Thanks to all the people who donated and ensured the continued development of this software! If you want to donate and keep this software alive, please have a look at the About-Tab. Thanks in advance! USEC Radix V1, 0, 0, 10 [2009/11/28] at your service. ---- Check started at 2.4.2010 15:29:18 ---- Running on: Microsoft Windows NT 5.1 Build 2600 Service Pack 2 Number of Processors: 2, Active Processor Mask: 00000003 Processor: Intel Level 15 Revision 0407 Allocation granularity: 00010000, Page granularity: 00001000 Application space: 00010000-7FFEFFFF [X] Filter common false alarms. 15:29:18 - Performing check: "Hidden files": This check can take some time depending on your harddisk size. You can interrupt it with the ESC key. 15:32:21 - Performing check: "Alternate Data Streams": This check can take some time depending on your harddisk size. You can interrupt it with the ESC key. [*] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:8FF81EB0:$DATA [*] C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Bilder\Beispielbilder\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\Beispielmusik\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko:zylomtest:$DATA [*] C:\Dokumente und Einstellungen\Marko:zylomtr{000HQ7FF-AD7A-3FG3-VK8A-25GG67KOIVUV}:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\100MSDCF\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\ausfluege\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\lol\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\party\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\sonstige\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\page\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\abc\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und 
Einstellungen\Marko\Desktop\KRIMSKRAMS\Neuer Ordner\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\UPLOAD\Downloads\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\KRIMSKRAMS\UPLOAD\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\BERLIN\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\IGALO\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\blank_data\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\menderes_data\afr_data\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\menderes_data\b_click_data\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\paradise\menderes_data\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\LLORET\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\chatroulette\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\dosen\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\fotoschop\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\PICDUMP\briefkästen\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\PICDUMP\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\PICDUMP\werbung\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\3d postet\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\bier gepostet\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\don gepostet\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und 
Einstellungen\Marko\Desktop\MORUK\POSTET\fuss postet\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\sandra postet\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\POSTET\tiere\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\twister\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MORUK\zwerge\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\MUSIK\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\GER\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\Neuer Ordner\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\PORTFOLIO\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\SCHULE LAAAN\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Desktop\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\bierpott\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\DVDVideoSoft\FreeVideoToJPGConverter\48c9aae0b30c7 (05-11-2009 20-21-02)\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\DVDVideoSoft\FreeVideoToJPGConverter\GeileSchnuppe_-_sonntagsmorgen_-_330531 (05-11-2009 13-14-55)\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\DVDVideoSoft\FreeVideoToJPGConverter\Nina (22) (04-11-2009 16-31-56)\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-01-27\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-02-10\Thumbs.db:encryptable:$DATA [*] 
C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-02-11\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\2010-02-23\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Bilder\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Eigene Videos\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Meine empfangenen Dateien\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\msn\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Thumbs.db:encryptable:$DATA [*] C:\Dokumente und Einstellungen\Marko\Eigene Dateien\Verlauf\August 2009\Images\Thumbs.db:encryptable:$DATA [-] Error scanning file C:\pagefile.sys: 0x05::0x06: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird. [*] C:\Programme\Ascaron Entertainment\Sacred 2 - Fallen Angel\system\Thumbs.db:encryptable:$DATA [*] C:\Programme\Ascaron Entertainment\Sacred 2 - Fallen Angel\Thumbs.db:encryptable:$DATA [*] C:\Programme\Click-2U\Pcsx2\compat_list\Thumbs.db:encryptable:$DATA [-] Error scanning file C:\WINDOWS\system32\drivers\vpjrp.sys: 0x05::0x06: Ein an das System angeschlossenes Gerät funktioniert nicht. 62 streams found. 15:34:3 - Performing check: "Hidden Registry entries": --------------------[HKEY_LOCAL_MACHINE\HARDWARE ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. ------------------------------------------------------------------------------- --------------------[HKEY_LOCAL_MACHINE\SAM ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...[-] Unable to open key: HKEY_LOCAL_MACHINE\SAM\SAM: Zugriff verweigert DONE. 
------------------------------------------------------------------------------- --------------------[HKEY_LOCAL_MACHINE\SECURITY ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...[-] Unable to open key: HKEY_LOCAL_MACHINE\SECURITY: Zugriff verweigert DONE. ------------------------------------------------------------------------------- --------------------[HKEY_LOCAL_MACHINE\SOFTWARE ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...[-] Unable to open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Remote Desktop\Pending Help Session: Zugriff verweigert DONE. ------------------------------------------------------------------------------- --------------------[HKEY_LOCAL_MACHINE\SYSTEM ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. 
Scanning...[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{59F44B03-CCD2-460B-ACD8-53CBF375D174}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxDAV\EncryptedDirectories: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vpjrp: Ein an das System angeschlossenes Gerät funktioniert nicht. 
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{59F44B03-CCD2-460B-ACD8-53CBF375D174}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MRxDAV\EncryptedDirectories: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vpjrp: Ein an das System angeschlossenes Gerät funktioniert nicht. 
[-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{59F44B03-CCD2-460B-ACD8-53CBF375D174}\Properties: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MRxDAV\EncryptedDirectories: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg: Zugriff verweigert [-] Unable to open key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vpjrp: Ein an das System angeschlossenes Gerät funktioniert nicht. DONE. ------------------------------------------------------------------------------- --------------------[HKEY_USERS\.DEFAULT ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. ------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-19 ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. 
------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-19_Classes ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. ------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-20 ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. ------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-20_Classes ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. ------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...[-] Unable to open key: HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1292428093-1532298954-1801674531-1003: Zugriff verweigert [-] Unable to open key: HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003\Software\SecuROM\License information: Das System kann die angegebene Datei nicht finden. DONE. ------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-21-1292428093-1532298954-1801674531-1003_Classes]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. 
------------------------------------------------------------------------------- --------------------[HKEY_USERS\S-1-5-18 ]------------------- WARNING: Dumping the registry can take quite some time! Be assured that the app doesn't hang while dumping! Dumping...OK. Scanning...DONE. ------------------------------------------------------------------------------- 15:37:11 - Performing check: "Hidden processes": (01) PID: 0 [00000000] (Idle) (53) PID: 4 [8A740660] (System) (191) PID: 156 [8A221758] (IGDCTRL.EXE) (191) PID: 192 [8A3296D0] (jqs.exe) (175) PID: 284 [8A3274D8] (RegistryWriter.exe) (175) PID: 472 [8A2C49E8] (S3DCService.exe) (191) PID: 540 [8A2649E0] (svchost.exe) (07) PID: 852 [8A471180] (smss.exe) (191) PID: 1036 [89613440] (alg.exe) (191) PID: 1076 [8A249938] (csrss.exe) (191) PID: 1100 [8A1FDA30] (winlogon.exe) (191) PID: 1144 [8A297A30] (services.exe) (191) PID: 1156 [8A193A30] (lsass.exe) (191) PID: 1276 [8953F370] (wmiprvse.exe) (191) PID: 1336 [8A2229D8] (nvsvc32.exe) (191) PID: 1360 [8A286930] (svchost.exe) (191) PID: 1408 [8A28D030] (svchost.exe) (191) PID: 1476 [8A20DA30] (svchost.exe) (191) PID: 1604 [8A2A24C8] (svchost.exe) (191) PID: 1648 [8A1932A0] (svchost.exe) (175) PID: 1724 [8A1DF640] (spoolsv.exe) (191) PID: 1788 [8A22BDA0] (sched.exe) (191) PID: 1828 [8A2FC838] (svchost.exe) (191) PID: 1888 [8A434388] (avguard.exe) (191) PID: 1900 [8A2C9808] (mDNSResponder.exe) (191) PID: 1944 [8A259800] (openvpnas.exe) (191) PID: 2028 [8A210618] (hsssrv.exe) (191) PID: 2040 [8A1BBDA0] (hsswd.exe) (175) PID: 2268 [89671030] (wuauclt.exe) (191) PID: 2364 [8A3719E0] (explorer.exe) (191) PID: 2508 [89BBB598] (avgnt.exe) (47) PID: 2528 [894F4DA0] (jusched.exe) (191) PID: 2728 [8959C318] (svchost.exe) (191) PID: 2788 [89490890] (RaUI.exe) (63) PID: 3024 [895AB9F0] (radixgui.exe) (187) PID: 3112 [899E4BE8] (wordpad.exe) (191) PID: 3348 [895ABDA0] (wscntfy.exe) 15:37:14 - Performing check: "Selftest": Doing a short selftest... 
-> Checking IAT PID 3024 - E:\mp3player\radix_installer\radixgui.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) [+] Patching code of LdrLoadDll at 7C925CBB 7C925CBB: Patching FF -> 68 7C925CBC: Patching 25 -> 6C 7C925CBD: Patching 1E -> 02 7C925CBF: Patching 6B -> 00 7C925CC0: Patching 71 -> 68 [+] Wrote patch to process memory. [+] Patching code of LdrUnloadDll at 7C926C83 7C926C83: Patching FF -> 68 7C926C84: Patching 25 -> C4 7C926C85: Patching 1E -> 00 7C926C87: Patching 6E -> 00 7C926C88: Patching 71 -> 68 [+] Wrote patch to process memory. kernel32.dll (7C800000 - 7C907000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) comdlg32.dll (76350000 - 7639A000) SHLWAPI.dll (77F40000 - 77FB6000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) VERSION.dll (77BD0000 - 77BD8000) dbghelp.dll (59DD0000 - 59E71000) comctl32.dll (773A0000 - 774A2000) S3DInjector.dll (10000000 - 10023000) wintrust.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) uxtheme.dll (5AD70000 - 5ADA8000) Selftest complete. 
15:37:16 - Performing check: "MBR": Partition Table: +----+-----+------Start------+--------End------+----------+----------+----+ | Nr | Act | Head Sect Track | Head Sect Track | Offset | Length | OS | +----+-----+-----------------+-----------------+----------+----------+----+ | 1 | Y | 001 01 0000 | 254 63 0255 | 0000003F | 0C34F28D | 07 | | 2 | N | 000 01 0255 | 254 63 0255 | 0C34F2CC | 190DE3F5 | 07 | | 3 | N | 000 00 0000 | 000 00 0000 | 00000000 | 00000000 | 00 | | 4 | N | 000 00 0000 | 000 00 0000 | 00000000 | 00000000 | 00 | +----+-----+-----------------+-----------------+----------+----------+----+ MBR seems to be OK. 15:37:16 - Performing check: "IRP hooks": 00 \Driver\Beep 8A208930 Beep.SYS 01 \Driver\NDIS 8A747238 NDIS.sys 02 \Driver\KSecDD 8A644040 KSecDD.sys 03 \Driver\Raspti 8A46EC48 raspti.sys 04 \Driver\Mouclass 8A3CC6D0 mouclass.sys 05 \Driver\taphss 8A429A60 taphss.sys 06 \Driver\avgio 8A217CA8 avgio.sys 07 \Driver\Fips 8A2A8930 Fips.SYS 08 \Driver\IntcAzAudAddService 8A310430 RtkHDAud.sys 09 \Driver\Kbdclass 8A416980 kbdclass.sys 10 \Driver\VgaSave 8A295410 vga.sys 11 \Driver\NDProxy 8A3468A0 NDProxy.SYS 12 \Driver\acw4zw80 8A377F38 acw4zw80.SYS --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A36F1F8 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A36F1F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A36F1F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A36F1F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A36F1F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A36F1F8 * The DriverUnload function points to another module than the start routine. 
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 12 >\Driver\PxHelp20 8A7491C0 PxHelp20.sys 13 >\Driver\Cdromp20 8A1F9358 cdrom.sys 14 >\Driver\redbook0 8A384C00 redbook.sys 15 >\Driver\GEARAspiWDM 8A366438 GEARAspiWDM.sys 17 \Driver\{B154377D-700F-42cc-9474-23858FBDF4BD} 8962F510 000.fcl 18 \Driver\Ptilink 8A4C8810 ptilink.sys 19 \Driver\MountMgr 8A74C340 MountMgr.sys 20 \Driver\uagp35 8A702408 uagp35.sys 21 \Driver\wdmaud 895EC758 wdmaud.sys 22 \Driver\iZ3DInjectionDriver 8A2C35A8 S3DInjectionDriver.sys 23 \Driver\dmload 8A67CB08 dmload.sys 24 \Driver\isapnp 8A6BA178 isapnp.sys 15 \Driver\redbook 8A384C00 redbook.sys 15 >\Driver\GEARAspiWDM 8A366438 GEARAspiWDM.sys 25 (Unknown driver) 8A6A2328 atapi.sys --[HIDDEN]----[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A7541F8 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A7541F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A7541F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A7541F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A7541F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A7541F8 * The DriverUnload function points to another module than the start routine. 
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 25 >\Driver\ACPIver) 8A756F38 ACPI.sys 26 >\Driver\Diskver) 8A7489E8 disk.sys 27 >\Driver\PartMgr) 8A6A28E8 PartMgr.sys 29 \Driver\IpNat 8A2F6B20 ipnat.sys 30 \Driver\RasAcd 8A23EDA0 rasacd.sys 31 \Driver\PSched 8A2DFB78 psched.sys 32 \Driver\dmio 8A67C8D0 dmio.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A6E21F8 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A6E21F8 * Majorfunction 03 (IRP_MJ_READ) hooked at 8A6E21F8 * Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A6E21F8 * Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A6E21F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A6E21F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A6E21F8 * Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A6E21F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A6E21F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A6E21F8 * The DriverUnload function points to another module than the start routine. 
