dll (773A0000 - 774A2000) odbcint.dll (20000000 - 20019000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) netfxperf.dll (79FD0000 - 79FD8000) mscoree.dll (79000000 - 79046000) perfcounter.dll (640D0000 - 640E6000) MSVCR80.dll (78130000 - 781CB000) mscorwks.dll (00DF0000 - 01380000) CorperfmonExt.dll (60310000 - 60327000) aspnet_perf.dll (60080000 - 60089000) aspnet_isapi.dll (79E60000 - 79EA2000) USERENV.dll (76620000 - 766D5000) query.dll (7D9B0000 - 7DB17000) msdtcuiu.DLL (61070000 - 6109B000) ATL.DLL (76AD0000 - 76AE1000) MFC42u.DLL (727A0000 - 7289E000) MPR.dll (71A80000 - 71A92000) MSDTCPRX.dll (6DA00000 - 6DA6D000) MSVCP60.dll (76020000 - 76085000) MTXCLU.DLL (75070000 - 75083000) COMRes.dll (77010000 - 770E3000) WSOCK32.dll (71A30000 - 71A3A000) NETAPI32.dll (597D0000 - 59824000) MFC42LOC.DLL (61DC0000 - 61DCE000) CLUSAPI.DLL (76D60000 - 76D71000) RESUTILS.DLL (75030000 - 75042000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll 
(76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) perfdisk.dll (5EB60000 - 5EB69000) perfnet.dll (5EB50000 - 5EB58000) perfos.dll (5EB30000 - 5EB3A000) perfproc.dll (5EB20000 - 5EB2D000) pschdprf.dll (5E5B0000 - 5E5B6000) TRAFFIC.dll (73500000 - 7350B000) iphlpapi.dll (76D20000 - 76D39000) WMI.dll (76CF0000 - 76CF4000) rsvpperf.dll (5D7C0000 - 5D7C6000) winspool.drv (72F70000 - 72F96000) tapiperf.dll (5BB60000 - 5BB65000) Perfctrs.dll (5EB70000 - 5EB7D000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) rtutils.dll (76E40000 - 76E4E000) SETUPAPI.dll (778F0000 - 779E4000) perfts.dll (5EB10000 - 5EB16000) WINSTA.dll (76300000 - 76310000) UTILDLL.dll (5B130000 - 5B13A000) TAPI32.dll (76E70000 - 76E9F000) WINMM.dll (76AF0000 - 76B1E000) wmiaprpl.dll (59D20000 - 59D39000) loadperf.dll (72ED0000 - 72EEC000) wbemcomn.dll (75210000 - 75247000) uxtheme.dll (5AD70000 - 5ADA8000) PID 684 - C:\Programme\Sitecom\Common\RegistryWriter.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) SETUPAPI.dll (778F0000 - 779E4000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) PID 832 - C:\Programme\iZ3D Driver\Win32\S3DCService.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WINMM.dll (76AF0000 - 76B1E000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) SHLWAPI.dll (77F40000 - 77FB6000) msvcrt.dll (77BE0000 - 77C38000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) comctl32.dll 
(773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) VERSION.dll (77BD0000 - 77BD8000) PID 916 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) wiaservc.dll (75B50000 - 75BA5000) CFGMGR32.dll (74A60000 - 74A67000) setupapi.DLL (778F0000 - 779E4000) mscms.dll (73AA0000 - 73AB5000) WINSPOOL.DRV (72F70000 - 72F96000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) actxprxy.dll (71CC0000 - 71CDC000) sti.dll (73B10000 - 73B24000) PID 1624 - C:\Programme\Avira\AntiVir Desktop\avgnt.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) mfc90u.dll (789E0000 - 78D81000) MSVCR90.dll (78520000 - 785C3000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) SHLWAPI.dll (77F40000 - 77FB6000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 
77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) COMCTL32.dll (773A0000 - 774A2000) MSIMG32.dll (76320000 - 76325000) SHELL32.dll (7E670000 - 7EE90000) cclib.dll (10000000 - 10038000) VERSION.dll (77BD0000 - 77BD8000) MSVCP90.dll (78480000 - 7850E000) UxTheme.dll (5AD70000 - 5ADA8000) MFC90DEU.DLL (5D360000 - 5D36F000) ccgen.dll (00AF0000 - 00B60000) ole32.dll (774B0000 - 775EC000) ccgenrc.dll (00B60000 - 00B69000) ccguard.dll (00B80000 - 00BBA000) ccgrdrc.dll (00BE0000 - 00BE8000) avipc.dll (00C00000 - 00C12000) ccupdate.dll (00C30000 - 00C5C000) ccupdrc.dll (00C80000 - 00C86000) cclic.dll (00CA0000 - 00CB1000) cclicrc.dll (00CE0000 - 00CE3000) ccmsg.dll (00D20000 - 00D4D000) wtsapi32.dll (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) PID 1284 - C:\Programme\Java\jre6\bin\jusched.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) msvcrt.dll (77BE0000 - 77C38000) MSASN1.dll (77AF0000 - 77B02000) OLEAUT32.dll (770F0000 - 7717C000) ole32.dll (774B0000 - 775EC000) SHLWAPI.dll (77F40000 - 77FB6000) SHELL32.dll (7E670000 - 7EE90000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) uxtheme.dll (5AD70000 - 5ADA8000) PID 1952 - C:\Programme\Windows Live\Messenger\msnmsgr.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) The code of CreateEventA at 7C8308C9 (0) got patched. 
Here is the diff:
Address New-Original
7C8308C9: E9 - 8B
7C8308CA: 82 - FF
7C8308CB: 0F - 55
7C8308CC: 7D - 8B
7C8308CD: AB - EC
--> JMP DWORD PTR DS:[28001850]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FindResourceA at 7C80BE99 (0) got patched.
Here is the diff:
Address New-Original
7C80BE99: E9 - 6A
7C80BE9A: 62 - 20
7C80BE9B: 5E - 68
--> JMP DWORD PTR DS:[28001D00]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FindResourceExA at 7C835FC0 (0) got patched.
Here is the diff:
Address New-Original
7C835FC0: E9 - 6A
7C835FC1: CB - 20
7C835FC2: BD - 68
--> JMP DWORD PTR DS:[28001D90]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FindResourceExW at 7C80AC98 (0) got patched.
Here is the diff:
Address New-Original
7C80AC98: E9 - 6A
7C80AC99: D3 - 20
7C80AC9A: 6F - 68
--> JMP DWORD PTR DS:[28001C70]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FindResourceW at 7C80BBDE (0) got patched.
Here is the diff:
Address New-Original
7C80BBDE: E9 - 6A
7C80BBDF: 0D - 20
7C80BBE0: 60 - 68
--> JMP DWORD PTR DS:[28001BF0]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LoadResource at 7C809FC5 (0) got patched.
Here is the diff:
Address New-Original
7C809FC5: E9 - 6A
7C809FC6: 66 - 14
7C809FC7: 7E - 68
--> JMP DWORD PTR DS:[28001E30]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LockResource at 7C80CCA7 (0) got patched.
Here is the diff:
Address New-Original
7C80CCA7: E9 - 8B
7C80CCA8: B4 - FF
7C80CCA9: 52 - 55
7C80CCAA: 7F - 8B
7C80CCAB: AB - EC
--> JMP DWORD PTR DS:[28001F60]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of SetHandleCount at 7C80CCA7 (0) got patched.
Here is the diff:
Address New-Original
7C80CCA7: E9 - 8B
7C80CCA8: B4 - FF
7C80CCA9: 52 - 55
7C80CCAA: 7F - 8B
7C80CCAB: AB - EC
--> JMP DWORD PTR DS:[28001F60]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of SizeofResource at 7C80BC79 (0) got patched.
Here is the diff:
Address New-Original
7C80BC79: E9 - 6A
7C80BC7A: 72 - 14
7C80BC7B: 62 - 68
--> JMP DWORD PTR DS:[28001EF0]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ADVAPI32.dll (77DA0000 - 77E4A000)
The code of CryptDecrypt at 77DBA2D1 (0) got patched.
Here is the diff:
Address New-Original
77DBA2D1: E9 - 6A
77DBA2D2: 8A - 24
77DBA2D3: 6D - 68
--> JMP DWORD PTR DS:[28001060]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CryptDeriveKey at 77DBA1A5 (0) got patched.
Here is the diff:
Address New-Original
77DBA1A5: E9 - 6A
77DBA1A6: 56 - 30
77DBA1A7: 6E - 68
--> JMP DWORD PTR DS:[28001000]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360:
Base address: 28000000
Size: 00379000
Flags: 80084004
Load count: 1
Name: Messenger Plus! Live
Prod. Version: 4, 83, 0, 372
Company: Yuna Software
File Version: 4, 83, 0, 372
Description: Messenger Plus! Live Add-On
Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll
Signed: YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
GDI32.dll (77EF0000 - 77F38000)
USER32.dll (77D10000 - 77DA0000)
The code of CreateDialogParamW at 77D3629F (0) got patched.
Here is the diff:
Address New-Original
77D3629F: E9 - 8B
77D362A0: 6C - FF
77D362A1: FE - 55
77D362A2: 2C - 8B
77D362A3: B0 - EC
--> JMP DWORD PTR DS:[28006110]
Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\Messenger Plus!
Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of CreateWindowExW at 77D21AD5 (0) got patched. Here is the diff: Address New-Original 77D21AD5: E9 - 8B 77D21AD6: 06 - FF 77D21AD7: 22 - 55 77D21AD8: 2E - 8B 77D21AD9: B0 - EC --> JMP DWORD PTR DS:[28003CE0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of GetWindowLongW at 77D1887E (0) got patched. Here is the diff: Address New-Original 77D1887E: E9 - 6A 77D1887F: 6D - 08 77D18880: E2 - 68 --> JMP DWORD PTR DS:[28006AF0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! 
Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of LoadIconW at 77D22174 (0) got patched. Here is the diff: Address New-Original 77D22174: E9 - 8B 77D22175: D7 - FF 77D22176: 47 - 55 77D22177: 2E - 8B 77D22178: B0 - EC --> JMP DWORD PTR DS:[28006950] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of LoadImageW at 77D242A4 (0) got patched. Here is the diff: Address New-Original 77D242A4: E9 - 8B 77D242A5: B7 - FF 77D242A6: 24 - 55 77D242A7: 2E - 8B 77D242A8: B0 - EC --> JMP DWORD PTR DS:[28006760] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of MessageBoxIndirectW at 77D660B7 (0) got patched. 
Here is the diff: Address New-Original 77D660B7: E9 - 8B 77D660B8: 44 - FF 77D660B9: 02 - 55 77D660BA: 2A - 8B 77D660BB: B0 - EC --> JMP DWORD PTR DS:[28006300] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of PeekMessageW at 77D19278 (0) got patched. Here is the diff: Address New-Original 77D19278: E9 - 8B 77D19279: 33 - FF 77D1927A: B4 - 55 77D1927B: 2E - 8B 77D1927C: B0 - EC --> JMP DWORD PTR DS:[280046B0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of SetWindowPlacement at 77D3FBEA (0) got patched. Here is the diff: Address New-Original 77D3FBEA: E9 - B8 77D3FBEB: A1 - 21 77D3FBEC: 62 - 12 77D3FBED: 2C - 00 77D3FBEE: B0 - 00 --> JMP DWORD PTR DS:[28005E90] Patched by C:\Programme\Messenger Plus! 
Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of SetWindowRgn at 77D21DE0 (0) got patched. Here is the diff: Address New-Original 77D21DE0: E9 - 6A 77D21DE1: EB - 10 77D21DE2: 41 - 68 --> JMP DWORD PTR DS:[28005FD0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of TrackPopupMenuEx at 77D6CAFE (0) got patched. Here is the diff: Address New-Original 77D6CAFE: E9 - B8 77D6CAFF: 8D - 35 77D6CB00: 84 - 12 77D6CB01: 29 - 00 77D6CB02: B0 - 00 --> JMP DWORD PTR DS:[28004F90] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! 
Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: MSVCR80.dll (78130000 - 781CB000) msvcrt.dll (77BE0000 - 77C38000) WSOCK32.dll (71A30000 - 71A3A000) PresenceIM.dlOrdinal 019 --[HOOKED]-- @2800B440 by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: PresenceIM.dlOrdinal 016 --[HOOKED]-- @2800B080 by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: PresenceIM.dlOrdinal 003 --[HOOKED]-- @2800B860 by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. 
Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) NETAPI32.dll (597D0000 - 59824000) SHELL32.dll (7E670000 - 7EE90000) The code of Shell_NotifyIconW at 7E6D1BEA (0) got patched. Here is the diff: Address New-Original 7E6D1BEA: E9 - 8B 7E6D1BEB: 41 - FF 7E6D1BEC: 18 - 55 7E6D1BED: 93 - 8B 7E6D1BEE: A9 - EC --> JMP DWORD PTR DS:[28003430] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: SHLWAPI.dll (77F40000 - 77FB6000) ole32.dll (774B0000 - 775EC000) The code of CoCreateInstance at 774F6009 (0) got patched. Here is the diff: Address New-Original 774F6009: E9 - 8B 774F600A: 02 - FF 774F600B: C6 - 55 774F600C: B0 - 8B 774F600D: B0 - EC --> JMP DWORD PTR DS:[28002610] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. 
Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of CoInitializeEx at 774C42F3 (0) got patched. Here is the diff: Address New-Original 774C42F3: E9 - 8B 774C42F4: 78 - FF 774C42F5: DF - 55 774C42F6: B3 - 8B 774C42F7: B0 - EC --> JMP DWORD PTR DS:[28002270] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of CoRegisterClassObject at 77511BFC (0) got patched. Here is the diff: Address New-Original 77511BFC: E9 - 8B 77511BFD: 6F - FF 77511BFE: 07 - 55 77511BFF: AF - 8B 77511C00: B0 - EC --> JMP DWORD PTR DS:[28002370] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! 
Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: OLEAUT32.dll (770F0000 - 7717C000) gdiplus.dll (4EBA0000 - 4ED4B000) UXCore.dll (70300000 - 70554000) The code of ?IsCompositionEnabled@@YGJPA_N@Z at 703BC3F9 (0) got patched. Here is the diff: Address New-Original 703BC3F9: E9 - 8B 703BC3FA: A2 - FF 703BC3FB: D2 - 55 703BC3FC: C4 - 8B 703BC3FD: B7 - EC --> JMP DWORD PTR DS:[280096A0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of ?UpdateFrame@UXFramelessManager@@QAEJ_N@Z at 7033DFF6 (0) got patched. Here is the diff: Address New-Original 7033DFF6: E9 - 8B 7033DFF7: 95 - FF 7033DFF8: B7 - 55 7033DFF9: CC - 8B 7033DFFA: B7 - EC --> JMP DWORD PTR DS:[28009790] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! 
Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of ?_FireClickEvent@DirectUI@@YGXPAVButton@1@PBUtagClickInfo@1@@Z at 703549C4 (0) got patched. Here is the diff: Address New-Original 703549C4: E9 - 8B 703549C5: B7 - FF 703549C6: 49 - 55 703549C7: CB - 8B 703549C8: B7 - EC --> JMP DWORD PTR DS:[28009380] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: comdlg32.dll (76350000 - 7639A000) The code of ChooseFontW at 7636C4A9 (0) got patched. Here is the diff: Address New-Original 7636C4A9: E9 - 8B 7636C4AA: C2 - FF 7636C4AB: 4D - 55 7636C4AC: C9 - 8B 7636C4AD: B1 - EC --> JMP DWORD PTR DS:[28001270] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of GetOpenFileNameW at 76367C65 (0) got patched. 
Here is the diff: Address New-Original 76367C65: E9 - 8B 76367C66: 26 - FF 76367C67: 97 - 55 76367C68: C9 - 8B 76367C69: B1 - EC --> JMP DWORD PTR DS:[28001390] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: COMCTL32.dll (773A0000 - 774A2000) MSIMG32.dll (26000000 - 26011000) IMM32.dll (76330000 - 7634D000) SETUPAPI.dll (778F0000 - 779E4000) WLDCore.dll (70A00000 - 70A0E000) USP10.dll (75790000 - 757FB000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) VERSION.dll (77BD0000 - 77BD8000) WINMM.dll (76AF0000 - 76B1E000) WININET.dll (77180000 - 77229000) The code of HttpOpenRequestA at 77193674 (0) got patched. Here is the diff: Address New-Original 77193674: E9 - 8B 77193675: D7 - FF 77193676: 68 - 55 77193677: E7 - 8B 77193678: B0 - EC --> JMP DWORD PTR DS:[28009F50] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! 
Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of HttpSendRequestA at 771960C9 (0) got patched. Here is the diff: Address New-Original 771960C9: E9 - 8B 771960CA: F2 - FF 771960CB: 40 - 55 771960CC: E7 - 8B 771960CD: B0 - EC --> JMP DWORD PTR DS:[2800A1C0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of InternetCloseHandle at 77194D3C (0) got patched. Here is the diff: Address New-Original 77194D3C: E9 - 8B 77194D3D: 4F - FF 77194D3F: E7 - 8B 77194D40: B0 - EC --> JMP DWORD PTR DS:[2800A290] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of InternetReadFile at 7719827C (0) got patched. 
Here is the diff: Address New-Original 7719827C: E9 - 8B 7719827D: 5F - FF 7719827E: 1E - 55 7719827F: E7 - 8B 77198280: B0 - EC --> JMP DWORD PTR DS:[2800A0E0] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: iphlpapi.dll (76D20000 - 76D39000) UxTheme.dll (5AD70000 - 5ADA8000) MSACM32.dll (77BB0000 - 77BC5000) msidcrl40.dll (27500000 - 2761A000) OLEACC.dll (74C00000 - 74C2C000) MSVCP60.dll (76020000 - 76085000) SensApi.dll (72240000 - 72245000) PSAPI.DLL (76BB0000 - 76BBB000) wldlog.dll (5FC00000 - 5FC0B000) uxcontacts.dll (70C00000 - 70C86000) UXCalendar.dll (70F00000 - 70F1B000) LiveNatTrav.dll (5F500000 - 5F53A000) LiveTransport.dll (5F300000 - 5F38A000) CRYPTNET.dll (76580000 - 76593000) WLDAP32.dll (76F20000 - 76F4D000) WINHTTP.dll (4D5C0000 - 4D619000) USERENV.dll (76620000 - 766D5000) PresenceIM.dll (5F100000 - 5F16C000) MsImg32.dll (76320000 - 76325000) MsgPlusLive.dll (28000000 - 28379000) WTSAPI32.dll (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) Detoured.dll (0F000000 - 0F006000) rsaenh.dll (0FFD0000 - 0FFF8000) NTMARTA.DLL (77660000 - 77681000) SAMLIB.dll (71B70000 - 71B83000) msgslang.14.0.8089.0726.dll(59300000 - 5935C000) msgsres.dll (60400000 - 60EE1000) [-] Unable to load module C:\Programme\Windows Live\Messenger\msgsres.dll for checking Riched20.dll (74DB0000 - 74E1C000) The code of CreateTextServices at 74DFD3BE (0) got patched. 
Here is the diff: Address New-Original 74DFD3BE: E9 - 8B 74DFD3BF: 4D - FF 74DFD3C1: 20 - 8B 74DFD3C2: B3 - EC --> JMP DWORD PTR DS:[28002910] Patched by C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\Messenger Plus! Live\MsgPlusLive.dll!WindowDataTransform+0xD7FB0360: Base address: 28000000 Size: 00379000 Flags: 80084004 Load count: 1 Name: Messenger Plus! Live Prod. Version: 4, 83, 0, 372 Company: Yuna Software File Version: 4, 83, 0, 372 Description: Messenger Plus! Live Add-On Location: C:\Programme\Messenger Plus! Live\MsgPlusLive.dll Signed: YES ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) msxml3.dll (74900000 - 74A23000) MsgPlusLiveRes.dll (29000000 - 291CA000) xpsp2res.dll (20000000 - 202D9000) inetcomm.dll (75C90000 - 75D3B000) MSOERT2.dll (76830000 - 76852000) inetres.dll (01B10000 - 01B1F000) sqmapi.dll (6CD00000 - 6CD24000) es.dll (776E0000 - 77724000) urlmon.dll (7DF20000 - 7DFC3000) vvpltfrm.dll (5B200000 - 5B26D000) DSOUND.dll (73E70000 - 73ECC000) uccapi.dll (23780000 - 23C1F000) MSVCR90.dll (78520000 - 785C3000) MSVCP90.dll (78480000 - 7850E000) RTMPLTFM.dll (24780000 - 24D87000) wdmaud.drv (72C90000 - 72C99000) msacm32.drv (72C80000 - 72C88000) midimap.dll (77BA0000 - 77BA7000) devenum.dll (765F0000 - 76601000) msdmo.dll (73620000 - 73627000) quartz.dll (74790000 - 748FE000) DDRAW.dll (736D0000 - 73719000) DCIMAN32.dll (73B30000 - 73B36000) D3DIM700.DLL (738B0000 - 73980000) hid.dll (68D90000 - 68D99000) dnsapi.dll (76EE0000 - 76F07000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) schannel.dll (767A0000 - 767CD000) msgswcam.dll (5B600000 - 5B66E000) sirenacm.dll (02D40000 - 02D53000) SXS.DLL (76970000 - 76A21000) msi.dll (02E30000 - 030F6000) PID 
2088 - C:\Programme\Sitecom\Common\RaUI.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
kernel32.dll (7C800000 - 7C907000)
NETAPI32.dll (597D0000 - 59824000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
msvcrt.dll (77BE0000 - 77C38000)
WS2_32.dll (71A10000 - 71A27000)
WS2HELP.dll (71A00000 - 71A08000)
CRYPT32.dll (77A50000 - 77AE5000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
MSASN1.dll (77AF0000 - 77B02000)
acAuth.dll (10000000 - 10122000)
SETUPAPI.dll (778F0000 - 779E4000)
iphlpapi.dll (76D20000 - 76D39000)
ole32.dll (774B0000 - 775EC000)
SHLWAPI.dll (77F40000 - 77FB6000)
VERSION.dll (77BD0000 - 77BD8000)
comdlg32.dll (76350000 - 7639A000)
COMCTL32.dll (5D450000 - 5D4E7000)
SHELL32.dll (7E670000 - 7EE90000)
WINSPOOL.DRV (72F70000 - 72F96000)
oledlg.dll (74CB0000 - 74CD1000)
OLEAUT32.dll (770F0000 - 7717C000)
WINMM.dll (76AF0000 - 76B1E000)
comctl32.dll (773A0000 - 774A2000)
uxtheme.dll (5AD70000 - 5ADA8000)
WINTRUST.dll (76BF0000 - 76C1E000)
IMAGEHLP.dll (76C50000 - 76C78000)
xpsp2res.dll (20000000 - 202D9000)
CLBCATQ.DLL (76F90000 - 7700F000)
COMRes.dll (77010000 - 770E3000)
wbemprox.dll (74E70000 - 74E78000)
wbemcomn.dll (75210000 - 75247000)
wbemsvc.dll (74E50000 - 74E5E000)
fastprox.dll (75620000 - 75696000)
MSVCP60.dll (76020000 - 76085000)
NTDSAPI.dll (76750000 - 76763000)
DNSAPI.dll (76EE0000 - 76F07000)
WLDAP32.dll (76F20000 - 76F4D000)
rsaenh.dll (0FFD0000 - 0FFF8000)
DHCPCSVC.DLL (76D40000 - 76D5E000)

PID 3084 - C:\WINDOWS\system32\wbem\wmiprvse.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
kernel32.dll (7C800000 - 7C907000)
msvcrt.dll (77BE0000 - 77C38000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
wbemcomn.dll (75210000 - 75247000)
OLEAUT32.dll (770F0000 - 7717C000)
ole32.dll (774B0000 - 775EC000)
FastProx.dll (75620000 - 75696000)
MSVCP60.dll (76020000 - 76085000)
NTDSAPI.dll (76750000 - 76763000)
DNSAPI.dll (76EE0000 - 76F07000)
WS2_32.dll (71A10000 - 71A27000)
WS2HELP.dll (71A00000 - 71A08000)
WLDAP32.dll (76F20000 - 76F4D000)
NETAPI32.dll (597D0000 - 59824000)
NCObjAPI.DLL (5FB60000 - 5FB6C000)
ShimEng.dll (5CF00000 - 5CF26000)
AcGenral.DLL (6FD90000 - 6FF5A000)
WINMM.dll (76AF0000 - 76B1E000)
MSACM32.dll (77BB0000 - 77BC5000)
VERSION.dll (77BD0000 - 77BD8000)
SHELL32.dll (7E670000 - 7EE90000)
SHLWAPI.dll (77F40000 - 77FB6000)
USERENV.dll (76620000 - 766D5000)
UxTheme.dll (5AD70000 - 5ADA8000)
comctl32.dll (773A0000 - 774A2000)
comctl32.dll (5D450000 - 5D4E7000)
xpsp2res.dll (20000000 - 202D9000)
CLBCATQ.DLL (76F90000 - 7700F000)
COMRes.dll (77010000 - 770E3000)
wbemsvc.dll (74E50000 - 74E5E000)
wmiutils.dll (74FA0000 - 74FBC000)
wmiprov.dll (72E90000 - 72EB8000)
WMI.dll (76CF0000 - 76CF4000)
esscli.dll (75290000 - 752CF000)

PID 796 - C:\WINDOWS\System32\alg.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
kernel32.dll (7C800000 - 7C907000)
msvcrt.dll (77BE0000 - 77C38000)
ATL.DLL (76AD0000 - 76AE1000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
ole32.dll (774B0000 - 775EC000)
OLEAUT32.dll (770F0000 - 7717C000)
WSOCK32.dll (71A30000 - 71A3A000)
WS2_32.dll (71A10000 - 71A27000)
WS2HELP.dll (71A00000 - 71A08000)
MSWSOCK.DLL (719B0000 - 719F0000)
ShimEng.dll (5CF00000 - 5CF26000)
AcGenral.DLL (6FD90000 - 6FF5A000)
WINMM.dll (76AF0000 - 76B1E000)
MSACM32.dll (77BB0000 - 77BC5000)
VERSION.dll (77BD0000 - 77BD8000)
SHELL32.dll (7E670000 - 7EE90000)
SHLWAPI.dll (77F40000 - 77FB6000)
USERENV.dll (76620000 - 766D5000)
UxTheme.dll (5AD70000 - 5ADA8000)
comctl32.dll (773A0000 - 774A2000)
comctl32.dll (5D450000 - 5D4E7000)
CLBCATQ.DLL (76F90000 - 7700F000)
COMRes.dll (77010000 - 770E3000)
xpsp2res.dll (20000000 - 202D9000)
hnetcfg.dll (66710000 - 66769000)
wshtcpip.dll (719F0000 - 719F8000)

PID 2956 - C:\WINDOWS\System32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
kernel32.dll (7C800000 - 7C907000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
ShimEng.dll (5CF00000 - 5CF26000)
AcGenral.DLL (6FD90000 - 6FF5A000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
WINMM.dll (76AF0000 - 76B1E000)
ole32.dll (774B0000 - 775EC000)
msvcrt.dll (77BE0000 - 77C38000)
OLEAUT32.dll (770F0000 - 7717C000)
MSACM32.dll (77BB0000 - 77BC5000)
VERSION.dll (77BD0000 - 77BD8000)
SHELL32.dll (7E670000 - 7EE90000)
SHLWAPI.dll (77F40000 - 77FB6000)
USERENV.dll (76620000 - 766D5000)
UxTheme.dll (5AD70000 - 5ADA8000)
comctl32.dll (773A0000 - 774A2000)
comctl32.dll (5D450000 - 5D4E7000)
NTMARTA.DLL (77660000 - 77681000)
WLDAP32.dll (76F20000 - 76F4D000)
SAMLIB.dll (71B70000 - 71B83000)
xpsp2res.dll (20000000 - 202D9000)
w3ssl.dll (5AE00000 - 5AE07000)
strmfilt.dll (66E40000 - 66E56000)
CRYPT32.dll (77A50000 - 77AE5000)
MSASN1.dll (77AF0000 - 77B02000)
HTTPAPI.dll (67A10000 - 67A1A000)
WS2_32.dll (71A10000 - 71A27000)
WS2HELP.dll (71A00000 - 71A08000)

PID 2524 - C:\WINDOWS\system32\wuauclt.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched.
Here is the diff:
Address New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E]
--> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched.
Here is the diff:
Address New-Original
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E]
--> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
kernel32.dll (7C800000 - 7C907000)
msvcrt.dll (77BE0000 - 77C38000)
ole32.dll (774B0000 - 775EC000)
GDI32.dll (77EF0000 - 77F38000)
USER32.dll (77D10000 - 77DA0000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
OLEAUT32.dll (770F0000 - 7717C000)
SHLWAPI.dll (77F40000 - 77FB6000)
ShimEng.dll (5CF00000 - 5CF26000)
AcGenral.DLL (6FD90000 - 6FF5A000)
WINMM.dll (76AF0000 - 76B1E000)
MSACM32.dll (77BB0000 - 77BC5000)
VERSION.dll (77BD0000 - 77BD8000)
SHELL32.dll (7E670000 - 7EE90000)
USERENV.dll (76620000 - 766D5000)
UxTheme.dll (5AD70000 - 5ADA8000)
comctl32.dll (773A0000 - 774A2000)
S3DInjector.dll (10000000 - 10023000)
wucltui.dll (507E0000 - 50832000)
MSIMG32.dll (76320000 - 76325000)
Cabinet.dll (750D0000 - 750E4000)
CRYPT32.dll (77A50000 - 77AE5000)
MSASN1.dll (77AF0000 - 77B02000)
WINTRUST.dll (76BF0000 - 76C1E000)
IMAGEHLP.dll (76C50000 - 76C78000)
CLBCATQ.DLL (76F90000 - 7700F000)
COMRes.dll (77010000 - 770E3000)
xpsp2res.dll (20000000 - 202D9000)
wups2.dll (50F00000 - 50F0D000)
wuaucpl.cpl (508E0000 - 50917000)
mucltui.dll (509E0000 - 50A25000)

PID 2412 - C:\Programme\Windows NT\Zubehör\wordpad.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched.
Here is the diff:
Address New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E]
--> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched.
Here is the diff:
Address New-Original
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E]
--> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
kernel32.dll (7C800000 - 7C907000)
MFC42u.DLL (727A0000 - 7289E000)
msvcrt.dll (77BE0000 - 77C38000)
GDI32.dll (77EF0000 - 77F38000)
USER32.dll (77D10000 - 77DA0000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
comdlg32.dll (76350000 - 7639A000)
SHLWAPI.dll (77F40000 - 77FB6000)
COMCTL32.dll (773A0000 - 774A2000)
SHELL32.dll (7E670000 - 7EE90000)
ole32.dll (774B0000 - 775EC000)
MFC42LOC.DLL (61DC0000 - 61DCE000)
S3DInjector.dll (10000000 - 10023000)
uxtheme.dll (5AD70000 - 5ADA8000)
MSFTEDIT.DLL (4B4D0000 - 4B556000)
WINSPOOL.DRV (72F70000 - 72F96000)
unidrvui.dll (7E5A0000 - 7E65A000)
VERSION.dll (77BD0000 - 77BD8000)
OLEAUT32.dll (770F0000 - 7717C000)
CLBCATQ.DLL (76F90000 - 7700F000)
COMRes.dll (77010000 - 770E3000)
mxdwdrv.dll (3F500000 - 3F5C0000)
FontSub.dll (697C0000 - 697D7000)
xpsp2res.dll (20000000 - 202D9000)
oledlg.dll (74CB0000 - 74CD1000)
appHelp.dll (77B10000 - 77B32000)
SETUPAPI.dll (778F0000 - 779E4000)
ntshrui.dll (76940000 - 76966000)
ATL.DLL (76AD0000 - 76AE1000)
NETAPI32.dll (597D0000 - 59824000)
USERENV.dll (76620000 - 766D5000)
LINKINFO.dll (76930000 - 76938000)
CRYPT32.dll (77A50000 - 77AE5000)
MSASN1.dll (77AF0000 - 77B02000)
WINTRUST.dll (76BF0000 - 76C1E000)
IMAGEHLP.dll (76C50000 - 76C78000)
MPR.dll (71A80000 - 71A92000)
AdobeDriveCS4_NP.dll (01230000 - 01243000)
drprov.dll (75F00000 - 75F07000)
ntlanman.dll (71B90000 - 71B9E000)
NETUI0.dll (71C50000 - 71C67000)
NETUI1.dll (71C10000 - 71C50000)
NETRAP.dll (71C00000 - 71C07000)
SAMLIB.dll (71B70000 - 71B83000)
davclnt.dll (75F10000 - 75F19000)
PortableDeviceApi.dll (10930000 - 10979000)
MSGINA.dll (75910000 - 75A09000)
WINSTA.dll (76300000 - 76310000)
ODBC32.dll (745D0000 - 7460D000)
odbcint.dll (01310000 - 01329000)
sti.dll (73B10000 - 73B24000)
CFGMGR32.dll (74A60000 - 74A67000)

PID 2080 - C:\WINDOWS\system32\wscntfy.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched.
Here is the diff:
Address New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E]
--> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched.
Here is the diff:
Address New-Original
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E]
--> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
kernel32.dll (7C800000 - 7C907000)
msvcrt.dll (77BE0000 - 77C38000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
SHELL32.dll (7E670000 - 7EE90000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
SHLWAPI.dll (77F40000 - 77FB6000)
comctl32.dll (773A0000 - 774A2000)
S3DInjector.dll (10000000 - 10023000)
xpsp2res.dll (20000000 - 202D9000)
uxtheme.dll (5AD70000 - 5ADA8000)

PID 2156 - E:\mp3player\radix_installer\radixgui.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
kernel32.dll (7C800000 - 7C907000)
USER32.dll (77D10000 - 77DA0000)
GDI32.dll (77EF0000 - 77F38000)
comdlg32.dll (76350000 - 7639A000)
SHLWAPI.dll (77F40000 - 77FB6000)
ADVAPI32.dll (77DA0000 - 77E4A000)
RPCRT4.dll (77E50000 - 77EE2000)
Secur32.dll (77FC0000 - 77FD1000)
msvcrt.dll (77BE0000 - 77C38000)
COMCTL32.dll (5D450000 - 5D4E7000)
SHELL32.dll (7E670000 - 7EE90000)
ole32.dll (774B0000 - 775EC000)
VERSION.dll (77BD0000 - 77BD8000)
dbghelp.dll (59DD0000 - 59E71000)
comctl32.dll (773A0000 - 774A2000)
S3DInjector.dll (10000000 - 10023000)
wintrust.dll (76BF0000 - 76C1E000)
CRYPT32.dll (77A50000 - 77AE5000)
MSASN1.dll (77AF0000 - 77B02000)
IMAGEHLP.dll (76C50000 - 76C78000)
NTMARTA.DLL (77660000 - 77681000)
WLDAP32.dll (76F20000 - 76F4D000)
SAMLIB.dll (71B70000 - 71B83000)
uxtheme.dll (5AD70000 - 5ADA8000)
xpsp2res.dll (20000000 - 202D9000)
rsaenh.dll (0FFD0000 - 0FFF8000)
userenv.dll (76620000 - 766D5000)
netapi32.dll (597D0000 - 59824000)
cryptnet.dll (76580000 - 76593000)
WINHTTP.dll (4D5C0000 - 4D619000)
SensApi.dll (72240000 - 72245000)

---- Check ended at 2.4.2010 15:1:5 ----
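Every "got patched" record in this log has the same shape: the first bytes of an ntdll.dll export (LdrLoadDll at 7C925CBB, LdrUnloadDll at 7C926C83) replaced by FF 25 disp32, an absolute indirect JMP through a pointer, with the new code owned by a module Radix reports as unsigned. The Python script below is an added example, not part of Radix or of this page, for triaging such records offline: it parses them, checks that the diff bytes really agree with the jump Radix disassembled (the tool lists only bytes that changed, so the one byte missing from each six-byte window must be unchanged and can be recovered from the pointer), rebuilds the instruction the hook displaced, and tags each hook with its owning module and signing status. The embedded sample log is constructed from two of the page's own records with the module-information blocks shortened; the regular expressions encode the line formats exactly as they appear on this page and are an assumption about Radix output in general.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two of the page's hook records (wuauclt.exe), cut down to the lines parsed here.
SAMPLE_LOG = r"""
PID 2524 - C:\WINDOWS\system32\wuauclt.exe
The code of LdrLoadDll at 7C925CBB (0) got patched.
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E]
--> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
Signed: > NO! <
The code of LdrUnloadDll at 7C926C83 (0) got patched.
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E]
--> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
Signed: > NO! <
"""

PID_RE = re.compile(r"^PID (\d+) - (.+)$")
PATCH_RE = re.compile(r"^The code of (\w+) at ([0-9A-F]{8}) \(\d+\) got patched\.$")
DIFF_RE = re.compile(r"^([0-9A-F]{8}): ([0-9A-F]{2}) - ([0-9A-F]{2})$")
PTR_RE = re.compile(r"^--> JMP DWORD PTR DS:\[([0-9A-F]{8})\]$")
TARGET_RE = re.compile(r"^--> JMP ([0-9A-F]{8})$")
OWNER_RE = re.compile(r"^Patched by (.+)$")
SIGNED_RE = re.compile(r"^Signed: > (.+) <$")

@dataclass
class Patch:
    pid: int
    process: str
    function: str
    address: int                               # first patched byte
    new: dict = field(default_factory=dict)    # addr -> byte now in memory (diff column "New")
    old: dict = field(default_factory=dict)    # addr -> byte in the on-disk image ("Original")
    pointer: Optional[int] = None              # JMP DWORD PTR [pointer]
    target: Optional[int] = None               # where the detour finally lands
    owner: Optional[str] = None                # module!symbol+offset that wrote the hook
    signed: Optional[bool] = None

def parse_radix_log(text: str) -> list:
    """Collect every 'got patched' record, tagged with the process it was seen in."""
    patches, pid, process, cur = [], 0, "", None
    for line in map(str.strip, text.splitlines()):
        if m := PID_RE.match(line):
            pid, process, cur = int(m.group(1)), m.group(2), None
        elif m := PATCH_RE.match(line):
            cur = Patch(pid, process, m.group(1), int(m.group(2), 16))
            patches.append(cur)
        elif cur is None:
            continue
        elif m := DIFF_RE.match(line):
            a = int(m.group(1), 16)
            cur.new[a], cur.old[a] = int(m.group(2), 16), int(m.group(3), 16)
        elif m := PTR_RE.match(line):
            cur.pointer = int(m.group(1), 16)
        elif m := TARGET_RE.match(line):
            cur.target = int(m.group(1), 16)
        elif m := OWNER_RE.match(line):
            cur.owner = m.group(1)
        elif m := SIGNED_RE.match(line):
            cur.signed = m.group(1) != "NO!"
    return patches

def jmp_bytes_consistent(p: Patch) -> bool:
    """Radix lists only changed bytes. FF 25 disp32 is six bytes, so a window byte absent from
    the diff already held the needed value; every listed byte must match the printed pointer."""
    if p.pointer is None or p.new.get(p.address) != 0xFF or p.new.get(p.address + 1) != 0x25:
        return False
    disp = p.pointer.to_bytes(4, "little")
    return all(p.new.get(p.address + 2 + i, b) == b for i, b in enumerate(disp))

def displaced_instruction(p: Patch):
    """Bytes the hook overwrote, the diff's gap filled from the pointer (old == new there).
    A leading PUSH imm32 (opcode 68, the original first byte in every diff on the page) is decoded."""
    if p.pointer is None:
        return None
    disp = p.pointer.to_bytes(4, "little")
    raw = [p.old.get(p.address + i, disp[i - 2] if 2 <= i < 6 else None) for i in range(6)]
    if None in raw:
        return None
    return ("push", int.from_bytes(bytes(raw[1:5]), "little")) if raw[0] == 0x68 else tuple(raw)

def triage(text: str) -> list:
    """One row per hook: diff self-consistency, destination, owning module, signature."""
    return [{"pid": p.pid, "process": p.process, "function": p.function,
             "address": p.address, "target": p.target,
             "jmp_consistent": jmp_bytes_consistent(p),
             "displaced": displaced_instruction(p) if jmp_bytes_consistent(p) else None,
             "owner_module": p.owner.split("!", 1)[0] if p.owner else None,
             "owner_signed": p.signed} for p in parse_radix_log(text)]
```

Run against the sample, both records come back consistent: the displaced bytes decode to PUSH 26Ch and PUSH 0C4h respectively, the detours land at 716C000A and 716F000A, and the owner is the same unsigned S3DInjector.dll in every process. That combination (hook on the loader's own entry points, owner unsigned, identical in every hooked process) is the triage signal; whether the owner is acceptable is a separate decision made from the file, vendor and install path that Radix's "Information about" block lists.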