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 33 \Driver\sptd 8A721458 spgn.sys 34 \Driver\SDTHelper 894B0930 sdthlpr.sys 35 \Driver\Win32k 8A228400 win32k.sys 36 \Driver\audstub 8A2EAA00 audstub.sys 37 \Driver\ManyCam 8A2EBB78 ManyCam.sys 38 \Driver\usbuhci 8A419888 usbuhci.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A40F1F8 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A40F1F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A40F1F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A40F1F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A40F1F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A40F1F8 * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 
38 >\Driver\usbhubi 8A469040 usbhub.sys 40 \Driver\mouhid 8A416E60 mouhid.sys 40 >\Driver\Mouclass 8A3CC6D0 mouclass.sys 39 \Driver\usbhub 8A469040 usbhub.sys 39 >\Driver\hidusb 8A31A2A0 hidusb.sys 42 \Driver\swenum 8A3CE688 swenum.sys 42 >\Driver\sysaudio 894C2378 sysaudio.sys 44 \Driver\rdpdr 8A36ADE8 rdpdr.sys 45 \Driver\RDPCDD 8A3D2278 RDPCDD.sys 46 \Driver\Update 8A297DA0 update.sys 47 \Driver\RasPppoe 8A2E3D58 raspppoe.sys 48 \Driver\usbccgp 8A21F040 usbccgp.sys 48 >\Driver\hidusbp 8A31A2A0 hidusb.sys 49 \Driver\HTTP 89523F38 HTTP.sys 50 \Driver\SCDEmu 8A2AB5A8 SCDEmu.SYS 51 \Driver\TermDD 8A455B10 termdd.sys 51 >\Driver\Mouclass 8A3CC6D0 mouclass.sys 52 \Driver\Ftdisk 8A67C040 ftdisk.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A7551F8 * Majorfunction 03 (IRP_MJ_READ) hooked at 8A7551F8 * Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A7551F8 * Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A7551F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A7551F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A7551F8 * Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A7551F8 * Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A7551F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A7551F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A7551F8 * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 
52 >\Driver\VolSnap 8A6A2430 VolSnap.sys 43 \Driver\sysaudio 894C2378 sysaudio.sys 54 \Driver\Rasl2tp 8A2E8F38 rasl2tp.sys 55 \Driver\Fdc 8A417CB0 fdc.sys 55 >\Driver\Flpydisk 8A1CF298 flpydisk.sys 57 \Driver\videX32 8A6A27E0 videX32.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at B832C4F2 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES * Majorfunction 16 (IRP_MJ_POWER) hooked at B8328692 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at B832C46E by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 
Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES * The DriverUnload function points to another module than the start routine. * Unload routine is at B832C6DC by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS ------------------------------------------------------------------------------- Information for module PCIIDEX.SYS: ------------------------------------------------------------------------------- Index: 12 Base address: B8328000 Size: 00007000 Flags: 0D004000 Load count: 3 Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Name: Microsoft® Windows® Operating System Version: 5.1.2600.2180 Company: Microsoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Description: PCI IDE Bus Driver Extension Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Signed: YES 57 >\Driver\ACPIX32 8A756F38 ACPI.sys 26 >\Driver\atapi32 8A6A2328 atapi.sys --[HIDDEN]-- 58 \Driver\Secdrv 8A2077B8 secdrv.sys 59 \Driver\adfs 8A1F0708 adfs.SYS 59 >\FileSystem\FltMgr 8A642A60 fltMgr.sys 61 \Driver\PptpMiniport 8A2E13C8 raspptp.sys 62 \Driver\serenum 8A3A8BD8 serenum.sys 63 \Driver\WMIxWDM 8A75D170 ntkrnlpa.exe 64 \Driver\ACPI_HAL 8A75D3A8 hal.dll 64 >\Driver\ACPI_HAL 8A756F38 ACPI.sys 65 \Driver\NetBT 8A1F22A0 netbt.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A2B3500 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A2B3500 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A2B3500 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A2B3500 * Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A2B3500 * The DriverUnload function points to another module than the start routine. 
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 66 \Driver\PCI_PNP9822 8A6E5848 spgn.sys 66 >\Driver\acw4zw80822 8A377F38 acw4zw80.SYS 14 \Driver\Cdrom 8A1F9358 cdrom.sys --[HOOKED]-- This might be a false positive, as I was unable to check. * Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A0D51F8 * Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A0D51F8 * Majorfunction 03 (IRP_MJ_READ) hooked at 8A0D51F8 * Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A0D51F8 * Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A0D51F8 * Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A0D51F8 * Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A0D51F8 * Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A0D51F8 * Majorfunction 16 (IRP_MJ_POWER) hooked at 8A0D51F8 * Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A0D51F8 * The DriverUnload function points to another module than the start routine. * Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 
14 >\Driver\redbook 8A384C00 redbook.sys
15 >\Driver\GEARAspiWDM 8A366438 GEARAspiWDM.sys
67 \Driver\mssmbios 8A1FDDA0 mssmbios.sys
68 \Driver\PCIIde 8A74C550 pciide.sys
69 \Driver\ViaIde 8A74C448 viaide.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at B832C4F2 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
* Majorfunction 16 (IRP_MJ_POWER) hooked at B8328692 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at B832C46E by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B832C6DC by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
-------------------------------------------------------------------------------
Information for module PCIIDEX.SYS:
-------------------------------------------------------------------------------
Index: 12
Base address: B8328000
Size: 00007000
Flags: 0D004000
Load count: 3
Imagename: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: PCI IDE Bus Driver Extension
Possible path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed: YES
70 \Driver\Wanarp 8A344B20 wanarp.sys
71 \Driver\Tcpip 8A27C5F0 tcpip.sys
72 \Driver\mnmdd 8A2002C0 mnmdd.SYS
73 \Driver\xfilt 8A7492C8 xfilt.sys
74 \Driver\kbdhid 8A5FBF38 kbdhid.sys
74 >\Driver\Kbdclass 8A416980 kbdclass.sys
53 \Driver\VolSnap 8A6A2430 VolSnap.sys
75 \Driver\intelppm 8A49BCF8 intelppm.sys
76 \Driver\nv 8A415BD8 nv4_mini.sys
77 \Driver\vpjrp 8A74CBD8 vpjrp.sys
78 \Driver\AegisP 8A2BBF38 AegisP.sys
79 \Driver\lirsgt 8A180D58 lirsgt.sys
80 \Driver\Null 8A169298 Null.SYS
81 \Driver\usbehci 8A3DED58 usbehci.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A3DE1F8
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A3DE1F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A3DE1F8
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 8A3DE1F8
* Majorfunction 16 (IRP_MJ_POWER) hooked at 8A3DE1F8
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 8A3DE1F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
81 >\Driver\usbhubi 8A469040 usbhub.sys
82 \Driver\IPSec 8A242AC8 ipsec.sys
16 \Driver\GEARAspiWDM 8A366438 GEARAspiWDM.sys
27 \Driver\Disk 8A7489E8 disk.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
83 \Driver\PCI 8A720340 pci.sys
83 >\Driver\ACPI 8A756F38 ACPI.sys
26 >\Driver\HDAudBus 8A39BF10 HDAudBus.sys
85 \Driver\Serial 8A3B9318 serial.sys
85 >\Driver\serenum 8A3A8BD8 serenum.sys
86 \Driver\NdisTapi 8A2E77B8 ndistapi.sys
87 \Driver\NdisWan 8A2E6748 ndiswan.sys
88 \Driver\FETND5BV 8A3B0E18 fetnd5bv.sys
28 \Driver\PartMgr 8A6A28E8 PartMgr.sys
89 \Driver\Gpc 8A2DF2B0 msgpc.sys
84 \Driver\HDAudBus 8A39BF10 HDAudBus.sys
84 >\Driver\IntcAzAudAddService 8A310430 RtkHDAud.sys
26 \Driver\ACPI 8A756F38 ACPI.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
26 >\Driver\Disk 8A7489E8 disk.sys
27 >\Driver\PartMgr 8A6A28E8 PartMgr.sys
56 \Driver\Flpydisk 8A1CF298 flpydisk.sys
90 \Driver\PnpManager 8A7632E0 ntkrnlpa.exe
90 >\Driver\mssmbioser 8A1FDDA0 mssmbios.sys
91 \Driver\atksgt 8A4A2308 atksgt.sys
92 \Driver\AFD 8A346B20 afd.sys
41 \Driver\hidusb 8A31A2A0 hidusb.sys
93 \Driver\avipbb 8A2AA788 avipbb.sys
94 \Driver\ssmdrv 8A2BB930 ssmdrv.sys
13 \Driver\PxHelp20 8A7491C0 PxHelp20.sys
13 >\Driver\Cdromp20 8A1F9358 cdrom.sys
14 >\Driver\redbook0 8A384C00 redbook.sys
15 >\Driver\GEARAspiWDM 8A366438 GEARAspiWDM.sys
95 \FileSystem\Ntfs 8A6441C8 Ntfs.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A6B1960
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A7531F8
* Majorfunction 03 (IRP_MJ_READ) hooked at 8A7531F8
* Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A7531F8
* Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 8A7531F8
* Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 8A7531F8
* Majorfunction 07 (IRP_MJ_QUERY_EA) hooked at 8A7531F8
* Majorfunction 08 (IRP_MJ_SET_EA) hooked at 8A7531F8
* Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A7531F8
* Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 8A7531F8
* Majorfunction 0B (IRP_MJ_SET_VOLUME_INFORMATION) hooked at 8A7531F8
* Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 8A7531F8
* Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 8A7531F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A7531F8
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A7531F8
* Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 8A7531F8
* Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A7531F8
* Majorfunction 14 (IRP_MJ_QUERY_SECURITY) hooked at 8A7531F8
* Majorfunction 15 (IRP_MJ_SET_SECURITY) hooked at 8A7531F8
* Majorfunction 19 (IRP_MJ_QUERY_QUOTA) hooked at 8A7531F8
* Majorfunction 1A (IRP_MJ_SET_QUOTA) hooked at 8A7531F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
95 >\FileSystem\srfs 8A645810 sr.sys
96 >\FileSystem\FltMgr 8A642A60 fltMgr.sys
97 \FileSystem\NetBIOS 8A3084E0 netbios.sys
96 \FileSystem\sr 8A645810 sr.sys
96 >\FileSystem\FltMgr 8A642A60 fltMgr.sys
98 \FileSystem\Rdbss 8A2CEDA0 rdbss.sys
99 \FileSystem\avgntflt 8A2AC5B0 avgntflt.sys
100 \FileSystem\Lbd 8A6455E0 Lbd.sys
101 \FileSystem\Msfs 8A2553C8 Msfs.SYS
102 \FileSystem\MRxSmb 8A2CDAC8 mrxsmb.sys --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 89BB91F8
* Majorfunction 01 (IRP_MJ_CREATE_NAMED_PIPE) hooked at 89BB91F8
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 89BB91F8
* Majorfunction 03 (IRP_MJ_READ) hooked at 89BB91F8
* Majorfunction 04 (IRP_MJ_WRITE) hooked at 89BB91F8
* Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 89BB91F8
* Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 89BB91F8
* Majorfunction 07 (IRP_MJ_QUERY_EA) hooked at 89BB91F8
* Majorfunction 08 (IRP_MJ_SET_EA) hooked at 89BB91F8
* Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 89BB91F8
* Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 89BB91F8
* Majorfunction 0B (IRP_MJ_SET_VOLUME_INFORMATION) hooked at 89BB91F8
* Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 89BB91F8
* Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 89BB91F8
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 89BB91F8
* Majorfunction 0F (IRP_MJ_INTERNAL_DEVICE_CONTROL) hooked at 89BB91F8
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 89BB91F8
* Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 89BB91F8
* Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 89BB91F8
* Majorfunction 13 (IRP_MJ_CREATE_MAILSLOT) hooked at 89BB91F8
* Majorfunction 14 (IRP_MJ_QUERY_SECURITY) hooked at 89BB91F8
* Majorfunction 15 (IRP_MJ_SET_SECURITY) hooked at 89BB91F8
* Majorfunction 16 (IRP_MJ_POWER) hooked at 89BB91F8
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at 89BB91F8
* Majorfunction 18 (IRP_MJ_DEVICE_CHANGE) hooked at 89BB91F8
* Majorfunction 19 (IRP_MJ_QUERY_QUOTA) hooked at 89BB91F8
* Majorfunction 1A (IRP_MJ_SET_QUOTA) hooked at 89BB91F8
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
103 \FileSystem\Srv 8A325F38 srv.sys
104 \FileSystem\Mup 8A6425A0 Mup.sys
105 \FileSystem\RAW 8A722170 ntkrnlpa.exe
106 \FileSystem\Npfs 8A253DA0 Npfs.SYS
107 \FileSystem\Fs_Rec 8A2B02A0 Fs_Rec.SYS
108 \FileSystem\Cdfs 8A23E040 Cdfs.SYS --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A289500
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A289500
* Majorfunction 03 (IRP_MJ_READ) hooked at 8A289500
* Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 8A289500
* Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 8A289500
* Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 8A289500
* Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 8A289500
* Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 8A289500
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A289500
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A289500
* Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 8A289500
* Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A289500
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
108 >\FileSystem\FltMgr 8A642A60 fltMgr.sys
60 \FileSystem\FltMgr 8A642A60 fltMgr.sys
109 \FileSystem\MRxDAV 8A313360 mrxdav.sys
109 >\FileSystem\FltMgr 8A642A60 fltMgr.sys
34 \Driver\SDTHelper 899E1750 sdthlpr.sys
110 \FileSystem\Fastfat 899D9F38 Fastfat.SYS --[HOOKED]--
This might be a false positive, as I was unable to check.
* Majorfunction 00 (IRP_MJ_CREATE) hooked at 8A2B63D0
* Majorfunction 02 (IRP_MJ_CLOSE) hooked at 8A2B63D0
* Majorfunction 03 (IRP_MJ_READ) hooked at 8A2B63D0
* Majorfunction 04 (IRP_MJ_WRITE) hooked at 8A2B63D0
* Majorfunction 05 (IRP_MJ_QUERY_INFORMATION) hooked at 8A2B63D0
* Majorfunction 06 (IRP_MJ_SET_INFORMATION) hooked at 8A2B63D0
* Majorfunction 07 (IRP_MJ_QUERY_EA) hooked at 8A2B63D0
* Majorfunction 08 (IRP_MJ_SET_EA) hooked at 8A2B63D0
* Majorfunction 09 (IRP_MJ_FLUSH_BUFFERS) hooked at 8A2B63D0
* Majorfunction 0A (IRP_MJ_QUERY_VOLUME_INFORMATION) hooked at 8A2B63D0
* Majorfunction 0B (IRP_MJ_SET_VOLUME_INFORMATION) hooked at 8A2B63D0
* Majorfunction 0C (IRP_MJ_DIRECTORY_CONTROL) hooked at 8A2B63D0
* Majorfunction 0D (IRP_MJ_FILE_SYSTEM_CONTROL) hooked at 8A2B63D0
* Majorfunction 0E (IRP_MJ_DEVICE_CONTROL) hooked at 8A2B63D0
* Majorfunction 10 (IRP_MJ_SHUTDOWN) hooked at 8A2B63D0
* Majorfunction 11 (IRP_MJ_LOCK_CONTROL) hooked at 8A2B63D0
* Majorfunction 12 (IRP_MJ_CLEANUP) hooked at 8A2B63D0
* The DriverUnload function points to another module than the start routine.
* Unload routine is at B7EECADC by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
110 >\FileSystem\FltMgrt 8A642A60 fltMgr.sys
111 \Driver\kmixer 8A763D00 kmixer.sys

15:38:47 - Performing check: "Patched modules":
Module information:
Idx Base Size Module Service Pre Sig Patched
000 804D7000 0020C000 ntkrnlpa.exe YES YES
001 806E3000 00020D00 hal.dll YES YES
002 B85A8000 00002000 KDCOM.DLL YES YES
003 B84B8000 00003000 BOOTVID.dll YES YES
004 B7EA6000 00101000 spgn.sys NO NO
005 B85AA000 00002000 WMILIB.SYS YES YES
006 B7E8E000 00018000 SCSIPORT.SYS YES YES
007 B7E5F000 0002F000 ACPI.sys ACPI YES YES
008 B7E4E000 00011000 pci.sys PCI YES YES
009 B80A8000 00009000 isapnp.sys isapnp YES YES
010 B7D1D000 00131000 vpjrp.sys vpjrp YES NO
011 B8670000 00001000 pciide.sys PCIIde YES YES
012 B8328000 00007000 PCIIDEX.SYS YES YES
013 B85AC000 00002000 viaide.sys ViaIde YES YES
014 B80B8000 0000B000 MountMgr.sys MountMgr YES YES
015 B7CFE000 0001F000 ftdisk.sys Ftdisk YES YES
016 B85AE000 00002000 dmload.sys dmload YES YES
017 B7CD8000 00026000 dmio.sys dmio YES YES
018 B8330000 00005000 PartMgr.sys PartMgr YES YES
019 B8338000 00008000 videX32.sys videX32 YES YES
020 B80C8000 0000E000 VolSnap.sys VolSnap YES YES
021 B7CC0000 00018000 atapi.sys atapi YES YES
022 B80D8000 00009000 disk.sys Disk YES YES
023 B80E8000 0000D000 CLASSPNP.SYS YES YES
024 B7CA1000 0001F000 fltMgr.sys FltMgr YES YES
025 B7C8F000 00012000 sr.sys sr YES YES
026 B80F8000 0000F000 Lbd.sys Lbd YES YES
027 B8108000 00009000 xfilt.sys xfilt YES YES
028 B8118000 0000A000 PxHelp20.sys PxHelp20 YES YES
029 B7C78000 00017000 KSecDD.sys KSecDD YES YES
030 B7BEB000 0008D000 Ntfs.sys Ntfs YES YES
031 B7BBE000 0002D000 NDIS.sys NDIS YES YES
032 B8128000 0000B000 uagp35.sys uagp35 YES YES
033 B7BA3000 0001B000 Mup.sys Mup YES YES
034 B755C000 0000A000 intelppm.sys intelppm YES YES
035 B6B98000 009C4000 nv4_mini.sys nv YES YES
036 B6B84000 00014000 VIDEOPRT.SYS YES YES
037 B8418000 00005000 usbuhci.sys usbuhci YES YES
038 B6B61000 00023000 USBPORT.SYS YES YES
The code of DllUnload at B6B7962C (0) got patched. Here is the diff:
Address New-Original
B6B7962C: E9 - 80
B6B7962D: A7 - 3D
--> JMP DWORD PTR DS:[8A4101D8]
[i] Function DllUnload was patched @B6B7962C probably by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
039 B8420000 00007000 usbehci.sys usbehci YES YES
040 B8428000 00007000 fdc.sys Fdc YES YES
041 B8430000 00007000 kbdclass.sys Kbdclass YES YES
042 B8438000 00006000 mouclass.sys Mouclass YES YES
043 B6B50000 00011000 serial.sys Serial YES YES
044 B7B6F000 00004000 serenum.sys serenum YES YES
045 B81A8000 0000B000 fetnd5bv.sys FETND5BV YES YES
046 B6B2B000 00025000 HDAudBus.sys HDAudBus YES YES
047 B6AF3000 00038000 acw4zw80.SYS YES YES
048 B84A0000 00006000 ManyCam.sys ManyCam YES YES
049 B81B8000 0000C000 STREAM.SYS YES YES
050 B6AD0000 00023000 ks.sys YES YES
051 B879E000 00001000 audstub.sys audstub YES YES
052 B81C8000 0000D000 rasl2tp.sys Rasl2tp YES YES
053 B7B5F000 00003000 ndistapi.sys NdisTapi YES YES
054 B68C2000 00017000 ndiswan.sys NdisWan YES YES
055 B81D8000 0000B000 raspppoe.sys RasPppoe YES YES
056 B81E8000 0000C000 raspptp.sys PptpMiniport YES YES
057 B84A8000 00005000 TDI.SYS YES YES
058 B68B1000 00011000 psched.sys PSched YES YES
059 B81F8000 00009000 msgpc.sys Gpc YES YES
060 B84B0000 00005000 ptilink.sys Ptilink YES YES
061 B8348000 00005000 raspti.sys Raspti YES YES
062 B8350000 00007000 taphss.sys taphss YES YES
063 B6880000 00031000 rdpdr.sys rdpdr YES YES
064 B8208000 0000A000 termdd.sys TermDD YES YES
065 B85DE000 00002000 swenum.sys swenum YES YES
066 B684C000 00034000 update.sys Update YES YES
067 B7807000 00004000 mssmbios.sys mssmbios YES YES
068 B8218000 0000D000 cdrom.sys Cdrom YES YES
069 B8228000 0000F000 redbook.sys redbook YES YES
070 B8238000 0000A000 GEARAspiWDM.sys GEARAspiWDM YES YES
071 B8258000 0000A000 NDProxy.SYS NDProxy YES YES
072 B8278000 0000F000 usbhub.sys usbhub YES YES
073 B85EC000 00002000 USBD.SYS YES YES
074 B414F000 005D5000 RtkHDAud.sys IntcAzAudAddService YES YES
075 B412D000 00022000 portcls.sys YES YES
076 B8288000 0000F000 drmk.sys YES YES
077 B83A0000 00005000 flpydisk.sys Flpydisk YES YES
078 B85F8000 00002000 Fs_Rec.SYS Fs_Rec YES YES
079 B8750000 00001000 Null.SYS Null YES YES
080 B85FA000 00002000 Beep.SYS Beep YES YES
081 B83B0000 00007000 HIDPARSE.SYS YES YES
082 B83B8000 00006000 vga.sys VgaSave YES YES
083 B85FE000 00002000 mnmdd.SYS mnmdd YES YES
084 B8600000 00002000 RDPCDD.sys RDPCDD YES YES
085 B83C0000 00005000 Msfs.SYS Msfs YES YES
086 B83C8000 00008000 Npfs.SYS Npfs YES YES
087 B6840000 00003000 rasacd.sys RasAcd YES YES
088 B400A000 00013000 ipsec.sys IPSec YES YES
089 B3FB2000 00058000 tcpip.sys Tcpip YES YES
090 B3F8A000 00028000 netbt.sys NetBT YES YES
091 B3F69000 00021000 ipnat.sys IpNat YES YES
092 B3F47000 00022000 afd.sys AFD YES YES
093 B82A8000 00009000 netbios.sys NetBIOS YES YES
094 B82B8000 00009000 wanarp.sys Wanarp YES YES
095 B83D0000 00006000 ssmdrv.sys ssmdrv YES YES
096 B82C8000 0000B000 SCDEmu.SYS SCDEmu YES NO
097 B3EF3000 0002C000 rdbss.sys Rdbss YES YES
098 B3E84000 0006F000 mrxsmb.sys MRxSmb YES YES
099 B83D8000 00007000 S3DInjectionDriver.sys iZ3DInjectionDriver YES YES
100 B82E8000 00009000 Fips.SYS Fips YES YES
101 B3E68000 0001C000 avipbb.sys avipbb YES YES
102 B8604000 00002000 avgio.sys avgio YES YES
103 B8308000 00010000 Cdfs.SYS Cdfs YES YES
104 B83E8000 00008000 usbccgp.sys usbccgp YES YES
105 B40E9000 00003000 hidusb.sys hidusb YES YES
106 B75EC000 00009000 HIDCLASS.SYS YES YES
107 B40E5000 00003000 mouhid.sys mouhid YES YES
108 B40E1000 00004000 kbdhid.sys kbdhid YES YES
109 B3D62000 00018000 dump_atapi.sys NO NO
110 B860A000 00002000 dump_WMILIB.SYS NO NO
111 BF800000 001C4000 win32k.sys YES YES
112 B3F43000 00003000 Dxapi.sys YES YES
113 B83F8000 00005000 watchdog.sys YES YES
114 BD000000 00012000 dxg.sys YES YES
115 B87DF000 00001000 dxgthk.sys YES YES
116 BD012000 005FE000 nv4_disp.dll YES YES
117 BFFA0000 00046000 ATMFD.DLL YES YES
118 B3C16000 00014000 avgntflt.sys avgntflt YES YES
119 B8460000 00005000 AegisP.sys AegisP YES NO
120 B38C9000 0002D000 mrxdav.sys MRxDAV YES YES
121 B3868000 00011000 adfs.SYS adfs YES YES
122 B3825000 00043000 atksgt.sys atksgt YES YES
123 B8398000 00005000 lirsgt.sys lirsgt YES YES
124 B35C6000 00057000 srv.sys Srv YES YES
125 B3576000 00028000 secdrv.sys Secdrv YES NO
126 B3522000 0002C000 000.fcl {B154377D-700F-42cc-9474-23858FBDF4BD} YES YES
127 B314D000 00015000 wdmaud.sys wdmaud YES YES
128 B321A000 0000F000 sysaudio.sys sysaudio YES YES
129 B2E04000 00041000 HTTP.sys HTTP YES YES
130 B3C36000 00004000 sdthlpr.sys SDTHelper YES NO
131 B19FC000 00023000 Fastfat.SYS Fastfat YES YES
132 B19D2000 0002A000 kmixer.sys kmixer YES YES
133 7C910000 000B9000 ntdll.dll YES YES
Number of Module Table entries patched = 1

15:39:16 - Performing check: "SDT hooks":
Found KiServiceTable @ 8055B6E0
0 ZwAcceptConnectPort 805A3104
1 ZwAccessCheck 805EF38C
2 ZwAccessCheckAndAuditAlarm 805F2BDA
3 ZwAccessCheckByType 805EF3BE
4 ZwAccessCheckByTypeAndAuditAlarm 805F2C14
5 ZwAccessCheckByTypeResultList 805EF3F4
6 ZwAccessCheckByTypeResultListAndAuditAlarm 805F2C58
7 ZwAccessCheckByTypeResultListAndAuditAlarmByHandle 805F2C9C
8 ZwAddAtom 80613BC8
9 ZwAddBootEntry 8061490A
10 ZwAdjustGroupsToken 805EA73C
11 ZwAdjustPrivilegesToken 805EA394
12 ZwAlertResumeThread 805D33D0
13 ZwAlertThread 805D3380
14 ZwAllocateLocallyUniqueId 806141EE
15 ZwAllocateUserPhysicalPages 805B49F8
16 ZwAllocateUuids 8061380A
17 ZwAllocateVirtualMemory 805A758E
18 ZwAreMappedFilesTheSame 805AF00C
19 ZwAssignProcessToJobObject 805D4E94
20 ZwCallbackReturn 80500DD4
21 ZwCancelDeviceWakeupRequest 806148FC
22 ZwCancelIoFile 80575974
23 ZwCancelTimer 80537E4E
24 ZwClearEvent 8060CE12
25 ZwClose 805BAF72
26 ZwCloseObjectAuditAlarm 805F3114
27 ZwCompactKeys 80621D04
28 ZwCompareTokens 805F7628
29 ZwCompleteConnectPort 805A37F2
30 ZwCompressKey 80621F58
31 ZwConnectPort 805A30A4
32 ZwContinue 80544104
33 ZwCreateDebugObject 8063FF3E
34 ZwCreateDirectoryObject 805BCE26
35 ZwCreateEvent 8060CE62
36 ZwCreateEventPair 80615180
37 ZwCreateFile 80577ED2
38 ZwCreateIoCompletion 80576764
39 ZwCreateJobObject 805D3E58
40 ZwCreateJobSet 805D3B90
41 ZwCreateKey --[HOOKED]-- B8760396 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
42 ZwCreateMailslotFile 80577FE0
43 ZwCreateMutant 80615578
44 ZwCreateNamedPipeFile 80577F0C
45 ZwCreatePagingFile 805AA4C2
46 ZwCreatePort 805A3BC0
47 ZwCreateProcess 805CFAE2
48 ZwCreateProcessEx 805CFA2C
49 ZwCreateProfile 80615998
50 ZwCreateSection 805A9E9C
51 ZwCreateSemaphore 80612F28
52 ZwCreateSymbolicLinkObject 805C36A6
53 ZwCreateThread --[HOOKED]-- B876038C probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
54 ZwCreateTimer 80614E48
55 ZwCreateToken 805F79D0
56 ZwCreateWaitablePort 805A3BE4
57 ZwDebugActiveProcess 8064101A
58 ZwDebugContinue 8064116A
59 ZwDelayExecution 8061484C
60 ZwDeleteAtom 8061407E
61 ZwDeleteBootEntry 806148FC
62 ZwDeleteFile 80575ABA
63 ZwDeleteKey --[HOOKED]-- B876039B probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
64 ZwDeleteObjectAuditAlarm 805F3220
65 ZwDeleteValueKey --[HOOKED]-- B87603A5 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
66 ZwDeviceIoControlFile 80578098
67 ZwDisplayString 80610EA6
68 ZwDuplicateObject 805BC94E
69 ZwDuplicateToken 805EB5DA
70 ZwEnumerateBootEntries 8061490A
71 ZwEnumerateKey --[HOOKED]-- B7EC5CA4 probably by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
72 ZwEnumerateSystemEnvironmentValuesEx 806148EE
73 ZwEnumerateValueKey --[HOOKED]-- B7EC6032 probably by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
74 ZwExtendSection 805B2718
75 ZwFilterToken 805EB786
76 ZwFindAtom 80613E32
77 ZwFlushBuffersFile 80575B86
78 ZwFlushInstructionCache 805B528C
79 ZwFlushKey 80622E48
80 ZwFlushVirtualMemory 805AB1D6
81 ZwFlushWriteBuffer 805B522E
82 ZwFreeUserPhysicalPages 805B4D9A
83 ZwFreeVirtualMemory 805B19F4
84 ZwFsControlFile 805780CC
85 ZwGetContextThread 805CFDF4
86 ZwGetDevicePowerState 805C6FC6
87 ZwGetPlugPlayEvent 80597E7E
88 ZwGetWriteWatch 80520498
89 ZwImpersonateAnonymousToken 805F731C
90 ZwImpersonateClientOfPort 805A3C4E
91 ZwImpersonateThread 805D6054
92 ZwInitializeRegistry 8062010C
93 ZwInitiatePowerAction 805C6DAC
94 ZwIsProcessInJob 805D3A54
95 ZwIsSystemResumeAutomatic 805C6FB2
96 ZwListenPort 805A3E5A
97 ZwLoadDriver 80582EAE
98 ZwLoadKey --[HOOKED]-- B87603AA probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
99 ZwLoadKey2 80623AAE
100 ZwLockFile 80578100
101 ZwLockProductActivationKeys 80611498
102 ZwLockRegistryKey 80622004
103 ZwLockVirtualMemory 805B5394
104 ZwMakePermanentObject 805BCC1C
105 ZwMakeTemporaryObject 805BB016
106 ZwMapUserPhysicalPages 805B3E58
107 ZwMapUserPhysicalPagesScatter 805B43A8
108 ZwMapViewOfSection 805B0A7C
109 ZwModifyBootEntry 806148FC
110 ZwNotifyChangeDirectoryFile 80578D18
111 ZwNotifyChangeKey 80623E2E
112 ZwNotifyChangeMultipleKeys 80622F4A
113 ZwOpenDirectoryObject 805BCEF8
114 ZwOpenEvent 8060CF62
115 ZwOpenEventPair 80615258
116 ZwOpenFile 80578FD0
117 ZwOpenIoCompletion 8057683C
118 ZwOpenJobObject 805D3FDE
119 ZwOpenKey --[HOOKED]-- B7EA70C0 probably by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
120 ZwOpenMutant 80615650
121 ZwOpenObjectAuditAlarm 805F2CE2
122 ZwOpenProcess --[HOOKED]-- B8760378 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
123 ZwOpenProcessToken 805EBFD2
124 ZwOpenProcessTokenEx 805EBBD8
125 ZwOpenSection 805A8EC0
126 ZwOpenSemaphore 80613022
127 ZwOpenSymbolicLinkObject 805C388C
128 ZwOpenThread --[HOOKED]-- B876037D probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys
-------------------------------------------------------------------------------
Information for module avipbb.sys:
-------------------------------------------------------------------------------
Index: 101
Base address: B3E68000
Size: 0001C000
Flags: 09104000
Load count: 1
Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys
Name: (null)
Version: 9.00.00.00
Company: Avira GmbH
File Version: 1.0.2.86
Description: Avira Driver for RootKit Detection
Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Signed: YES
129 ZwOpenThreadToken 805EBFF0
130 ZwOpenThreadTokenEx 805EBD48
131 ZwOpenTimer 80614F6A
132 ZwPlugPlayControl 8064320C
133 ZwPowerInformation 805C7DFA
134 ZwPrivilegeCheck 805F63CE
135 ZwPrivilegeObjectAuditAlarm 805F1FF4
136 ZwPrivilegedServiceAuditAlarm 805F21E0
137 ZwProtectVirtualMemory 805B6E60
138 ZwPulseEvent 8060D01A
139 ZwQueryAttributesFile 80575D64
140 ZwQueryBootEntryOrder 8061490A
141 ZwQueryBootOptions 8061490A
142 ZwQueryDebugFilterState 8053EE36
143 ZwQueryDefaultLocale 8060EBEC
144 ZwQueryDefaultUILanguage 8060F84C
145 ZwQueryDirectoryFile 80578CB2
146 ZwQueryDirectoryObject 805BCF98
147 ZwQueryEaFile 80579000
148 ZwQueryEvent 8060D0E2
149 ZwQueryFullAttributesFile 80575E9C
150 ZwQueryInformationAtom 806140A6
151 ZwQueryInformationFile 8057986C
152 ZwQueryInformationJobObject 805D44B0
153 ZwQueryInformationPort 805A3EB8
154 ZwQueryInformationProcess 805CB860
155 ZwQueryInformationThread 805CA48E
156 ZwQueryInformationToken 805EC0D0
157 ZwQueryInstallUILanguage 8060EFEA
158 ZwQueryIntervalProfile 80615E1A
159 ZwQueryIoCompletion 805768E4
160 ZwQueryKey --[HOOKED]-- B7EC610A probably by C:\WINDOWS\system32\DRIVERS\spgn.sys
-------------------------------------------------------------------------------
Information for module spgn.sys:
-------------------------------------------------------------------------------
Index: 4
Base address: B7EA6000
Size: 00101000
Flags: 09004000
Load count: 1
Imagename: spgn.sys
Name: (null)
Version: (null)
Company: (null)
File Version: (null)
Description: (null)
Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys
Warning: Driver file couldn't be found.
161 ZwQueryMultipleValueKey 80621302 162 ZwQueryMutant 806156F8 163 ZwQueryObject 805C2DC6 164 ZwQueryOpenSubKeys 80621968 165 ZwQueryPerformanceCounter 80615EA8 166 ZwQueryQuotaInformationFile 8057A604 167 ZwQuerySection 805B7022 168 ZwQuerySecurityObject 805BEA84 169 ZwQuerySemaphore 806130DA 170 ZwQuerySymbolicLinkObject 805C392C 171 ZwQuerySystemEnvironmentValue 80614926 172 ZwQuerySystemEnvironmentValueEx 806148E0 173 ZwQuerySystemInformation 8060F8CC 174 ZwQuerySystemTime 80611072 175 ZwQueryTimer 80615022 176 ZwQueryTimerResolution 80611104 177 ZwQueryValueKey --[HOOKED]-- B7EC5F8A probably by C:\WINDOWS\system32\DRIVERS\spgn.sys ------------------------------------------------------------------------------- Information for module spgn.sys: ------------------------------------------------------------------------------- Index: 4 Base address: B7EA6000 Size: 00101000 Flags: 09004000 Load count: 1 Imagename: spgn.sys Name: (null) Version: (null) Company: (null) File Version: (null) Description: (null) Possible path: C:\WINDOWS\system32\DRIVERS\spgn.sys Warning: Driver file couldn't be found. 
178 ZwQueryVirtualMemory 805B76B0 179 ZwQueryVolumeInformationFile 8057AAEE 180 ZwQueueApcThread 805CFB40 181 ZwRaiseException 8054414C 182 ZwRaiseHardError 80612D4C 183 ZwReadFile 8057B28E 184 ZwReadFileScatter 8057B7F8 185 ZwReadRequestData 805A4940 186 ZwReadVirtualMemory 805B2D04 187 ZwRegisterThreadTerminatePort 805D0FEA 188 ZwReleaseMutant 80615830 189 ZwReleaseSemaphore 8061320A 190 ZwRemoveIoCompletion 80576BDC 191 ZwRemoveProcessDebug 806410EA 192 ZwRenameKey 80621B5A 193 ZwReplaceKey --[HOOKED]-- B87603B4 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3E68000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 194 ZwReplyPort 805A3FC0 195 ZwReplyWaitReceivePort 805A4F88 196 ZwReplyWaitReceivePortEx 805A4990 197 ZwReplyWaitReplyPort 805A42AA 198 ZwRequestDeviceWakeup 805C6F44 199 ZwRequestPort 805A151E 200 ZwRequestWaitReplyPort 805A184A 201 ZwRequestWakeupLatency 805C6D52 202 ZwResetEvent 8060D1F4 203 ZwResetWriteWatch 80520980 204 ZwRestoreKey --[HOOKED]-- B87603AF probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3E68000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: 
C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 205 ZwResumeProcess 805D332A 206 ZwResumeThread 805D320C 207 ZwSaveKey 806205DE 208 ZwSaveKeyEx 8062066E 209 ZwSaveMergedKeys 8062073A 210 ZwSecureConnectPort 805A2838 211 ZwSetBootEntryOrder 8061490A 212 ZwSetBootOptions 8061490A 213 ZwSetContextThread 805D0004 214 ZwSetDebugFilterState 80643DA2 215 ZwSetDefaultHardErrorPort 80612BF6 216 ZwSetDefaultLocale 8060ED3C 217 ZwSetDefaultUILanguage 8060F5AE 218 ZwSetEaFile 80579514 219 ZwSetEvent 8060D2B4 220 ZwSetEventBoostPriority 8060D37E 221 ZwSetHighEventPair 80615514 222 ZwSetHighWaitLowEventPair 80615444 223 ZwSetInformationDebugObject 80640AB4 224 ZwSetInformationFile 80579E38 225 ZwSetInformationJobObject 805D51BE 226 ZwSetInformationKey 80620ECE 227 ZwSetInformationObject 805C233C 228 ZwSetInformationProcess 805CC756 229 ZwSetInformationThread 805CA9DA 230 ZwSetInformationToken 805F874A 231 ZwSetIntervalProfile 8061597C 232 ZwSetIoCompletion 80576B7A 233 ZwSetLdtEntries 805D2156 234 ZwSetLowEventPair 806154B0 235 ZwSetLowWaitHighEventPair 806153D8 236 ZwSetQuotaInformationFile 8057A5E2 237 ZwSetSecurityObject 805BE9B8 238 ZwSetSystemEnvironmentValue 80614BAA 239 ZwSetSystemEnvironmentValueEx 806148E0 240 ZwSetSystemInformation 8060DC1A 241 ZwSetSystemPowerState 80650E26 242 ZwSetSystemTime 8061237A 243 ZwSetThreadExecutionState 805C6C66 244 ZwSetTimer 80537FDE 245 ZwSetTimerResolution 8061184C 246 ZwSetUuidSeed 806136C0 247 ZwSetValueKey --[HOOKED]-- B87603A0 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3E68000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible 
path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 248 ZwSetVolumeInformationFile 8057AEF8 249 ZwShutdownSystem 80610E6A 250 ZwSignalAndWaitForSingleObject 80525A60 251 ZwStartProfile 80615BC6 252 ZwStopProfile 80615D70 253 ZwSuspendProcess 805D32D4 254 ZwSuspendThread 805D3146 255 ZwSystemDebugControl 80615F94 256 ZwTerminateJobObject 805D5D52 257 ZwTerminateProcess --[HOOKED]-- B8760387 probably by C:\WINDOWS\system32\DRIVERS\avipbb.sys ------------------------------------------------------------------------------- Information for module avipbb.sys: ------------------------------------------------------------------------------- Index: 101 Base address: B3E68000 Size: 0001C000 Flags: 09104000 Load count: 1 Imagename: \SystemRoot\system32\DRIVERS\avipbb.sys Name: (null) Version: 9.00.00.00 Company: Avira GmbH File Version: 1.0.2.86 Description: Avira Driver for RootKit Detection Possible path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Signed: YES 258 ZwTerminateThread 805D142E 259 ZwTestAlert 805D3494 260 ZwTraceEvent 80534374 261 ZwTranslateFilePath 80614918 262 ZwUnloadDriver 80583042 263 ZwUnloadKey 80620ABC 264 ZwUnloadKeyEx 80620CAA 265 ZwUnlockFile 805784A4 266 ZwUnlockVirtualMemory 805B5922 267 ZwUnmapViewOfSection 805B188A 268 ZwVdmControl 805F9B02 269 ZwWaitForDebugEvent 8064081C 270 ZwWaitForMultipleObjects 805BF0DA 271 ZwWaitForSingleObject 805BEFF0 272 ZwWaitHighEventPair 80615374 273 ZwWaitLowEventPair 80615310 274 ZwWriteFile 8057BCF6 275 ZwWriteFileGather 8057C2DA 276 ZwWriteRequestData 805A4968 277 ZwWriteVirtualMemory 805B2E0E 278 ZwYieldExecution 80503FF4 279 ZwCreateKeyedEvent 806163EC 280 ZwOpenKeyedEvent 806164D6 281 ZwReleaseKeyedEvent 80616588 282 ZwWaitForKeyedEvent 806167E4 283 ZwQueryPortInformationProcess 805CA20E Number of Service Table entries hooked = 16 Number of Service Table entries patched = 0 15:39:22 - Performing check: "IDT hooks": IDT offset in kernel: 0x01F98F50 IDT address: 0x8003F400 (phys.: 0x0153F400) INT# SegType DPL 
ISR 000(00) IntG32 00 0008:80541420 001(01) IntG32 00 0008:8054159C 002(02) TaskG32 00 0058:80551896 003(03) IntG32 03 0008:805419B0 004(04) IntG32 03 0008:80541B30 005(05) IntG32 00 0008:80541C90 006(06) IntG32 00 0008:80541E04 007(07) IntG32 00 0008:8054247C 008(08) TaskG32 00 0050:80551888 009(09) IntG32 00 0008:80542880 010(0A) IntG32 00 0008:805429A0 011(0B) IntG32 00 0008:80542AE0 012(0C) IntG32 00 0008:80542D40 013(0D) IntG32 00 0008:8054302C 014(0E) IntG32 00 0008:80543740 015(0F) IntG32 00 0008:80543A78 016(10) IntG32 00 0008:80543B98 017(11) IntG32 00 0008:80543CD4 018(12) TaskG32 00 00A0:0ACA7CD0 (hooked) 019(13) IntG32 00 0008:80543E3C 020(14) IntG32 00 0008:80543A78 021(15) IntG32 00 0008:80543A78 022(16) IntG32 00 0008:80543A78 023(17) IntG32 00 0008:80543A78 024(18) IntG32 00 0008:80543A78 025(19) IntG32 00 0008:80543A78 026(1A) IntG32 00 0008:80543A78 027(1B) IntG32 00 0008:80543A78 028(1C) IntG32 00 0008:80543A78 029(1D) IntG32 00 0008:80543A78 030(1E) IntG32 00 0008:80543A78 031(1F) IntG32 00 0008:806E510C 032(20) Not present 033(21) Not present 034(22) Not present 035(23) Not present 036(24) Not present 037(25) Not present 038(26) Not present 039(27) Not present 040(28) Not present 041(29) Not present 042(2A) IntG32 03 0008:80540C4E 043(2B) IntG32 03 0008:80540D50 044(2C) IntG32 03 0008:80540F00 045(2D) IntG32 03 0008:8054188C 046(2E) IntG32 03 0008:805406D1 047(2F) IntG32 00 0008:80543A78 048(30) IntG32 00 0008:8053FD90 049(31) IntG32 00 0008:8053FD9A 050(32) IntG32 00 0008:8053FDA4 051(33) IntG32 00 0008:8053FDAE 052(34) IntG32 00 0008:8053FDB8 053(35) IntG32 00 0008:8053FDC2 054(36) IntG32 00 0008:8053FDCC 055(37) IntG32 00 0008:806E4864 056(38) IntG32 00 0008:8053FDE0 057(39) IntG32 00 0008:8053FDEA 058(3A) IntG32 00 0008:8053FDF4 059(3B) IntG32 00 0008:8053FDFE 060(3C) IntG32 00 0008:8053FE08 061(3D) IntG32 00 0008:806E5E2C 062(3E) IntG32 00 0008:8053FE1C 063(3F) IntG32 00 0008:8053FE26 064(40) IntG32 00 0008:8053FE30 065(41) IntG32 00 
0008:806E5C88 066(42) IntG32 00 0008:8053FE44 067(43) IntG32 00 0008:8053FE4E 068(44) IntG32 00 0008:8053FE58 069(45) IntG32 00 0008:8053FE62 070(46) IntG32 00 0008:8053FE6C 071(47) IntG32 00 0008:8053FE76 072(48) IntG32 00 0008:8053FE80 073(49) IntG32 00 0008:8053FE8A 074(4A) IntG32 00 0008:8053FE94 075(4B) IntG32 00 0008:8053FE9E 076(4C) IntG32 00 0008:8053FEA8 077(4D) IntG32 00 0008:8053FEB2 078(4E) IntG32 00 0008:8053FEBC 079(4F) IntG32 00 0008:8053FEC6 080(50) IntG32 00 0008:806E493C 081(51) IntG32 00 0008:8053FEDA 082(52) IntG32 00 0008:8053FEE4 083(53) IntG32 00 0008:8053FEEE 084(54) IntG32 00 0008:8053FEF8 085(55) IntG32 00 0008:8053FF02 086(56) IntG32 00 0008:8053FF0C 087(57) IntG32 00 0008:8053FF16 088(58) IntG32 00 0008:8053FF20 089(59) IntG32 00 0008:8053FF2A 090(5A) IntG32 00 0008:8053FF34 091(5B) IntG32 00 0008:8053FF3E 092(5C) IntG32 00 0008:8053FF48 093(5D) IntG32 00 0008:8053FF52 094(5E) IntG32 00 0008:8053FF5C 095(5F) IntG32 00 0008:8053FF66 096(60) IntG32 00 0008:8053FF70 097(61) IntG32 00 0008:8053FF7A 098(62) IntG32 00 0008:8A749BEC (hooked) 099(63) IntG32 00 0008:8A6AFBEC (hooked) 100(64) IntG32 00 0008:8053FF98 101(65) IntG32 00 0008:8053FFA2 102(66) IntG32 00 0008:8053FFAC 103(67) IntG32 00 0008:8053FFB6 104(68) IntG32 00 0008:8053FFC0 105(69) IntG32 00 0008:8053FFCA 106(6A) IntG32 00 0008:8053FFD4 107(6B) IntG32 00 0008:8053FFDE 108(6C) IntG32 00 0008:8053FFE8 109(6D) IntG32 00 0008:8053FFF2 110(6E) IntG32 00 0008:8053FFFC 111(6F) IntG32 00 0008:80540006 112(70) IntG32 00 0008:80540010 113(71) IntG32 00 0008:8054001A 114(72) IntG32 00 0008:80540024 115(73) IntG32 00 0008:8054002E 116(74) IntG32 00 0008:8A3AF894 (hooked) 117(75) IntG32 00 0008:80540042 118(76) IntG32 00 0008:8054004C 119(77) IntG32 00 0008:80540056 120(78) IntG32 00 0008:80540060 121(79) IntG32 00 0008:8054006A 122(7A) IntG32 00 0008:80540074 123(7B) IntG32 00 0008:8054007E 124(7C) IntG32 00 0008:80540088 125(7D) IntG32 00 0008:80540092 126(7E) IntG32 00 0008:8054009C 
127(7F) IntG32 00 0008:805400A6 128(80) IntG32 00 0008:805400B0 129(81) IntG32 00 0008:805400BA 130(82) IntG32 00 0008:8A67ABEC (hooked) 131(83) IntG32 00 0008:805400CE 132(84) IntG32 00 0008:8A2BC66C (hooked) 133(85) IntG32 00 0008:805400E2 134(86) IntG32 00 0008:805400EC 135(87) IntG32 00 0008:805400F6 136(88) IntG32 00 0008:80540100 137(89) IntG32 00 0008:8054010A 138(8A) IntG32 00 0008:80540114 139(8B) IntG32 00 0008:8054011E 140(8C) IntG32 00 0008:80540128 141(8D) IntG32 00 0008:80540132 142(8E) IntG32 00 0008:8054013C 143(8F) IntG32 00 0008:80540146 144(90) IntG32 00 0008:80540150 145(91) IntG32 00 0008:8054015A 146(92) IntG32 00 0008:8A4953BC (hooked) 147(93) IntG32 00 0008:8054016E 148(94) IntG32 00 0008:8A212BEC (hooked) 149(95) IntG32 00 0008:80540182 150(96) IntG32 00 0008:8054018C 151(97) IntG32 00 0008:80540196 152(98) IntG32 00 0008:805401A0 153(99) IntG32 00 0008:805401AA 154(9A) IntG32 00 0008:805401B4 155(9B) IntG32 00 0008:805401BE 156(9C) IntG32 00 0008:805401C8 157(9D) IntG32 00 0008:805401D2 158(9E) IntG32 00 0008:805401DC 159(9F) IntG32 00 0008:805401E6 160(A0) IntG32 00 0008:805401F0 161(A1) IntG32 00 0008:805401FA 162(A2) IntG32 00 0008:80540204 163(A3) IntG32 00 0008:8054020E 164(A4) IntG32 00 0008:8A2C3BEC (hooked) 165(A5) IntG32 00 0008:80540222 166(A6) IntG32 00 0008:8054022C 167(A7) IntG32 00 0008:80540236 168(A8) IntG32 00 0008:80540240 169(A9) IntG32 00 0008:8054024A 170(AA) IntG32 00 0008:80540254 171(AB) IntG32 00 0008:8054025E 172(AC) IntG32 00 0008:80540268 173(AD) IntG32 00 0008:80540272 174(AE) IntG32 00 0008:8054027C 175(AF) IntG32 00 0008:80540286 176(B0) IntG32 00 0008:80540290 177(B1) IntG32 00 0008:8A6B114C (hooked) 178(B2) IntG32 00 0008:805402A4 179(B3) IntG32 00 0008:805402AE 180(B4) IntG32 00 0008:8A2CD30C (hooked) 181(B5) IntG32 00 0008:805402C2 182(B6) IntG32 00 0008:805402CC 183(B7) IntG32 00 0008:805402D6 184(B8) IntG32 00 0008:805402E0 185(B9) IntG32 00 0008:805402EA 186(BA) IntG32 00 0008:805402F4 187(BB) IntG32 
00 0008:805402FE 188(BC) IntG32 00 0008:80540308 189(BD) IntG32 00 0008:80540312 190(BE) IntG32 00 0008:8054031C 191(BF) IntG32 00 0008:80540326 192(C0) IntG32 00 0008:80540330 193(C1) IntG32 00 0008:806E4AC0 194(C2) IntG32 00 0008:80540344 195(C3) IntG32 00 0008:8054034E 196(C4) IntG32 00 0008:80540358 197(C5) IntG32 00 0008:80540362 198(C6) IntG32 00 0008:8054036C 199(C7) IntG32 00 0008:80540376 200(C8) IntG32 00 0008:80540380 201(C9) IntG32 00 0008:8054038A 202(CA) IntG32 00 0008:80540394 203(CB) IntG32 00 0008:8054039E 204(CC) IntG32 00 0008:805403A8 205(CD) IntG32 00 0008:805403B2 206(CE) IntG32 00 0008:805403BC 207(CF) IntG32 00 0008:805403C6 208(D0) IntG32 00 0008:805403D0 209(D1) IntG32 00 0008:806E3E54 210(D2) IntG32 00 0008:805403E4 211(D3) IntG32 00 0008:805403EE 212(D4) IntG32 00 0008:805403F8 213(D5) IntG32 00 0008:80540402 214(D6) IntG32 00 0008:8054040C 215(D7) IntG32 00 0008:80540416 216(D8) IntG32 00 0008:80540420 217(D9) IntG32 00 0008:8054042A 218(DA) IntG32 00 0008:80540434 219(DB) IntG32 00 0008:8054043E 220(DC) IntG32 00 0008:80540448 221(DD) IntG32 00 0008:80540452 222(DE) IntG32 00 0008:8054045C 223(DF) IntG32 00 0008:80540466 224(E0) IntG32 00 0008:80540470 225(E1) IntG32 00 0008:806E5048 226(E2) IntG32 00 0008:80540484 227(E3) IntG32 00 0008:806E4DAC 228(E4) IntG32 00 0008:80540498 229(E5) IntG32 00 0008:805404A2 230(E6) IntG32 00 0008:805404AC 231(E7) IntG32 00 0008:805404B6 232(E8) IntG32 00 0008:805404C0 233(E9) IntG32 00 0008:805404CA 234(EA) IntG32 00 0008:805404D4 235(EB) IntG32 00 0008:805404DE 236(EC) IntG32 00 0008:805404E8 237(ED) IntG32 00 0008:805404F2 238(EE) IntG32 00 0008:805404F9 239(EF) IntG32 00 0008:80540500 240(F0) IntG32 00 0008:80540507 241(F1) IntG32 00 0008:8054050E 242(F2) IntG32 00 0008:80540515 243(F3) IntG32 00 0008:8054051C 244(F4) IntG32 00 0008:80540523 245(F5) IntG32 00 0008:8054052A 246(F6) IntG32 00 0008:80540531 247(F7) IntG32 00 0008:80540538 248(F8) IntG32 00 0008:8054053F 249(F9) IntG32 00 
0008:80540546 250(FA) IntG32 00 0008:8054054D 251(FB) IntG32 00 0008:80540554 252(FC) IntG32 00 0008:8054055B 253(FD) IntG32 00 0008:806E55A8 254(FE) IntG32 00 0008:806E5748 255(FF) IntG32 00 0008:80540570 15:39:30 - Performing check: "SYSENTER hook": SYSENTER offset in kernel: 0x004697A0 (=0x805407A0) SYSENTER EIP: 0008:805407A0 [OK] 15:39:30 - Performing check: "IAT hooks": PID 852 - C:\WINDOWS\System32\smss.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) PID 1076 - C:\WINDOWS\system32\csrss.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) CSRSRV.dll (75AE0000 - 75AEB000) basesrv.dll (75AF0000 - 75B00000) winsrv.dll (75B00000 - 75B4A000) USER32.dll (77D10000 - 77DA0000) KERNEL32.dll (7C800000 - 7C907000) GDI32.dll (77EF0000 - 77F38000) sxs.dll (76970000 - 76A21000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) PID 1100 - C:\WINDOWS\system32\winlogon.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) AUTHZ.dll (77690000 - 776A1000) msvcrt.dll (77BE0000 - 77C38000) CRYPT32.dll (77A50000 - 77AE5000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) MSASN1.dll (77AF0000 - 77B02000) NDdeApi.dll (758E0000 - 758E8000) PROFMAP.dll (758D0000 - 758DA000) NETAPI32.dll (597D0000 - 59824000) USERENV.dll (76620000 - 766D5000) PSAPI.DLL (76BB0000 - 76BBB000) REGAPI.dll (76B70000 - 76B7F000) SETUPAPI.dll (778F0000 - 779E4000) VERSION.dll (77BD0000 - 77BD8000) WINSTA.dll (76300000 - 76310000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) MSGINA.dll (75910000 - 75A09000) SHELL32.dll 
(7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (5D450000 - 5D4E7000) ODBC32.dll (745D0000 - 7460D000) comdlg32.dll (76350000 - 7639A000) comctl32.dll (773A0000 - 774A2000) odbcint.dll (20000000 - 20019000) SHSVCS.dll (776B0000 - 776D4000) sfc.dll (76B60000 - 76B65000) sfc_os.dll (76C20000 - 76C4A000) ole32.dll (774B0000 - 775EC000) Apphelp.dll (77B10000 - 77B32000) WINSCARD.DLL (72360000 - 7237C000) WTSAPI32.dll (76F10000 - 76F18000) sxs.dll (76970000 - 76A21000) WINMM.dll (76AF0000 - 76B1E000) uxtheme.dll (5AD70000 - 5ADA8000) cscdll.dll (765A0000 - 765BD000) WlNotify.dll (758F0000 - 7590B000) WINSPOOL.DRV (72F70000 - 72F96000) MPR.dll (71A80000 - 71A92000) rsaenh.dll (0FFD0000 - 0FFF8000) WgaLogon.dll (01290000 - 012D2000) OLEAUT32.dll (770F0000 - 7717C000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) iphlpapi.dll (76D20000 - 76D39000) AdobeDriveCS4_NP.dll(10000000 - 10013000) cscui.dll (779F0000 - 77A46000) wdmaud.drv (72C90000 - 72C99000) xpsp2res.dll (01630000 - 01909000) msacm32.drv (72C80000 - 72C88000) MSACM32.dll (77BB0000 - 77BC5000) midimap.dll (77BA0000 - 77BA7000) PID 1144 - C:\WINDOWS\system32\services.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) NCObjAPI.DLL (5FB60000 - 5FB6C000) MSVCP60.dll (76020000 - 76085000) SCESRV.dll (77B40000 - 77B93000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) USERENV.dll (76620000 - 766D5000) AUTHZ.dll (77690000 - 776A1000) umpnpmgr.dll (75850000 - 7586F000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) ShimEng.dll (5CF00000 - 
5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) Apphelp.dll (77B10000 - 77B32000) eventlog.dll (772D0000 - 772E1000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) PSAPI.DLL (76BB0000 - 76BBB000) DNSAPI.dll (76EE0000 - 76F07000) imagehlp.dll (76C50000 - 76C78000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) rsaenh.dll (0FFD0000 - 0FFF8000) wtsapi32.dll (76F10000 - 76F18000) mswsock.dll (719B0000 - 719F0000) iphlpapi.dll (76D20000 - 76D39000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) rasadhlp.dll (76F80000 - 76F86000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 1156 - C:\WINDOWS\system32\lsass.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) LSASRV.dll (753D0000 - 75486000) MPR.dll (71A80000 - 71A92000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) MSASN1.dll (77AF0000 - 77B02000) msvcrt.dll (77BE0000 - 77C38000) NETAPI32.dll (597D0000 - 59824000) NTDSAPI.dll (76750000 - 76763000) DNSAPI.dll (76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) SAMSRV.dll (743C0000 - 7442E000) cryptdll.dll (76740000 - 7674C000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll 
(770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) msprivs.dll (20000000 - 2000E000) kerberos.dll (71C70000 - 71CBB000) msv1_0.dll (77C40000 - 77C64000) iphlpapi.dll (76D20000 - 76D39000) netlogon.dll (74430000 - 74495000) w32time.dll (76770000 - 7679D000) MSVCP60.dll (76020000 - 76085000) schannel.dll (767A0000 - 767CD000) CRYPT32.dll (77A50000 - 77AE5000) wdigest.dll (7F000000 - 7F012000) rsaenh.dll (0FFD0000 - 0FFF8000) setupapi.dll (778F0000 - 779E4000) scecli.dll (74380000 - 743B0000) ipsecsvc.dll (74350000 - 74380000) AUTHZ.dll (77690000 - 776A1000) oakley.DLL (756C0000 - 7578E000) WINIPSEC.DLL (742E0000 - 742EB000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) pstorsvc.dll (74310000 - 7431B000) psbase.dll (74330000 - 7434B000) dssenh.dll (68100000 - 68124000) PID 1336 - C:\WINDOWS\system32\nvsvc32.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) USERENV.dll (76620000 - 766D5000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) POWRPROF.dll (74A50000 - 74A58000) SETUPAPI.dll (778F0000 - 779E4000) wtsapi32.dll (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) VERSION.dll (77BD0000 - 77BD8000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) comctl32.dll (773A0000 - 774A2000) nvapi.dll (00940000 - 00A4A000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll 
(77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) iphlpapi.dll (76D20000 - 76D39000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) uxtheme.dll (5AD70000 - 5ADA8000) Apphelp.dll (77B10000 - 77B32000) PID 1360 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) rpcss.dll (76A30000 - 76A94000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) Apphelp.dll (77B10000 - 77B32000) termsrv.dll (761D0000 - 76224000) ICAAPI.dll (74EF0000 - 74EF6000) SETUPAPI.dll (778F0000 - 779E4000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) AUTHZ.dll (77690000 - 776A1000) mstlsapi.dll (75090000 - 750AF000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) NETAPI32.dll (597D0000 - 
59824000) ATL.DLL (76AD0000 - 76AE1000) REGAPI.dll (76B70000 - 76B7F000) rsaenh.dll (0FFD0000 - 0FFF8000) PID 1408 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) rpcss.dll (76A30000 - 76A94000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) xpsp2res.dll (20000000 - 202D9000) rsaenh.dll (0FFD0000 - 0FFF8000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) DNSAPI.dll (76EE0000 - 76F07000) iphlpapi.dll (76D20000 - 76D39000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) rasadhlp.dll (76F80000 - 76F86000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) PID 1476 - C:\WINDOWS\System32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 
77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) shsvcs.dll (776B0000 - 776D4000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) dhcpcsvc.dll (76D40000 - 76D5E000) DNSAPI.dll (76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) iphlpapi.dll (76D20000 - 76D39000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) SETUPAPI.dll (778F0000 - 779E4000) schedsvc.dll (76B20000 - 76B53000) NTDSAPI.dll (76750000 - 76763000) IMAGEHLP.dll (76C50000 - 76C78000) WTSAPI32.dll (76F10000 - 76F18000) msv1_0.dll (77C40000 - 77C64000) cryptdll.dll (76740000 - 7674C000) MSIDLE.DLL (74ED0000 - 74ED5000) audiosrv.dll (70DC0000 - 70DCD000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) wkssvc.dll (76E00000 - 76E23000) cryptsvc.dll (76CD0000 - 76CE2000) certcli.dll (752D0000 - 75303000) ATL.DLL (76AD0000 - 76AE1000) CRYPTUI.dll (76880000 - 76905000) WININET.dll (77180000 - 77229000) ESENT.dll (5E200000 - 5E310000) dmserver.dll (74F10000 - 74F19000) es.dll (776E0000 - 77724000) hidserv.dll (68D80000 - 68D89000) HID.DLL (68D90000 - 68D99000) pchsvc.dll (74EC0000 - 74ECC000) ersvc.dll (74F00000 - 74F09000) rsaenh.dll (0FFD0000 - 0FFF8000) srvsvc.dll (75010000 - 7502A000) netman.dll (77CD0000 - 77D03000) netshell.dll (763A0000 - 7654B000) rtutils.dll (76E40000 - 76E4E000) credui.dll (76BC0000 - 76BEF000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) RASAPI32.dll (76EA0000 - 76EDC000) rasman.dll (76E50000 - 
76E62000) TAPI32.dll (76E70000 - 76E9F000) WZCSvc.DLL (775F0000 - 7765E000) WMI.dll (76CF0000 - 76CF4000) WZCSAPI.DLL (72FA0000 - 72FB0000) HNETCFG.DLL (66710000 - 66769000) sens.dll (72260000 - 7226D000) seclogon.dll (73C90000 - 73C98000) srsvc.dll (75120000 - 7514E000) POWRPROF.dll (74A50000 - 74A58000) trkwks.dll (74FF0000 - 75009000) w32time.dll (76770000 - 7679D000) MSVCP60.dll (76020000 - 76085000) wmisvc.dll (4F110000 - 4F138000) VSSAPI.DLL (75360000 - 753CD000) mswsock.dll (719B0000 - 719F0000) wuauserv.dll (50000000 - 50005000) wuaueng.dll (50040000 - 50219000) WINSPOOL.DRV (72F70000 - 72F96000) WINHTTP.dll (4D5C0000 - 4D619000) Cabinet.dll (750D0000 - 750E4000) mspatcha.dll (604A0000 - 604AB000) wshtcpip.dll (719F0000 - 719F8000) sfc.dll (76B60000 - 76B65000) sfc_os.dll (76C20000 - 76C4A000) browser.dll (772F0000 - 77305000) ipnathlp.dll (668D0000 - 66926000) AUTHZ.dll (77690000 - 776A1000) wscsvc.dll (4C170000 - 4C187000) msi.dll (745E0000 - 748A6000) Apphelp.dll (77B10000 - 77B32000) wbemcomn.dll (75210000 - 75247000) wbemcore.dll (76260000 - 762E5000) esscli.dll (75290000 - 752CF000) FastProx.dll (75620000 - 75696000) wbemsvc.dll (74E50000 - 74E5E000) wmiutils.dll (74FA0000 - 74FBC000) repdrvfs.dll (75180000 - 751AE000) wmiprvsd.dll (42BC0000 - 42C32000) NCObjAPI.DLL (5FB60000 - 5FB6C000) SXS.DLL (76970000 - 76A21000) wbemess.dll (75310000 - 75356000) comsvcs.dll (76090000 - 761CA000) MTXCLU.DLL (75070000 - 75083000) WSOCK32.dll (71A30000 - 71A3A000) colbact.DLL (750B0000 - 750C4000) CLUSAPI.DLL (76D60000 - 76D71000) RESUTILS.DLL (75030000 - 75042000) ncprov.dll (5FB30000 - 5FB3E000) wups2.dll (50F00000 - 50F0D000) rasadhlp.dll (76F80000 - 76F86000) netcfgx.dll (75580000 - 7561D000) upnp.dll (76DA0000 - 76DC3000) SSDPAPI.dll (74E80000 - 74E8C000) RASDLG.dll (754D0000 - 7557B000) rasmans.dll (723F0000 - 72420000) WINIPSEC.DLL (742E0000 - 742EB000) tapisrv.dll (73350000 - 7338F000) PSAPI.DLL (76BB0000 - 76BBB000) rastapi.dll (75490000 - 754A1000) 
urlmon.dll (7DF20000 - 7DFC3000) unimdm.tsp (58030000 - 58066000) uniplat.dll (71F90000 - 71F97000) kmddsp.tsp (580B0000 - 580BB000) ndptsp.tsp (58090000 - 580A0000) ipconf.tsp (580C0000 - 580C8000) h323.tsp (580E0000 - 58126000) hidphone.tsp (580D0000 - 580DA000) rasppp.dll (721D0000 - 72205000) ntlsapi.dll (72420000 - 72426000) kerberos.dll (71C70000 - 71CBB000) raschap.dll (76CA0000 - 76CB4000) rastls.dll (76B80000 - 76B9F000) SCHANNEL.dll (767A0000 - 767CD000) WinSCard.dll (72360000 - 7237C000) PID 1604 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) dnsrslvr.dll (76720000 - 7672D000) DNSAPI.dll (76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) iphlpapi.dll (76D20000 - 76D39000) rsaenh.dll (0FFD0000 - 0FFF8000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 1648 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 
6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) lmhsvc.dll (74BC0000 - 74BC6000) iphlpapi.dll (76D20000 - 76D39000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) regsvc.dll (76AA0000 - 76AB2000) ssdpsrv.dll (76910000 - 76924000) hnetcfg.dll (66710000 - 66769000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) mswsock.dll (719B0000 - 719F0000) wshtcpip.dll (719F0000 - 719F8000) rsaenh.dll (0FFD0000 - 0FFF8000) httpapi.dll (67A10000 - 67A1A000) WINHTTP.dll (4D5C0000 - 4D619000) PID 1724 - C:\WINDOWS\system32\spoolsv.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) SPOOLSS.DLL (74250000 - 74265000) WS2_32.dll (71A10000 - 71A27000) 
WS2HELP.dll (71A00000 - 71A08000) DNSAPI.dll (76EE0000 - 76F07000) iphlpapi.dll (76D20000 - 76D39000) rasadhlp.dll (76F80000 - 76F86000) localspl.dll (75E60000 - 75EB8000) sfc_os.dll (76C20000 - 76C4A000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) winspool.drv (72F70000 - 72F96000) netapi32.dll (597D0000 - 59824000) avmprmon.dll (00970000 - 00977000) cnbjmon.dll (74200000 - 7420F000) ZLhp1020.DLL (10000000 - 1001B000) ZLM.dll (00980000 - 00987000) pjlmon.dll (741E0000 - 741E7000) tcpmon.dll (72390000 - 7239F000) usbmon.dll (72380000 - 72387000) IMFPrint.DLL (715E0000 - 715ED000) Imf32.dll (71600000 - 71607000) ZTAG32.dll (715D0000 - 715D6000) ZSPOOL.dll (71130000 - 71145000) filterpipelineprintproc.dll(3F420000 - 3F43B000) mswsock.dll (719B0000 - 719F0000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) win32spl.dll (76550000 - 76573000) NETRAP.dll (71C00000 - 71C07000) NTDSAPI.dll (76750000 - 76763000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) inetpp.dll (74270000 - 74285000) xpsp2res.dll (20000000 - 202D9000) PID 1788 - C:\Programme\Avira\AntiVir Desktop\sched.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) IPHLPAPI.DLL (76D20000 - 76D39000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) MSVCR90.dll (78520000 - 785C3000) MSVCP90.dll (78480000 - 7850E000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) schedr.dll (10000000 - 10004000) WTSAPI32.DLL (76F10000 
- 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) rasapi32.dll (76EA0000 - 76EDC000) rasman.dll (76E50000 - 76E62000) TAPI32.dll (76E70000 - 76E9F000) rtutils.dll (76E40000 - 76E4E000) WINMM.dll (76AF0000 - 76B1E000) avevtlog.dll (00B90000 - 00BBE000) sqlite3.dll (00CF0000 - 00D43000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) xpsp2res.dll (20000000 - 202D9000) rsaenh.dll (0FFD0000 - 0FFF8000) userenv.dll (76620000 - 766D5000) cryptnet.dll (76580000 - 76593000) WLDAP32.dll (76F20000 - 76F4D000) WINHTTP.dll (4D5C0000 - 4D619000) SensApi.dll (72240000 - 72245000) PID 1828 - C:\WINDOWS\system32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) webclnt.dll (5AA50000 - 5AA65000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) wsock32.dll (71A30000 - 71A3A000) PID 1888 - C:\Programme\Avira\AntiVir Desktop\avguard.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) 
kernel32.dll (7C800000 - 7C907000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) MSVCR90.dll (78520000 - 785C3000) MSVCP90.dll (78480000 - 7850E000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) msvcrt.dll (77BE0000 - 77C38000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) WTSAPI32.DLL (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) AVEvtLog.dll (10000000 - 1002E000) guardmsg.dll (00BF0000 - 00BF9000) sqlite3.dll (00C10000 - 00C63000) AVPREF.DLL (00D80000 - 00D8D000) SMTPLIB.DLL (00DA0000 - 00DAB000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) wintrust.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) AVGIO.DLL (01000000 - 01016000) FLTLIB.DLL (5E160000 - 5E168000) aecore.dll (01030000 - 01060000) aevdf.dll (01070000 - 0108B000) aescript.dll (013D0000 - 0150A000) aescn.dll (01510000 - 01530000) aesbx.dll (01530000 - 0156F000) aerdl.dll (01580000 - 01606000) aepack.dll (01620000 - 0168D000) unacev2.dll (016A0000 - 016EB000) aeoffice.dll (01700000 - 01733000) aeheur.dll (01750000 - 019B4000) aehelp.dll (019D0000 - 01A0D000) aegen.dll (01A20000 - 01A7D000) aeemu.dll (01A90000 - 01AF1000) aebb.dll (01B10000 - 01B1E000) avipc.dll (01CA0000 - 01CB2000) PID 1900 - C:\Programme\Bonjour\mDNSResponder.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) IPHLPAPI.DLL (76D20000 - 76D39000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 
77F38000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) rsaenh.dll (0FFD0000 - 0FFF8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) NETAPI32.dll (597D0000 - 59824000) WLDAP32.dll (76F20000 - 76F4D000) ATL.DLL (76AD0000 - 76AE1000) rtutils.dll (76E40000 - 76E4E000) SAMLIB.dll (71B70000 - 71B83000) SETUPAPI.dll (778F0000 - 779E4000) PID 1944 - C:\Programme\Hotspot Shield\bin\openvpnas.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) libcurl.dll (6B240000 - 6B2AF000) msvcrt.dll (77BE0000 - 77C38000) wldap32.dll (76F20000 - 76F4D000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) WS2_32.DLL (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) libidn-11.dll (69540000 - 69586000) libeay32.dll (61D80000 - 61EA8000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) WSOCK32.DLL (71A30000 - 71A3A000) libssl32.dll (6B080000 - 6B0BD000) WINMM.DLL (76AF0000 - 76B1E000) IPHLPAPI.DLL (76D20000 - 76D39000) SHELL32.DLL (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) USERENV.dll (76620000 - 766D5000) PID 2028 - C:\Programme\Hotspot Shield\HssWPR\hsssrv.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WSOCK32.dll (71A30000 - 71A3A000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll 
(71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) OLEAUT32.dll (770F0000 - 7717C000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ole32.dll (774B0000 - 775EC000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) SHLWAPI.dll (77F40000 - 77FB6000) SHELL32.dll (7E670000 - 7EE90000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) Iphlpapi.dll (76D20000 - 76D39000) USERENV.dll (76620000 - 766D5000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) VERSION.dll (77BD0000 - 77BD8000) msxml3.dll (74900000 - 74A23000) urlmon.dll (7DF20000 - 7DFC3000) mlang.dll (75DC0000 - 75E51000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) NETAPI32.dll (597D0000 - 59824000) WLDAP32.dll (76F20000 - 76F4D000) ATL.DLL (76AD0000 - 76AE1000) rtutils.dll (76E40000 - 76E4E000) SAMLIB.dll (71B70000 - 71B83000) SETUPAPI.dll (778F0000 - 779E4000) PID 2040 - C:\Programme\Hotspot Shield\bin\hsswd.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) SHELL32.dll (7E670000 - 7EE90000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) OLEAUT32.dll (770F0000 - 7717C000) ole32.dll (774B0000 - 775EC000) PSAPI.DLL (76BB0000 - 76BBB000) curllib.dll (10000000 - 10032000) SSLEAY32.dll (00340000 - 00373000) LIBEAY32.dll (61D80000 - 61EA8000) WSOCK32.DLL (71A30000 - 71A3A000) MSVCR90.dll (78520000 - 785C3000) OpenLDAP.dll (00390000 - 
003AB000) libsasl.dll (003B0000 - 003C3000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) Iphlpapi.dll (76D20000 - 76D39000) USERENV.dll (76620000 - 766D5000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 156 - C:\Programme\FRITZ!DSL\IGDCTRL.EXE ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) avmcsock.dll (10000000 - 10043000) WSOCK32.dll (71A30000 - 71A3A000) WS2_32.dll (71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) MSVCR71.dll (7C340000 - 7C396000) avmigd.dll (00330000 - 00337000) upnpapicli.dll (00340000 - 0036B000) avmufc.dll (00370000 - 0037A000) MFC71.DLL (7C140000 - 7C243000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (773A0000 - 774A2000) igdapi.dll (00380000 - 00391000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) MFC71DEU.DLL (5D360000 - 5D370000) avmssl.dll (01E30000 - 01E37000) SSLEAY32.dll (01E40000 - 01E70000) LIBEAY32.dll (01F80000 - 0207B000) mswsock.dll (719B0000 - 719F0000) DNSAPI.dll (76EE0000 - 76F07000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) VERSION.dll (77BD0000 - 77BD8000) AVMCONN.DLL (021D0000 - 021EA000) iphlpapi.dll (76D20000 - 76D39000) SXS.DLL (76970000 - 76A21000) winrnr.dll (76F70000 - 76F78000) WLDAP32.dll (76F20000 - 76F4D000) mdnsNSP.dll (16080000 - 160A5000) rasadhlp.dll (76F80000 - 76F86000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) uxtheme.dll (5AD70000 - 5ADA8000) PID 192 - C:\Programme\Java\jre6\bin\jqs.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WS2_32.dll 
(71A10000 - 71A27000) msvcrt.dll (77BE0000 - 77C38000) WS2HELP.dll (71A00000 - 71A08000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ole32.dll (774B0000 - 775EC000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) MSVCR71.dll (7C340000 - 7C396000) psapi.dll (76BB0000 - 76BBB000) pdh.dll (74C30000 - 74C87000) comdlg32.dll (76350000 - 7639A000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) ODBC32.dll (745D0000 - 7460D000) odbcbcp.dll (66B40000 - 66B46000) VERSION.dll (77BD0000 - 77BD8000) OLEAUT32.dll (770F0000 - 7717C000) comctl32.dll (773A0000 - 774A2000) odbcint.dll (20000000 - 20019000) mswsock.dll (719B0000 - 719F0000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) netfxperf.dll (79FD0000 - 79FD8000) mscoree.dll (79000000 - 79046000) perfcounter.dll (640D0000 - 640E6000) MSVCR80.dll (78130000 - 781CB000) mscorwks.dll (00DF0000 - 01380000) CorperfmonExt.dll (60310000 - 60327000) aspnet_perf.dll (60080000 - 60089000) aspnet_isapi.dll (79E60000 - 79EA2000) USERENV.dll (76620000 - 766D5000) query.dll (7D9B0000 - 7DB17000) msdtcuiu.DLL (61070000 - 6109B000) ATL.DLL (76AD0000 - 76AE1000) MFC42u.DLL (727A0000 - 7289E000) MPR.dll (71A80000 - 71A92000) MSDTCPRX.dll (6DA00000 - 6DA6D000) MSVCP60.dll (76020000 - 76085000) MTXCLU.DLL (75070000 - 75083000) COMRes.dll (77010000 - 770E3000) WSOCK32.dll (71A30000 - 71A3A000) NETAPI32.dll (597D0000 - 59824000) MFC42LOC.DLL (61DC0000 - 61DCE000) CLUSAPI.DLL (76D60000 - 76D71000) RESUTILS.DLL (75030000 - 75042000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) perfdisk.dll (5EB60000 - 5EB69000) perfnet.dll (5EB50000 - 5EB58000) perfos.dll (5EB30000 - 5EB3A000) perfproc.dll (5EB20000 - 5EB2D000) pschdprf.dll (5E5B0000 - 5E5B6000) TRAFFIC.dll (73500000 - 7350B000) 
iphlpapi.dll (76D20000 - 76D39000) WMI.dll (76CF0000 - 76CF4000) rsvpperf.dll (5D7C0000 - 5D7C6000) winspool.drv (72F70000 - 72F96000) tapiperf.dll (5BB60000 - 5BB65000) Perfctrs.dll (5EB70000 - 5EB7D000) MPRAPI.dll (76D00000 - 76D18000) ACTIVEDS.dll (77C90000 - 77CC3000) adsldpc.dll (76DD0000 - 76DF5000) rtutils.dll (76E40000 - 76E4E000) SETUPAPI.dll (778F0000 - 779E4000) perfts.dll (5EB10000 - 5EB16000) WINSTA.dll (76300000 - 76310000) UTILDLL.dll (5B130000 - 5B13A000) TAPI32.dll (76E70000 - 76E9F000) WINMM.dll (76AF0000 - 76B1E000) wmiaprpl.dll (59D20000 - 59D39000) loadperf.dll (72ED0000 - 72EEC000) wbemcomn.dll (75210000 - 75247000) PID 284 - C:\Programme\Sitecom\Common\RegistryWriter.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) SETUPAPI.dll (778F0000 - 779E4000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) PID 472 - C:\Programme\iZ3D Driver\Win32\S3DCService.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) WINMM.dll (76AF0000 - 76B1E000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) SHLWAPI.dll (77F40000 - 77FB6000) msvcrt.dll (77BE0000 - 77C38000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) VERSION.dll (77BD0000 - 77BD8000) PID 540 - C:\WINDOWS\system32\svchost.exe 
------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) wiaservc.dll (75B50000 - 75BA5000) CFGMGR32.dll (74A60000 - 74A67000) setupapi.DLL (778F0000 - 779E4000) mscms.dll (73AA0000 - 73AB5000) WINSPOOL.DRV (72F70000 - 72F96000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) WINTRUST.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) actxprxy.dll (71CC0000 - 71CDC000) sti.dll (73B10000 - 73B24000) PID 1036 - C:\WINDOWS\System32\alg.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ATL.DLL (76AD0000 - 76AE1000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) WSOCK32.dll (71A30000 - 71A3A000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) MSWSOCK.DLL (719B0000 - 719F0000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL 
(6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) xpsp2res.dll (20000000 - 202D9000) hnetcfg.dll (66710000 - 66769000) wshtcpip.dll (719F0000 - 719F8000) PID 1276 - C:\WINDOWS\system32\wbem\wmiprvse.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) wbemcomn.dll (75210000 - 75247000) OLEAUT32.dll (770F0000 - 7717C000) ole32.dll (774B0000 - 775EC000) FastProx.dll (75620000 - 75696000) MSVCP60.dll (76020000 - 76085000) NTDSAPI.dll (76750000 - 76763000) DNSAPI.dll (76EE0000 - 76F07000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) WLDAP32.dll (76F20000 - 76F4D000) NETAPI32.dll (597D0000 - 59824000) NCObjAPI.DLL (5FB60000 - 5FB6C000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) wbemsvc.dll (74E50000 - 74E5E000) wmiutils.dll (74FA0000 - 74FBC000) esscli.dll (75290000 - 752CF000) wmiprov.dll (72E90000 - 72EB8000) WMI.dll (76CF0000 - 76CF4000) PID 2364 - C:\WINDOWS\Explorer.EXE 
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff:
Address   New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched. Here is the diff:
Address   New-Original
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO!
< ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) SHLWAPI.dll (77F40000 - 77FB6000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) OLEAUT32.dll (770F0000 - 7717C000) BROWSEUI.dll (75F20000 - 7601D000) SHDOCVW.dll (7E1E0000 - 7E352000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) CRYPTUI.dll (76880000 - 76905000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) NETAPI32.dll (597D0000 - 59824000) WININET.dll (77180000 - 77229000) WLDAP32.dll (76F20000 - 76F4D000) VERSION.dll (77BD0000 - 77BD8000) UxTheme.dll (5AD70000 - 5ADA8000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) MSACM32.dll (77BB0000 - 77BC5000) USERENV.dll (76620000 - 766D5000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) S3DInjector.dll (10000000 - 10023000) appHelp.dll (77B10000 - 77B32000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) cscui.dll (779F0000 - 77A46000) CSCDLL.dll (765A0000 - 765BD000) themeui.dll (5B9B0000 - 5BA22000) MSIMG32.dll (76320000 - 76325000) xpsp2res.dll (20000000 - 202D9000) msutb.dll (60010000 - 60043000) MSCTF.dll (746A0000 - 746EB000) SAMLIB.dll (71B70000 - 71B83000) ntshrui.dll (76940000 - 76966000) ATL.DLL (76AD0000 - 76AE1000) LINKINFO.dll (76930000 - 76938000) SETUPAPI.dll (778F0000 - 779E4000) urlmon.dll (7DF20000 - 7DFC3000) NETSHELL.dll (763A0000 - 7654B000) rtutils.dll (76E40000 - 76E4E000) credui.dll (76BC0000 - 76BEF000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) iphlpapi.dll (76D20000 - 76D39000) msi.dll (016E0000 - 019A6000) rsaenh.dll (0FFD0000 - 0FFF8000) WINSTA.dll (76300000 - 76310000) webcheck.dll (74AB0000 - 
74AF8000) WSOCK32.dll (71A30000 - 71A3A000) stobject.dll (765C0000 - 765E1000) BatMeter.dll (74A70000 - 74A7A000) POWRPROF.dll (74A50000 - 74A58000) WTSAPI32.dll (76F10000 - 76F18000) WPDShServiceObj.dll (164A0000 - 164C3000) WINHTTP.dll (4D5C0000 - 4D619000) mydocs.dll (723A0000 - 723BA000) PortableDeviceTypes.dll(109C0000 - 109EC000) PortableDeviceApi.dll(10930000 - 10979000) wdmaud.drv (72C90000 - 72C99000) msacm32.drv (72C80000 - 72C88000) midimap.dll (77BA0000 - 77BA7000) WZCSAPI.DLL (72FA0000 - 72FB0000) wzcdlg.dll (4F4A0000 - 4F4FF000) MPR.dll (71A80000 - 71A92000) AdobeDriveCS4_NP.dll(00BB0000 - 00BC3000) drprov.dll (75F00000 - 75F07000) ntlanman.dll (71B90000 - 71B9E000) NETUI0.dll (71C50000 - 71C67000) NETUI1.dll (71C10000 - 71C50000) NETRAP.dll (71C00000 - 71C07000) davclnt.dll (75F10000 - 75F19000) WINSPOOL.DRV (72F70000 - 72F96000) comdlg32.dll (76350000 - 7639A000) MSVCR90.dll (78520000 - 785C3000) browselc.dll (01400000 - 01413000) SDHelper.dll (02760000 - 02936000) faultrep.dll (69900000 - 69916000) olepro32.dll (5F1A0000 - 5F1B7000) jsproxy.dll (65F40000 - 65F47000) DUSER.dll (6C670000 - 6C6BD000) MSGINA.dll (75910000 - 75A09000) ODBC32.dll (745D0000 - 7460D000) odbcint.dll (03910000 - 03929000) sti.dll (73B10000 - 73B24000) CFGMGR32.dll (74A60000 - 74A67000) MLANG.dll (75DC0000 - 75E51000) shdoclc.dll (030B0000 - 0313E000) shlxthdl.dll (5EE60000 - 5EEBF000) gdiplus.dll (4EBA0000 - 4ED4B000) stlport_vc7145.dll (5E470000 - 5E507000) PDFShell.dll (032E0000 - 0333B000) MSVCR80.dll (78130000 - 781CB000) PDFShell.DEU (03340000 - 0338C000) ADFSMenu.dll (03440000 - 03587000) BIB.dll (035A0000 - 035EA000) VersionCue.DLL (61800000 - 6195B000) nvcpl.dll (03A30000 - 04674000) NVRSDE.DLL (03760000 - 037A4000) NTMARTA.DLL (77660000 - 77681000) nvshell.dll (04680000 - 046F3000) mscms.dll (73AA0000 - 73AB5000) MSVFW32.dll (75EC0000 - 75EE1000) qedit.dll (66B80000 - 66C0C000) quartz.dll (74790000 - 748FE000) devenum.dll (765F0000 - 76601000) msdmo.dll (73620000 - 
73627000) VSFilter.dll (02450000 - 02548000) AviSplitter.ax (05400000 - 05461000) oggsplitter.ax (033D0000 - 0341B000) wmpasf.dll (133D0000 - 1340F000) dxmasf.dll (6C410000 - 6C48E000) DRMClien.DLL (04F50000 - 04F9F000) DivXMedia.ax (05470000 - 054C6000) MSVCP60.dll (76020000 - 76085000) mpg2splt.ax (58340000 - 58367000) RealMediaSplitter.ax(054D0000 - 0553E000) MatroskaSplitter.ax (05540000 - 055B1000) msxml5.dll (78800000 - 7895C000)
PID 2508 - C:\Programme\Avira\AntiVir Desktop\avgnt.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff:
Address   New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 003D0000
Size: 00023000
Flags: 802C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched. Here is the diff:
Address   New-Original
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90:
Base address: 003D0000
Size: 00023000
Flags: 802C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
kernel32.dll (7C800000 - 7C907000) mfc90u.dll (789E0000 - 78D81000) MSVCR90.dll (78520000 - 785C3000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) SHLWAPI.dll (77F40000 - 77FB6000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) COMCTL32.dll (773A0000 - 774A2000) MSIMG32.dll (76320000 - 76325000) SHELL32.dll (7E670000 - 7EE90000) cclib.dll (10000000 - 10038000) VERSION.dll (77BD0000 - 77BD8000) MSVCP90.dll (78480000 - 7850E000) UxTheme.dll (5AD70000 - 5ADA8000) MFC90DEU.DLL (5D360000 - 5D36F000) S3DInjector.dll (003D0000 - 003F3000) ccgen.dll (00BA0000 - 00C10000) ole32.dll (774B0000 - 775EC000) ccgenrc.dll (00B60000 - 00B69000) ccguard.dll (00C10000 - 00C4A000) ccgrdrc.dll (00C70000 - 00C78000) avipc.dll (00C90000 - 00CA2000) ccupdate.dll (00CC0000 - 00CEC000) ccupdrc.dll (00D10000 - 00D16000) cclic.dll (00D30000 - 00D41000) cclicrc.dll (00D70000 - 00D73000) ccmsg.dll (00D90000 - 00DBD000) wtsapi32.dll (76F10000 - 76F18000) WINSTA.dll (76300000 - 76310000) NETAPI32.dll (597D0000 - 59824000)
PID 2528 - C:\Programme\Java\jre6\bin\jusched.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff:
Address   New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched. Here is the diff:
Address   New-Original
7C926C83: FF - 68
7C926C84: 25 - C4
7C926C85: 1E - 00
7C926C87: 6E - 00
7C926C88: 71 - 68
--> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90:
Base address: 10000000
Size: 00023000
Flags: 800C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) WININET.dll (77180000 - 77229000) CRYPT32.dll (77A50000 - 77AE5000) msvcrt.dll (77BE0000 - 77C38000) MSASN1.dll (77AF0000 - 77B02000) OLEAUT32.dll (770F0000 - 7717C000) ole32.dll (774B0000 - 775EC000) SHLWAPI.dll (77F40000 - 77FB6000) SHELL32.dll (7E670000 - 7EE90000) comctl32.dll (773A0000 - 774A2000) comctl32.dll (5D450000 - 5D4E7000) S3DInjector.dll (10000000 - 10023000) uxtheme.dll (5AD70000 - 5ADA8000)
PID 2788 - C:\Programme\Sitecom\Common\RaUI.exe
-------------------------------------------------------------------------------
ntdll.dll (7C910000 - 7C9C9000)
The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff:
Address   New-Original
7C925CBB: FF - 68
7C925CBC: 25 - 6C
7C925CBD: 1E - 02
7C925CBF: 6B - 00
7C925CC0: 71 - 68
--> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A
Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0:
Base address: 00B20000
Size: 00023000
Flags: 802C4004
Load count: 1
Name: iZ3D Driver
Prod. Version: 1.99.0038
Company: iZ3D Inc.
File Version: 1.0.151.2547
Description: S3DInjector
Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll
Signed: > NO! <
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LdrUnloadDll at 7C926C83 (0) got patched.
Here is the diff: Address New-Original 7C926C83: FF - 68 7C926C84: 25 - C4 7C926C85: 1E - 00 7C926C87: 6E - 00 7C926C88: 71 - 68 --> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90: Base address: 00B20000 Size: 00023000 Flags: 802C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! < ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: kernel32.dll (7C800000 - 7C907000) NETAPI32.dll (597D0000 - 59824000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) CRYPT32.dll (77A50000 - 77AE5000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) MSASN1.dll (77AF0000 - 77B02000) acAuth.dll (10000000 - 10122000) SETUPAPI.dll (778F0000 - 779E4000) iphlpapi.dll (76D20000 - 76D39000) ole32.dll (774B0000 - 775EC000) SHLWAPI.dll (77F40000 - 77FB6000) VERSION.dll (77BD0000 - 77BD8000) comdlg32.dll (76350000 - 7639A000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) WINSPOOL.DRV (72F70000 - 72F96000) oledlg.dll (74CB0000 - 74CD1000) OLEAUT32.dll (770F0000 - 7717C000) WINMM.dll (76AF0000 - 76B1E000) comctl32.dll (773A0000 - 774A2000) S3DInjector.dll (00B20000 - 00B43000) uxtheme.dll (5AD70000 - 5ADA8000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) xpsp2res.dll (20000000 - 202D9000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) wbemprox.dll (74E70000 - 74E78000) wbemcomn.dll (75210000 - 75247000) wbemsvc.dll (74E50000 - 74E5E000) 
fastprox.dll (75620000 - 75696000) MSVCP60.dll (76020000 - 76085000) NTDSAPI.dll (76750000 - 76763000) DNSAPI.dll (76EE0000 - 76F07000) WLDAP32.dll (76F20000 - 76F4D000) rsaenh.dll (0FFD0000 - 0FFF8000) DHCPCSVC.DLL (76D40000 - 76D5E000) PID 2268 - C:\WINDOWS\system32\wuauclt.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff: Address New-Original 7C925CBB: FF - 68 7C925CBC: 25 - 6C 7C925CBD: 1E - 02 7C925CBF: 6B - 00 7C925CC0: 71 - 68 --> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0: Base address: 10000000 Size: 00023000 Flags: 800C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! < ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of LdrUnloadDll at 7C926C83 (0) got patched. Here is the diff: Address New-Original 7C926C83: FF - 68 7C926C84: 25 - C4 7C926C85: 1E - 00 7C926C87: 6E - 00 7C926C88: 71 - 68 --> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90: Base address: 10000000 Size: 00023000 Flags: 800C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! 
< ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) ole32.dll (774B0000 - 775EC000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) OLEAUT32.dll (770F0000 - 7717C000) SHLWAPI.dll (77F40000 - 77FB6000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) WINMM.dll (76AF0000 - 76B1E000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) S3DInjector.dll (10000000 - 10023000) wucltui.dll (507E0000 - 50832000) MSIMG32.dll (76320000 - 76325000) Cabinet.dll (750D0000 - 750E4000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) WINTRUST.dll (76BF0000 - 76C1E000) IMAGEHLP.dll (76C50000 - 76C78000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) xpsp2res.dll (20000000 - 202D9000) wups2.dll (50F00000 - 50F0D000) wuaucpl.cpl (508E0000 - 50917000) mucltui.dll (509E0000 - 50A25000) PID 2728 - C:\WINDOWS\System32\svchost.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) ShimEng.dll (5CF00000 - 5CF26000) AcGenral.DLL (6FD90000 - 6FF5A000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) WINMM.dll (76AF0000 - 76B1E000) ole32.dll (774B0000 - 775EC000) msvcrt.dll (77BE0000 - 77C38000) OLEAUT32.dll (770F0000 - 7717C000) MSACM32.dll (77BB0000 - 77BC5000) VERSION.dll (77BD0000 - 77BD8000) SHELL32.dll (7E670000 - 7EE90000) SHLWAPI.dll (77F40000 - 77FB6000) USERENV.dll (76620000 - 766D5000) UxTheme.dll (5AD70000 - 5ADA8000) comctl32.dll (773A0000 - 774A2000) 
comctl32.dll (5D450000 - 5D4E7000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) xpsp2res.dll (20000000 - 202D9000) w3ssl.dll (5AE00000 - 5AE07000) strmfilt.dll (66E40000 - 66E56000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) HTTPAPI.dll (67A10000 - 67A1A000) WS2_32.dll (71A10000 - 71A27000) WS2HELP.dll (71A00000 - 71A08000) PID 3348 - C:\WINDOWS\system32\wscntfy.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff: Address New-Original 7C925CBB: FF - 68 7C925CBC: 25 - 6C 7C925CBD: 1E - 02 7C925CBF: 6B - 00 7C925CC0: 71 - 68 --> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0: Base address: 10000000 Size: 00023000 Flags: 800C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! < ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of LdrUnloadDll at 7C926C83 (0) got patched. Here is the diff: Address New-Original 7C926C83: FF - 68 7C926C84: 25 - C4 7C926C85: 1E - 00 7C926C87: 6E - 00 7C926C88: 71 - 68 --> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90: Base address: 10000000 Size: 00023000 Flags: 800C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. 
File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! < ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: kernel32.dll (7C800000 - 7C907000) msvcrt.dll (77BE0000 - 77C38000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) SHELL32.dll (7E670000 - 7EE90000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) SHLWAPI.dll (77F40000 - 77FB6000) comctl32.dll (773A0000 - 774A2000) S3DInjector.dll (10000000 - 10023000) xpsp2res.dll (20000000 - 202D9000) uxtheme.dll (5AD70000 - 5ADA8000) Apphelp.dll (77B10000 - 77B32000) VERSION.dll (77BD0000 - 77BD8000) PID 3024 - E:\mp3player\radix_installer\radixgui.exe ------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) kernel32.dll (7C800000 - 7C907000) USER32.dll (77D10000 - 77DA0000) GDI32.dll (77EF0000 - 77F38000) comdlg32.dll (76350000 - 7639A000) SHLWAPI.dll (77F40000 - 77FB6000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) msvcrt.dll (77BE0000 - 77C38000) COMCTL32.dll (5D450000 - 5D4E7000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) VERSION.dll (77BD0000 - 77BD8000) dbghelp.dll (59DD0000 - 59E71000) comctl32.dll (773A0000 - 774A2000) S3DInjector.dll (10000000 - 10023000) wintrust.dll (76BF0000 - 76C1E000) CRYPT32.dll (77A50000 - 77AE5000) MSASN1.dll (77AF0000 - 77B02000) IMAGEHLP.dll (76C50000 - 76C78000) NTMARTA.DLL (77660000 - 77681000) WLDAP32.dll (76F20000 - 76F4D000) SAMLIB.dll (71B70000 - 71B83000) uxtheme.dll (5AD70000 - 5ADA8000) xpsp2res.dll (20000000 - 202D9000) rsaenh.dll (0FFD0000 - 0FFF8000) userenv.dll (76620000 - 766D5000) netapi32.dll (597D0000 - 59824000) cryptnet.dll (76580000 - 76593000) WINHTTP.dll (4D5C0000 - 4D619000) SensApi.dll (72240000 - 72245000) PID 3112 - C:\Programme\Windows NT\Zubehör\wordpad.exe 
------------------------------------------------------------------------------- ntdll.dll (7C910000 - 7C9C9000) The code of LdrLoadDll at 7C925CBB (0) got patched. Here is the diff: Address New-Original 7C925CBB: FF - 68 7C925CBC: 25 - 6C 7C925CBD: 1E - 02 7C925CBF: 6B - 00 7C925CC0: 71 - 68 --> JMP DWORD PTR DS:[716B001E] --> JMP 716C000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1BA0: Base address: 10000000 Size: 00023000 Flags: 800C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! < ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: The code of LdrUnloadDll at 7C926C83 (0) got patched. Here is the diff: Address New-Original 7C926C83: FF - 68 7C926C84: 25 - C4 7C926C85: 1E - 00 7C926C87: 6E - 00 7C926C88: 71 - 68 --> JMP DWORD PTR DS:[716E001E] --> JMP 716F000A Patched by C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Information about C:\Programme\iZ3D Driver\Win32\S3DInjector.dll!Disable3DDriver+0x1C90: Base address: 10000000 Size: 00023000 Flags: 800C4004 Load count: 1 Name: iZ3D Driver Prod. Version: 1.99.0038 Company: iZ3D Inc. File Version: 1.0.151.2547 Description: S3DInjector Location: C:\Programme\iZ3D Driver\Win32\S3DInjector.dll Signed: > NO! 
< ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: kernel32.dll (7C800000 - 7C907000) MFC42u.DLL (727A0000 - 7289E000) msvcrt.dll (77BE0000 - 77C38000) GDI32.dll (77EF0000 - 77F38000) USER32.dll (77D10000 - 77DA0000) ADVAPI32.dll (77DA0000 - 77E4A000) RPCRT4.dll (77E50000 - 77EE2000) Secur32.dll (77FC0000 - 77FD1000) comdlg32.dll (76350000 - 7639A000) SHLWAPI.dll (77F40000 - 77FB6000) COMCTL32.dll (773A0000 - 774A2000) SHELL32.dll (7E670000 - 7EE90000) ole32.dll (774B0000 - 775EC000) MFC42LOC.DLL (61DC0000 - 61DCE000) S3DInjector.dll (10000000 - 10023000) uxtheme.dll (5AD70000 - 5ADA8000) MSFTEDIT.DLL (4B4D0000 - 4B556000) WINSPOOL.DRV (72F70000 - 72F96000) unidrvui.dll (7E5A0000 - 7E65A000) VERSION.dll (77BD0000 - 77BD8000) OLEAUT32.dll (770F0000 - 7717C000) CLBCATQ.DLL (76F90000 - 7700F000) COMRes.dll (77010000 - 770E3000) mxdwdrv.dll (3F500000 - 3F5C0000) FontSub.dll (697C0000 - 697D7000) xpsp2res.dll (20000000 - 202D9000) appHelp.dll (77B10000 - 77B32000) SETUPAPI.dll (778F0000 - 779E4000) ntshrui.dll (76940000 - 76966000) ATL.DLL (76AD0000 - 76AE1000) NETAPI32.dll (597D0000 - 59824000) USERENV.dll (76620000 - 766D5000) LINKINFO.dll (76930000 - 76938000) MPR.dll (71A80000 - 71A92000) AdobeDriveCS4_NP.dll(00EE0000 - 00EF3000) drprov.dll (75F00000 - 75F07000) ntlanman.dll (71B90000 - 71B9E000) NETUI0.dll (71C50000 - 71C67000) NETUI1.dll (71C10000 - 71C50000) NETRAP.dll (71C00000 - 71C07000) SAMLIB.dll (71B70000 - 71B83000) davclnt.dll (75F10000 - 75F19000) ---- Check ended at 2.4.2010 15:40:46 ----